8086 - Pentesting InfluxDB

Reading time: 3 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Basic Information

InfluxDB is an open-source time series database (TSDB) developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in storage space and performance for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance.

Default port: 8086

PORT STATE SERVICE VERSION 8086/tcp open http InfluxDB http admin 1.7.5

Enumeration

From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info.

Authentication

InfluxDB might require authentication or not

bash
# Try unauthenticated influx -host 'host name' -port 'port #' > use _internal

If you get an error like this one: ERR: unable to parse authentication credentials it means that it's expecting some credentials.

influx –username influx –password influx_pass

There was a vulnerability influxdb that allowed to bypass the authentication: CVE-2019-20933

Manual Enumeration

The information of this example was taken from here.

Show databases

The found databases are telegraf and internal (you will find this one everywhere)

bash
> show databases name: databases name ---- telegraf _internal

Show tables/measurements

The InfluxDB documentation explains that measurements in InfluxDB can be paralleled with SQL tables. The nomenclature of these measurements is indicative of their respective content, each housing data relevant to a particular entity.

bash
> show measurements name: measurements name ---- cpu disk diskio kernel mem processes swap system

Show columns/field keys

The field keys are like the columns of the database

bash
> show field keys name: cpu fieldKey fieldType -------- --------- usage_guest float usage_guest_nice float usage_idle float usage_iowait float name: disk fieldKey fieldType -------- --------- free integer inodes_free integer inodes_total integer inodes_used integer [ ... more keys ...]

Dump Table

And finally you can dump the table doing something like

bash
select * from cpu name: cpu time cpu host usage_guest usage_guest_nice usage_idle usage_iowait usage_irq usage_nice usage_softirq usage_steal usage_system usage_user ---- --- ---- ----------- ---------------- ---------- ------------ --------- ---------- ------------- ----------- ------------ ---------- 1497018760000000000 cpu-total ubuntu 0 0 99.297893681046 0 0 0 0 0 0.35105315947842414 0.35105315947842414 1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101

warning

In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: select * from "cpu"

Automated Authentication

bash
msf6 > use auxiliary/scanner/http/influxdb_enum

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks