9200 - Pentesting Elasticsearch
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.
Elasticsearch ni iliyogawanywa, chanzo wazi injini ya utafutaji na uchambuzi kwa aina zote za data. Inajulikana kwa speed, scalability, na REST APIs rahisi. Imejengwa juu ya Apache Lucene, ilitolewa kwa mara ya kwanza mwaka 2010 na Elasticsearch N.V. (sasa inajulikana kama Elastic). Elasticsearch ni kipengele cha msingi cha Elastic Stack, mkusanyiko wa zana za chanzo wazi kwa ajili ya upokeaji wa data, uboreshaji, uhifadhi, uchambuzi, na uonyeshaji. Stack hii, inayojulikana kwa kawaida kama ELK Stack, pia inajumuisha Logstash na Kibana, na sasa ina wakala wa usafirishaji wa data nyepesi wanaoitwa Beats.
Index ya Elasticsearch ni mkusanyiko wa nyaraka zinazohusiana zilizohifadhiwa kama JSON. Kila hati ina funguo na thamani zao zinazolingana (nyuzi, nambari, booleans, tarehe, orodha, maeneo ya kijiografia, nk.).
Elasticsearch hutumia muundo wa data mzuri unaoitwa inverted index kuwezesha utafutaji wa haraka wa maandiko yote. Index hii inataja kila neno la kipekee katika nyaraka na kutambua nyaraka ambazo kila neno linaonekana.
Wakati wa mchakato wa kuunda index, Elasticsearch huhifadhi nyaraka na kujenga index iliyo kinyume, ikiruhusu utafutaji wa karibu wakati halisi. Index API inatumika kuongeza au kuboresha nyaraka za JSON ndani ya index maalum.
Bandari ya Kawaida: 9200/tcp
Protokali inayotumika kufikia Elasticsearch ni HTTP. Unapoiwasha kupitia HTTP utaona taarifa za kuvutia: http://10.10.10.115:9200/
Ikiwa huoni jibu hilo ukifungua /
angalia sehemu ifuatayo.
Kwa kawaida Elasticsearch haina uthibitishaji ulioanzishwa, hivyo kwa kawaida unaweza kufikia kila kitu ndani ya hifadhidata bila kutumia akidi yoyote.
Unaweza kuthibitisha kuwa uthibitishaji umezimwa kwa ombi la:
Hata hivyo, ikiwa utatuma ombi kwa /
na kupokea jibu kama hili:
Hii itamaanisha kwamba uthibitishaji umewekwa na unahitaji akreditif sahihi kupata taarifa yoyote kutoka elasticserach. Kisha, unaweza kujaribu kuibua nguvu (inatumia HTTP basic auth, hivyo chochote kinachoweza BF HTTP basic auth kinaweza kutumika). Hapa una orodha ya majina ya watumiaji ya kawaida: elastic (superuser), remote_monitoring_user, beats_system, logstash_system, kibana, kibana_system, apm_system, _anonymous_._ Matoleo ya zamani ya Elasticsearch yana nenosiri la kawaida changeme kwa ajili ya mtumiaji huyu.
Hapa kuna baadhi ya endpoints ambazo unaweza kupata kupitia GET ili kupata baadhi ya habari kuhusu elasticsearch:
/_cat/segments
/_cluster/allocation/explain
/_security/user
/_cat/shards
/_cluster/settings
/_security/privilege
/_cat/repositories
/_cluster/health
/_security/role_mapping
/_cat/recovery
/_cluster/state
/_security/role
/_cat/plugins
/_cluster/stats
/_security/api_key
/_cat/pending_tasks
/_cluster/pending_tasks
/_cat/nodes
/_nodes
/_cat/tasks
/_nodes/usage
/_cat/templates
/_nodes/hot_threads
/_cat/thread_pool
/_nodes/stats
/_cat/ml/trained_models
/_tasks
/_cat/transforms/_all
/_remote/info
/_cat/aliases
/_cat/allocation
/_cat/ml/anomaly_detectors
/_cat/count
/_cat/ml/data_frame/analytics
/_cat/ml/datafeeds
/_cat/fielddata
/_cat/health
/_cat/indices
/_cat/master
/_cat/nodeattrs
/_cat/nodes
Endpoints hizi zilichukuliwa kutoka kwenye nyaraka ambapo unaweza kupata zaidi.
Pia, ukipata /_cat
jibu litakuwa na /_cat/*
endpoints zinazoungwa mkono na mfano.
Katika /_security/user
(ikiwa uthibitishaji umewezeshwa) unaweza kuona ni nani mtumiaji mwenye jukumu superuser
.
Unaweza kusanya indices zote kwa kufikia http://10.10.10.115:9200/_cat/indices?v
To obtain information about which kind of data is saved inside an index you can access: http://host:9200/<index>
from example in this case http://10.10.10.115:9200/bank
If you want to dump all the contents of an index you can access: http://host:9200/<index>/_search?pretty=true
like http://10.10.10.115:9200/bank/_search?pretty=true
Take a moment to compare the contents of the each document (entry) inside the bank index and the fields of this index that we saw in the previous section.
So, at this point you may notice that there is a field called "total" inside "hits" that indicates that 1000 documents were found inside this index but only 10 were retried. This is because by default there is a limit of 10 documents.
But, now that you know that this index contains 1000 documents, you can dump all of them indicating the number of entries you want to dump in the size
parameter: http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000
asd
&#xNAN;Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate size=9999
and it will be weird if there were more entries (but you should check).
In order to dump all you can just go to the same path as before but without indicating any indexhttp://host:9200/_search?pretty=true
like http://10.10.10.115:9200/_search?pretty=true
Remember that in this case the default limit of 10 results will be applied. You can use the size
parameter to dump a bigger amount of results. Read the previous section for more information.
If you are looking for some information you can do a raw search on all the indices going to http://host:9200/_search?pretty=true&q=<search_term>
like in http://10.10.10.115:9200/_search?pretty=true&q=Rockwell
If you want just to search on an index you can just specify it on the path: http://host:9200/<index>/_search?pretty=true&q=<search_term>
Note that the q parameter used to search content supports regular expressions
You can also use something like https://github.com/misalabs/horuz to fuzz an elasticsearch service.
You can check your write permissions trying to create a new document inside a new index running something like the following:
Hiyo cmd itaunda index mpya inayoitwa bookindex
yenye hati ya aina books
ambayo ina sifa "bookId", "author", "publisher" na "name"
Tazama jinsi index mpya inavyoonekana sasa kwenye orodha:
Na kumbuka sifa zilizoundwa kiotomatiki:
Zana zingine zitapata baadhi ya data zilizowasilishwa hapo awali:
port:9200 elasticsearch
Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu
Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya moja kwa moja kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)