CVE-2015-5531

Published: 17/08/2015 Updated: 09/10/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 506
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in Elasticsearch prior to 1.6.1 allows remote malicious users to read arbitrary files via unspecified vectors related to snapshot API calls.

Vulnerability Trend

Vulnerable Product

Vendor: elasticsearch / Product: elasticsearch

Vendor Advisories

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls ...

Exploits

# elasticpwn
Script for ElasticSearch URL path traversal vuln CVE-2015-5531
```
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlabint /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff0 ...
```

Github Repositories

CVE-2015-5531-POC. Vulnerability background: Elasticsearch is an open-source distributed RESTful search engine built on Lucene by the Dutch company Elasticsearch; it is mainly used in cloud computing and supports indexing data as JSON over HTTP. Elasticsearch versions before 1.6.1 contain a directory traversal vulnerability. A remote attacker can exploit it through snapshot API calls to read arbitrary files. Usage: -u ...

dirsearch

dirsearch2 dirsearch. Bolt: view page source (it's written on Bolt); url/bolt admin – password; file management – create file.txt; enter – rename flag.txt to file.php; go to file url = php?cmd=ls -l; php?cmd=cat /flag.txt. Path traversal vulnerability: Elastic – searchsploit elasticsearch 1.6.0 is our vulnerability, github.com/nixawk/labs/blob/master/CVE-2015-5531/

cyber-sec-labs bolt. Let's try: View Page Source, pay attention to "<p>This website is</p>", add /bolt to the url and guess the user and pass. Once you are in you need to go to file management to see if you can upload some malicious files. Let's try to create and upload a vulnerable rce.html file: click file and start editing. Go to options and rename the rce.html file to rce

nodiff backdoor: $ dirsearch -u url – found /backup.zip; download backup file: $ wget url+/backup.zip; $ grep -r "shell_exec(" – execute backdoor through vulnerable function; browse url+/?welldone=knockknock&shazam=id; find flag in source of page. phpunit: $ dirsearch -u url – found /composer.json; browse url+/composer.json – found phpunit version; look for vulnerability for