banner
Hi my new friend!

山河浪漫,
人间温暖。

Scroll down

Elasticsearch 未授权访问漏洞(Es未授权访问)

漏洞描述

ElasticSearch 是一款 Java 编写的企业级搜索服务,启动此服务默认开放 HTTP-9200 端口,可被非法操作数据。

复现

访问 IP:9200 显示 You konw,for Search 表示存在此漏洞
在这里插入图片描述
显示登录界面或访问不到的情况 证明不存在此漏洞
在这里插入图片描述

https://github.com/mobz/elasticsearch-head

查询所有 index, type:
localhost:9200/_search?pretty=true 
http://ip:9200/_cat/indices
一般泄漏的文件都会出现在这个页面里面,可访问进行信息搜集
查询某个 index 下所有 type:
localhost:9200/films/_search 
查询某个 index 下, 某个 type 下所有记录:
localhost:9200/films/md/_search?pretty=true 
带参数的查询  
localhost:9200/films/md/_search?q=tag:good 
{ "took":7,"timed_out":false,"_shards":{ "total":5,"successful":5,"failed":0},"hits":{ "total":2,"max_score":1.0,"hits":[{ "_index":"film","_type":"md","_id":"2","_score":1.0, "_source" : 
{  "name":"hei yi ren", "tag": "good"}},{ "_index":"film","_type":"md","_id":"1","_score":0.30685282, "_source" : 
{  "name":"ma da jia si jia", "tag": "good"}}]}} 
JSON 参数的查询 
注意:query 和 term 关键字)
localhost:9200/film/_search -d '{"query" : { "term": { "tag":"bad"}}}' 

http://localhost:9200/_rvier/_search
查看敏感信息了
http://localhost:9200/_plugin/head/web
管理界面
http://localhost:9200/_cat/indices
http://localhost:9200/_river/_search
查看数据库敏感信息
http://localhost:9200/_nodes
查看节点数据

使用 ElasticHD 工具进行远程连接可视化数据进行信息搜集

修复

1.限制 IP 访问,禁止未授权 IP 访问 ElasticSearch 9200 端口
使用 iptables 等服务器内嵌防火墙对访问 IP 进行限制

2.通过 ES 插件增加访问验证,增加验证后切勿使用弱口令
①shield插件,收费,暂不考虑。
②针对1.7.0版本之前的ElasticSearch,可采用elasticsearch-http-basic插件。
下载地址:https://github.com/Asquera/elasticsearch-http-basic/releases
elasticsearch-http-basic,安装在 plugins 文件夹下,config/elasticsearch.yml 中统一配置:
http.basic.enabled true 
#开关,开启会接管全部HTTP连接
http.basic.user “admin” 
#账号
http.basic.password “admin_pw” 
#密码
http.basic.ipwhitelist [“localhost”, “127.0.0.1”] 
#白名单内的IP访问不需要通过账号和密码,支持IP和主机名,不支持IP区间或正则。
③针对 elasticsearch2.x 以后版本采用 search-guard 插件
https://docs.search-guard.com/6.x-25/search-guard-versions
安装插件执行命令
./bin/elasticsearch-plugin install -b file:///path/search-guard-6-6.2.3-23.0.zip

config/elasticsearch.yml 中统一配置,末尾追
searchguard.ssl.transport.pemcert_filepath: certificates/esnode.pem
searchguard.ssl.transport.pemkey_filepath: certificates/esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certificates/esnode.pem
searchguard.ssl.http.pemkey_filepath: certificates/esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"] 

注:默认弱口令用户admin admin强烈建议修改默认密码
使用默认hash工具,生成hash串
elasticsearch-6.2.3\plugins\search-guard-6\tools
.\hash.bat -p newpwd
新密码生效
sgadmin.bat -cd ..\sgconfig -key ..\..\..\config\certificates\kirk-key.pem -cert ..\..\..\config\certificates\kirk.pem -cacert ..\..\..\config\certificates\root-ca.pem -nhnv -icl
使用 searchbox 获取 jestclient 的方式(basic的方式连接es)

    JestClientFactory factory= new JestClientFactory();
    factory.setHttpClientConfig(new HttpClientCofig.Builder("https://ip:9200").defaultCredentials(username,pwd).sslSockedFactory(getSslSockedFactory()));
    private static SSLConnectionSockedFactory getSslSockedFactory() throws Exception{ 
    SSLContextBuilder builder= SSLContexts.custom();
    builder.loadTrustMaterial(new Trustrategy(){ 
    @Override
    public boolean isTrusted(X509Certificate[] chain,String authType){ 
    return true;
    }
    });
    SSLContext sslcontext=builder.build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,new String[]{ "TLSv1","TLSv1.1","TLSv1.2"},null,new HostnameVerifier(){ 
    @Override
    public boolean verify(String arg0,String arg1){ 
    return true;
    }
    });
    return sslsf ;
    }
nodejs 使用用户名密码 (basic-auth) 连接 es
架设 nginx 反向代理服务器,设置 http basic 认证来实现 elasticsearch 登录认证
使用域名 配置转发
upstream es.nginx.com{ 
         server 127.0.0.1:9901 weight=1 max_fails=2;
         server 127.0.0.1:9902 weight=1 max_fails=2;
         server 127.0.0.1:9903 weight=1 max_fails=2;
         server 127.0.0.1:9904 weight=1 max_fails=2;
         server 127.0.0.1:9905 weight=1 max_fails=2;
}
location ~* / { 
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		if ($host ~* es\.nginx\.com) { 
			proxy_pass  http://es.nginx.com;
		}
}
配置账号密码访问模式
location ~* / { 
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		#配置帐号密码
		auth_basic "login";#提示信息
		auth_basic_user_file /usr/local/nginx/conf/vhosts/password/es; #密码文件(填写绝对路径)
		autoindex on;

		if ($host ~* es\.sojson\.com) { 
			proxy_pass  http://es.nginx.com;
		}
}
配置密码帐号文件
auth_basic_user_file 选项用于匹配密码文件
将密码按照一定规定进行编写 按照 unsername:passwd 格式填写进入密码文件内
vi /usr/local/nginx/conf/vhosts/password/es
 
关闭外网访问
修改config/elasticsearch.yml 
#network.publish_host: 0.0.0.0
#networt.bind_host: 0.0.0.0
#network.host: 0.0.0.0
#只要配置这个即可
network.host: 127.0.0.1
#network.publish_host: 127.0.0.1
重启  Elasticsearch ,更保险,可再加上 iptables ,加上访问频率限制,防止暴力破解

原文链接:https://blog.csdn.net/weixin_52084568/article/details/129397581

我很可爱,请给我钱

昵称
邮箱
0/200
  • OωO
  • |´・ω・)ノ
  • ヾ(≧∇≦*)ゝ
  • (☆ω☆)
  • (╯‵□′)╯︵┴─┴
  •  ̄﹃ ̄
  • (/ω\)
  • ∠( ᐛ 」∠)_
  • (๑•̀ㅁ•́ฅ)
  • →_→
  • ୧(๑•̀⌄•́๑)૭
  • ٩(ˊᗜˋ*)و
  • (ノ°ο°)ノ
  • (´இ皿இ`)
  • ⌇●﹏●⌇
  • (ฅ´ω`ฅ)
  • (╯°A°)╯︵○○○
  • φ( ̄∇ ̄o)
  • ヾ(´・ ・`。)ノ"
  • ( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
  • (ó﹏ò。)
  • Σ(っ °Д °;)っ
  • ( ,,´・ω・)ノ"(´っω・`。)
  • ╮(╯▽╰)╭
  • o(*////▽////*)q
  • >﹏<
  • ( ๑´•ω•) "(ㆆᴗㆆ)
  • 😂
  • 😀
  • 😅
  • 😊
  • 🙂
  • 🙃
  • 😌
  • 😍
  • 😘
  • 😜
  • 😝
  • 😏
  • 😒
  • 🙄
  • 😳
  • 😡
  • 😔
  • 😫
  • 😱
  • 😭
  • 💩
  • 👻
  • 🙌
  • 🖕
  • 👍
  • 👫
  • 👬
  • 👭
  • 🌚
  • 🌝
  • 🙈
  • 💊
  • 😶
  • 🙏
  • 🍦
  • 🍉
  • 😣
  • 颜文字
  • Emoji
0 条评论