# 9200 - Pentesting Elasticsearch
{{#include ../banners/hacktricks-training.md}}
## Basic information
Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on top of Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly known as the ELK Stack, also includes Logstash and Kibana, and now ships lightweight data-shipping agents called Beats.
### What is an Elasticsearch index?
An Elasticsearch **index** is a collection of **related documents** stored as **JSON**. Each document consists of **keys** and their corresponding **values** (strings, numbers, booleans, dates, lists, geolocations, etc.).
Elasticsearch uses an efficient data structure called an **inverted index** to enable fast full-text search. This index lists every unique word that appears in the documents and identifies the documents in which each word occurs.
During the indexing process, Elasticsearch stores the documents and builds the inverted index, which allows near-real-time search. The **Index API** is used to add or update JSON documents in a specific index.
**Default port**: 9200/tcp
## Manual Enumeration
### Banner
The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will see some interesting information: `http://10.10.10.115:9200/`
![](<../images/image (294).png>)
If you don't see that response when accessing `/`, see the following section.
### Authentication
**By default Elasticsearch does not have authentication enabled**, so by default you can access everything inside the database without using any credentials.
You can verify that authentication is disabled with a request to:
```bash
curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
{"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."}],"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."},"status":500}
```
**However**, if you send a request to `/` and receive a response like this:
```bash
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
```
This means that authentication is configured and **you need valid credentials** to get any information from Elasticsearch. Then, you can [**try to brute-force it**](../generic-hacking/brute-force.md#elasticsearch) (it uses HTTP basic auth, so anything that can brute-force HTTP basic auth can be used).\
Here you have a **list of default usernames**: _**elastic** (superuser), remote_monitoring_user, beats_system, logstash_system, kibana, kibana_system, apm_system, \_anonymous\_._ Older versions of Elasticsearch have the default password **changeme** for this user.
```bash
curl -X GET http://user:password@IP:9200/
```
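One way to turn the two responses above into an automated check, as an added example that is not part of the original page: it classifies a probe response as security disabled, credentials required, or anonymously served banner, so an administrator auditing their own nodes can flag the ones still running without `xpack.security.enabled: true`. The sample bodies are constructed from the responses shown above; sending the HTTP request itself is assumed to happen elsewhere.

```python
import json

# Constructed sample bodies modelled on the two responses shown above.
REASON_500 = ("Security must be explicitly enabled when using a [basic] license. Enable security "
              "by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and "
              "restart the node.")
SECURITY_DISABLED_500 = json.dumps({"error": {
    "root_cause": [{"type": "exception", "reason": REASON_500}],
    "type": "exception", "reason": REASON_500}, "status": 500})
AUTH_REQUIRED_401 = json.dumps({"error": {
    "root_cause": [{"type": "security_exception",
                    "reason": "missing authentication credentials for REST request [/]",
                    "header": {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}}],
    "type": "security_exception",
    "reason": "missing authentication credentials for REST request [/]",
    "header": {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}}, "status": 401})
# Constructed banner: what / answers when no credentials are needed.
BANNER_200 = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                         "version": {"number": "0.0.0-constructed"},
                         "tagline": "You Know, for Search"})


def classify_auth(status: int, body: str) -> str:
    """Classify one HTTP response from / or /_xpack/security/user.

    'disabled'  security plugin is off: anonymous access to everything
    'enabled'   security is on and credentials are required
    'open'      the banner was served without credentials (anonymous read)
    'unknown'   anything else (non-JSON body, proxy error, ...)
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    err = data.get("error") or {}
    if status == 401 and err.get("type") == "security_exception":
        return "enabled"
    if status == 500 and "Security must be explicitly enabled" in err.get("reason", ""):
        return "disabled"
    if status == 200 and "cluster_name" in data and "tagline" in data:
        return "open"
    return "unknown"


def needs_remediation(status: int, body: str) -> bool:
    """True when the node should get xpack.security.enabled: true in elasticsearch.yml."""
    return classify_auth(status, body) in ("disabled", "open")
```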
### Basic User Enumeration
```bash
#List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"
#List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"
#Get more information about the rights of an user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"
```
### Elastic Info
Here are some endpoints that you can **access via GET** to **obtain** some **information** about Elasticsearch:
| \_cat | /\_cluster | /\_security |
| ------------------------------ | ----------------------------- | ------------------------ |
| /\_cat/segments | /\_cluster/allocation/explain | /\_security/user |
| /\_cat/shards | /\_cluster/settings | /\_security/privilege |
| /\_cat/repositories | /\_cluster/health | /\_security/role_mapping |
| /\_cat/recovery | /\_cluster/state | /\_security/role |
| /\_cat/plugins | /\_cluster/stats | /\_security/api_key |
| /\_cat/pending_tasks | /\_cluster/pending_tasks | |
| /\_cat/nodes | /\_nodes | |
| /\_cat/tasks | /\_nodes/usage | |
| /\_cat/templates | /\_nodes/hot_threads | |
| /\_cat/thread_pool | /\_nodes/stats | |
| /\_cat/ml/trained_models | /\_tasks | |
| /\_cat/transforms/\_all | /\_remote/info | |
| /\_cat/aliases | | |
| /\_cat/allocation | | |
| /\_cat/ml/anomaly_detectors | | |
| /\_cat/count | | |
| /\_cat/ml/data_frame/analytics | | |
| /\_cat/ml/datafeeds | | |
| /\_cat/fielddata | | |
| /\_cat/health | | |
| /\_cat/indices | | |
| /\_cat/master | | |
| /\_cat/nodeattrs | | |
| /\_cat/nodes | | |
These endpoints were taken [**from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html), where you can **find more**.\
Also, if you access `/_cat` the response will list the `/_cat/*` endpoints supported by the instance.
In `/_security/user` (if authentication is enabled) you can see which user has the `superuser` role.
### Indices
You can **gather all the indices** by accessing `http://10.10.10.115:9200/_cat/indices?v`
```
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana 6tjAYZrgQ5CwwR0g6VOoRg 1 0 1 0 4kb 4kb
yellow open quotes ZG2D1IqkQNiNZmi2HRImnQ 5 1 253 0 262.7kb 262.7kb
yellow open bank eSVpNfCfREyYoVigNWcrMw 5 1 1000 0 483.2kb 483.2kb
```
To get **information about what kind of data is stored inside an index** you can access `http://host:9200/<index>`, in this case `http://10.10.10.115:9200/bank`
![](<../images/image (342).png>)
### Dump index
If you want to **dump all the contents** of an index you can access `http://host:9200/<index>/_search?pretty=true`, as in `http://10.10.10.115:9200/bank/_search?pretty=true`
![](<../images/image (914).png>)
_Take a moment to compare the contents of each document (entry) inside the bank index with the fields of this index that we saw in the previous section._
So, at this point you may notice that **there is a field called "total" inside "hits"** indicating that **1000 documents were found** inside this index, but only 10 were returned. This is because **by default there is a limit of 10 documents**.\
But, now that you know that **this index contains 1000 documents**, you can **dump all of them** by indicating the number of entries you want to dump in the **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`\
_Note: If you indicate a bigger number, all the entries will be dumped anyway; for example you could indicate `size=9999` and it would be strange if there were more entries (but you should check)._
### Dump all
To dump everything you can just go to the **same path as before but without indicating any index**: `http://host:9200/_search?pretty=true`, as in `http://10.10.10.115:9200/_search?pretty=true`\
Remember that in this case the **default limit of 10** results will also be applied. You can use the `size` parameter to dump a **larger number of results**. Read the previous section for more information.
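As an added example (not from the original page) that quantifies the truncation described in the two sections above: it reads `hits.total` from a `_search` response, handling both the plain-integer form of older versions and the `{"value", "relation"}` object of 7.x and later, and reports whether the response was cut off by the default size of 10, whether the count is only a lower bound (`relation: gte`, which 7.x returns once it stops counting at 10000), and whether the count exceeds the default `index.max_result_window` of 10000, which is why `size=9999` alone is not proof that everything was returned. The responses are constructed samples.

```python
import json

DEFAULT_SIZE = 10            # hits returned by _search when no size is given
MAX_RESULT_WINDOW = 10000    # default index.max_result_window: from + size may not exceed it

# Constructed sample responses, trimmed to the fields that matter.
# 7.x and later report hits.total as an object; 6.x and earlier as a plain integer.
RESPONSE_ES7 = json.dumps({"hits": {
    "total": {"value": 1000, "relation": "eq"},
    "hits": [{"_index": "bank", "_id": str(i)} for i in range(DEFAULT_SIZE)]}})
RESPONSE_ES6 = json.dumps({"hits": {
    "total": 253,
    "hits": [{"_index": "quotes", "_id": str(i)} for i in range(DEFAULT_SIZE)]}})
# 7.x stops counting at 10000 unless track_total_hits=true, so the total is a lower bound.
RESPONSE_LOWER_BOUND = json.dumps({"hits": {
    "total": {"value": 10000, "relation": "gte"}, "hits": []}})


def total_hits(resp: dict) -> tuple:
    """Return (count, exact) from hits.total in either response shape."""
    total = resp["hits"]["total"]
    if isinstance(total, dict):
        return int(total["value"]), total.get("relation", "eq") == "eq"
    return int(total), True


def exposure(body: str) -> dict:
    """Summarise how much of an index a single unauthenticated _search exposed."""
    resp = json.loads(body)
    count, exact = total_hits(resp)
    returned = len(resp["hits"]["hits"])
    return {
        "total": count,
        "exact": exact,                   # False: the real count may be higher
        "returned": returned,
        "truncated": count > returned,    # more documents exist than were returned
        # a plain size parameter cannot reach these: the count is beyond the
        # default result window or is only a lower bound
        "beyond_window": count > MAX_RESULT_WINDOW or not exact,
    }


if __name__ == "__main__":
    for name, body in (("es7", RESPONSE_ES7), ("es6", RESPONSE_ES6),
                       ("lower_bound", RESPONSE_LOWER_BOUND)):
        print(name, exposure(body))
```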
### Search
If you are looking for some specific information you can do a **raw search across all the indices** by going to `http://host:9200/_search?pretty=true&q=<search_term>`, as in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell`
![](<../images/image (335).png>)
If you only want to **search inside one index** you can just **specify** it in the **path**: `http://host:9200/<index>/_search?pretty=true&q=<search_term>`
_Note that the `q` parameter used to search content **supports regular expressions**._
You can also use something like [https://github.com/misalabs/horuz](https://github.com/misalabs/horuz) to fuzz an Elasticsearch service.
### Write permissions
You can check your write permissions by trying to create a new document inside a new index, running something like the following:
```bash
curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/json' -d'
{
"bookId" : "A00-3",
"author" : "Sankaran",
"publisher" : "Mcgrahill",
"name" : "how to get a job"
}'
```
That command will create a **new index** called `bookindex` with a document of type `books` that has the attributes "_bookId_", "_author_", "_publisher_" and "_name_".
Notice how **the new index now appears in the list**:
![](<../images/image (130).png>)
And note the **automatically created properties**:
![](<../images/image (434).png>)
## Automatic Enumeration
Some tools will obtain part of the data presented above:
```bash
msf > use auxiliary/scanner/elasticsearch/indices_enum
```
{{#ref}}
https://github.com/theMiddleBlue/nmap-elasticsearch-nse
{{#endref}}
## Shodan
- `port:9200 elasticsearch`
{{#include ../banners/hacktricks-training.md}}