How to find open ElasticSearch databases using Shodan
The power of Shodan
A large part of the Internet is called the Deep web. The Deep web contains important and sensitive information that belongs to a person or an organization, a small or large company, etc. In order to access this part of the internet, in a legal way I mean, you need to be authorized and/or authenticated. BUT sometimes this classified data is exposed due to application vulnerabilities, human errors, etc.
This sensitive information is exposed publicly, yes, but we still need to find it; it barely shows up in our daily Google/DuckDuckGo searches. There are some ways to find exposed data, of course for reporting it and maybe receiving a reward.
In this article I will show how to find open/exposed ElasticSearch databases with Shodan.

To do this, let’s go to our favorite shodan.io. Shodan is something like a search engine for internet-connected devices. Just subscribe and, if possible, use its Small Business/Corporate plan and hit start.
1- To begin, we will use the “product” and “port” filters of Shodan. See the example below:
product:elastic port:9200
Note that ElasticSearch’s default port is 9200.
2- Of course, you can also use the “country” filter to restrict the search, for example:
product:elastic port:9200 country:COUNTRY_CODE
In this example I did not use the “country” filter. We are looking for an open database; maybe it has a users column, so let’s search with this query this time:
product:elastic port:9200 users
The result:

Now we can see databases with user columns. Look at the size of that column: the larger it is, the more information it has. I kept going with one of them.
To reach the “users” column, we must use an ElasticSearch query. Change the browser address to:
http://IP_ADDRESS:9200/_cat/indices?v
Now let’s go back to using ElasticSearch queries to see what information is in the user column:
http://IP_ADDRESS:9200/users/_search?size=1000
What I found: (Of course, I colored it red to protect users’ privacy. After all, my goal is not to hurt people but to help them be safe and secure.)

As is obvious, users’ private information is public.
Conclusion:
This way we are able to find vulnerable websites, I mean open ElasticSearch DBs. If you find something, the best thing is to report it to the website administrator. You may get a reward for reporting, but if there is no reward, don't worry about that; don't seek revenge or other monkey business :P
This is the way.
P.S.: I had written this article in Turkish before; today I decided to publish it in English too.