Update CVE-2014-3120.md
xxxxbxxxxx authored May 7, 2020
1 parent e0b04ad commit 175d7cd
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions writeup/CVE-2014-3120/CVE-2014-3120.md
Expand Up @@ -18,11 +18,15 @@ Elasticsearch < 1.2


1 启动 CVE-2014-3120 镜像,打开其访问地址查看,可见其版本为1.1.1

![avatar](./1.png)

![avatar](./2.png)

2 向 Elasticsearch 添加一条数据

![avatar](./3.png)

其数据包为

POST /website/blog/ HTTP/1.1
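Review bot: The step lines `1 启动 CVE-2014-3120 镜像…` and `2 向 Elasticsearch 添加一条数据` start with a bare digit and a space, so even with the blank lines now placed around the images they render as ordinary paragraphs, not as an ordered list. Write them as `1.` and `2.` and indent the images and the request under each item, and apply the same to steps 3 and 4 further down, so the numbering survives rendering.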
Expand All @@ -41,6 +45,7 @@ Elasticsearch < 1.2
}

3 script 为最终执行 Java 代码的地方,此字段会被默认当作脚本执行,按照其 json 格式向其填充要执行的代码即可

![avatar](./4.png)

最终目的为 /tmp 下的 flag,其数据包为
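Review bot: `![avatar](./4.png)` keeps the placeholder alt text `avatar`, the same string used on every image in this file, which tells a reader nothing when the screenshot does not load. While the spacing around the images is being adjusted, replace it with alt text that describes what the step 3 screenshot shows, and do the same for `1.png` through `6.png`.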
Expand Down Expand Up @@ -74,8 +79,11 @@ Elasticsearch < 1.2
}
```
4 填入得到的 flag,成功则出现 恭喜!通过

![avatar](./5.png)

![avatar](./6.png)

## 四、修复方案

1、升级到新版本,大于等于1.2版本即可解决此问题
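Review bot: Step 4 (`4 填入得到的 flag…`) still follows the closing code fence directly with no blank line, while every other step and image in this change is separated by one. Add a blank line between the fence and step 4 so the spacing is consistent across the file.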