Thousands of misconfigured Elasticsearch instances

The basic Elasticsearch configuration can expose your assets

Elasticsearch is a distributed search and analytics engine designed to handle large volumes of data efficiently. It is built on top of Apache Lucene and is commonly used for real-time search, log analysis, and full-text search applications. The default port for Elasticsearch is 9200. In its basic configuration, without authentication, Elasticsearch lets anyone who can reach that port index, search, and analyze data across all stored documents. It employs a RESTful API, making it accessible and easy to integrate with other applications and services.

Searching misconfigured elasticsearch

Well, knowing that the default configuration has no authentication and answers with status code 200, here's a hunter query: product.name="Elasticsearch" and header.status_code=="200" We can see 122k+ results in the past month. Some of these may no longer be running or may already have been compromised, but a significant number certainly remain.
[*] hunter_results.png
You can also use equivalent FOFA or Shodan queries (I used FOFA btw, but I mentioned hunter because it has a cool name).

Dumping data

The Elasticsearch API works with simple HTTP GET requests to various endpoints, so you can also use it from your browser and receive JSON-formatted responses. To view all indices, go to /_cat/indices?v
[*] elasitc_indicies.png
To view the content of an index, go to /[name]/_search?pretty=true. This will dump the first 10 items; to view everything you have to set the (probably) maximum size, like /[name]/_search?pretty=true&size=9999. To search for something inside the index, use the q query parameter, like /[name]/_search?pretty=true&size=9999&q=[word], or just press ctrl-f inside your browser lol. To dump all indices, don't specify an index and use the base URL. (The pretty parameter set to true isn't necessary; it just makes the response human-readable.)

If you want to learn more about this, there are 2 useful links:
[1] https://book.hacktricks.xyz/network-services-pentesting/9200-pentesting-elasticsearch
[2] https://github.com/kh4sh3i/ElasticSearch-Pentesting
[*] elasitcsearch_1.png

[*] elasitcsearch_2.png
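The practical takeaway for anyone running Elasticsearch is to check whether your own node answers the endpoints described above without credentials. The script below is an added example, not code from the original post: it sends unauthenticated GETs to / and /_cat/indices?v, classifies the HTTP status (200 means anonymous read access works, 401/403 means the node demands credentials), and, if the index listing is open, parses the _cat table into index names and document counts so you can see exactly what is visible. The fetch function is injectable, and the SAMPLE_ROOT and SAMPLE_CAT responses are constructed (not captured from any real host) so the logic can be exercised offline via demo_offline().

```python
"""
Audit helper: does an Elasticsearch node answer unauthenticated requests?
Added example (not code from the original post). It uses only the standard
library and the endpoints the post describes, so it runs against your own
node or offline against the constructed responses in demo_offline().
"""
import json
import sys
import urllib.error
import urllib.request

# The endpoints the post describes. A node that answers them with HTTP 200
# and no credentials is exposed in the way the post's search queries find.
ROOT = "/"
CAT_INDICES = "/_cat/indices?v"
PROBES = (ROOT, CAT_INDICES)


def classify(status):
    """Map the HTTP status of an unauthenticated probe to a verdict."""
    if status == 200:
        return "exposed"        # anonymous read access works
    if status in (401, 403):
        return "protected"      # node demands credentials (e.g. X-Pack security)
    return "unknown"            # proxy, firewall, a different service, etc.


def parse_cat_indices(text):
    """Parse the whitespace-separated table of /_cat/indices?v into dicts.

    Assumes the header row is present (the ?v flag) and that no column
    contains spaces, which holds for the standard _cat output.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def fetch(base_url, path, timeout=5):
    """One unauthenticated GET; returns (status, body) even on HTTP errors."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "text/plain, application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url, fetcher=fetch):
    """Probe the node and summarise what an anonymous client can see.

    `fetcher` is injectable so the logic can be exercised without a network.
    """
    responses = {path: fetcher(base_url, path) for path in PROBES}
    verdicts = {path: classify(status) for path, (status, _) in responses.items()}
    report = {
        "exposed": any(v == "exposed" for v in verdicts.values()),
        "verdicts": verdicts,
        "indices": [],     # (name, docs.count) pairs readable without auth
    }
    if verdicts[CAT_INDICES] == "exposed":
        _, body = responses[CAT_INDICES]
        for row in parse_cat_indices(body):
            count = row.get("docs.count", "")   # empty for closed indices
            report["indices"].append((row.get("index", "?"),
                                      int(count) if count.isdigit() else 0))
    return report


# Constructed sample responses (not captured from any real host) so the
# audit logic can be checked without network access.
SAMPLE_ROOT = '{"name": "node-1", "cluster_name": "demo", "tagline": "You Know, for Search"}'
SAMPLE_CAT = """\
health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   customers AAAAAAAAAAAAAAAAAAAAAA   1   1       5203            0      1.2mb          1.2mb
green  open   .kibana_1 BBBBBBBBBBBBBBBBBBBBBB   1   0         12            0     22.1kb         22.1kb
"""


def demo_offline(protected=False):
    """Run audit() against constructed responses for an open or a secured node."""
    def fake_fetch(_base_url, path):
        if protected:
            return 401, '{"error": {"type": "security_exception"}}'
        return (200, SAMPLE_CAT) if path == CAT_INDICES else (200, SAMPLE_ROOT)
    return audit("http://constructed.invalid:9200", fake_fetch)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(json.dumps(audit(target), indent=2))
```

Run it as python es_audit.py http://your-node:9200 from a host that should not have access (outside the perimeter, or from a different network segment); an "exposed" verdict means the node is findable with exactly the queries the post shows. The fix is to turn on authentication (xpack.security.enabled: true in elasticsearch.yml) and to keep network.host off public interfaces, or to front the node with a reverse proxy or firewall that enforces credentials; rerunning the audit afterwards should yield "protected" on both probes and an empty index list.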