hacktricks/network-services-pentesting/8086-pentesting-influxdb.md

7.4 KiB
Raw Blame History

8086 - Pentesting InfluxDB


Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

InfluxDB is an open-source time series database (TSDB) developed by the company InfluxData.

A time series database (TSDB) is a software system that is optimized for storing and serving time series through associated pairs of time(s) and value(s).

Time series datasets are relatively large and uniform compared to other datasets―usually being composed of a timestamp and associated data. Time series datasets can also have fewer relationships between data entries in different tables and don't require indefinite storage of entries. The unique properties of time series datasets mean that time series databases can provide significant improvements in storage space and performance over general purpose databases. For instance, due to the uniformity of time series data, specialized compression algorithms can provide improvements over regular compression algorithms designed to work on less uniform data. Time series databases can also be configured to regularly delete old data, unlike regular databases which are designed to store data indefinitely. Special database indices can also provide boosts in query performance. (From here).

Default port: 8086

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Enumeration

From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info.

Authentication

InfluxDB might require authentication or not

# Try unauthenticated
influx -host 'host name' -port 'port #'
> use _internal

If you get an error like this one: ERR: unable to parse authentication credentials it means that it's expecting some credentials.

influx username influx password influx_pass

There was a vulnerability influxdb that allowed to bypass the authentication: CVE-2019-20933

Manual Enumeration

The information of this example was taken from here.

Show databases

The found databases are telegraf and _internal (you will find this one everywhere)

> show databases
name: databases
name
----
telegraf
_internal

Show tables/measurements

As the InfluxDB documentation explains, SQL measurements can be thought of as SQL tables. As the measurement names above suggest, each one contains information which pertains to a specific entity

> show measurements
name: measurements
name
----
cpu
disk
diskio
kernel
mem
processes
swap
system

Show columns/field keys

The field keys are like the columns of the database

> show field keys
name: cpu
fieldKey         fieldType
--------         ---------
usage_guest      float
usage_guest_nice float
usage_idle       float
usage_iowait     float

name: disk
fieldKey     fieldType
--------     ---------
free         integer
inodes_free  integer
inodes_total integer
inodes_used  integer

[ ... more keys ...]

Dump Table

And finally you can dump the table doing something like

select * from cpu
name: cpu
time                cpu       host   usage_guest usage_guest_nice usage_idle        usage_iowait        usage_irq usage_nice usage_softirq        usage_steal usage_system        usage_user
----                ---       ----   ----------- ---------------- ----------        ------------        --------- ---------- -------------        ----------- ------------        ----------
1497018760000000000 cpu-total ubuntu 0           0                99.297893681046   0                   0         0          0                    0           0.35105315947842414 0.35105315947842414
1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101

{% hint style="warning" %} In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: select * from "cpu" {% endhint %}

Automated Authentication

msf6 > use auxiliary/scanner/http/influxdb_enum
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:


Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}