mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
166 lines
7.4 KiB
Markdown
166 lines
7.4 KiB
Markdown
# 8086 - Pentesting InfluxDB
|
||
|
||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||
Get Access Today:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
## Basic Information
|
||
|
||
**InfluxDB** is an open-source **time series database** (TSDB) developed by the company InfluxData.
|
||
|
||
A **time series database (TSDB)** is a software system that is optimized for storing and **serving time series** through associated pairs of time(s) and value(s).
|
||
|
||
Time series datasets are **relatively large and uniform compared to other datasets**―usually being composed of a timestamp and associated data. Time series datasets can also have fewer relationships between data entries in different tables and don't require indefinite storage of entries. The unique properties of time series datasets mean that time series databases can provide **significant improvements in storage space and performance over general purpose databases**. For instance, due to the uniformity of time series data, **specialized compression algorithms** can provide improvements over regular compression algorithms designed to work on less uniform data. Time series databases can also be **configured to regularly delete old data**, unlike regular databases which are designed to store data indefinitely. Special database indices can also provide boosts in query performance. (From [here](https://en.wikipedia.org/wiki/Time\_series\_database)).
|
||
|
||
**Default port**: 8086
|
||
|
||
```
|
||
PORT STATE SERVICE VERSION
|
||
8086/tcp open http InfluxDB http admin 1.7.5
|
||
```
|
||
|
||
## Enumeration
|
||
|
||
From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info.
|
||
|
||
### Authentication
|
||
|
||
InfluxDB might require authentication or not
|
||
|
||
```bash
|
||
# Try unauthenticated
|
||
influx -host 'host name' -port 'port #'
|
||
> use _internal
|
||
```
|
||
|
||
If you **get an error like** this one: `ERR: unable to parse authentication credentials` it means that it's **expecting some credentials**.
|
||
|
||
```
|
||
influx –username influx –password influx_pass
|
||
```
|
||
|
||
There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933)
|
||
|
||
### Manual Enumeration
|
||
|
||
The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).
|
||
|
||
#### Show databases
|
||
|
||
The found databases are _telegraf_ and _\_internal_ (you will find this one everywhere)
|
||
|
||
```bash
|
||
> show databases
|
||
name: databases
|
||
name
|
||
----
|
||
telegraf
|
||
_internal
|
||
```
|
||
|
||
#### Show tables/measurements
|
||
|
||
As the [**InfluxDB documentation**](https://docs.influxdata.com/influxdb/v1.2/introduction/getting\_started/) explains, SQL **measurements** can be thought of as SQL tables. As the **measurement** names above suggest, each one contains information which pertains to a specific entity
|
||
|
||
```bash
|
||
> show measurements
|
||
name: measurements
|
||
name
|
||
----
|
||
cpu
|
||
disk
|
||
diskio
|
||
kernel
|
||
mem
|
||
processes
|
||
swap
|
||
system
|
||
```
|
||
|
||
#### Show columns/field keys
|
||
|
||
The field keys are like the **columns** of the database
|
||
|
||
```bash
|
||
> show field keys
|
||
name: cpu
|
||
fieldKey fieldType
|
||
-------- ---------
|
||
usage_guest float
|
||
usage_guest_nice float
|
||
usage_idle float
|
||
usage_iowait float
|
||
|
||
name: disk
|
||
fieldKey fieldType
|
||
-------- ---------
|
||
free integer
|
||
inodes_free integer
|
||
inodes_total integer
|
||
inodes_used integer
|
||
|
||
[ ... more keys ...]
|
||
```
|
||
|
||
#### Dump Table
|
||
|
||
And finally you can **dump the table** doing something like
|
||
|
||
```bash
|
||
select * from cpu
|
||
name: cpu
|
||
time cpu host usage_guest usage_guest_nice usage_idle usage_iowait usage_irq usage_nice usage_softirq usage_steal usage_system usage_user
|
||
---- --- ---- ----------- ---------------- ---------- ------------ --------- ---------- ------------- ----------- ------------ ----------
|
||
1497018760000000000 cpu-total ubuntu 0 0 99.297893681046 0 0 0 0 0 0.35105315947842414 0.35105315947842414
|
||
1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101
|
||
```
|
||
|
||
{% hint style="warning" %}
|
||
In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`
|
||
{% endhint %}
|
||
|
||
### Automated Authentication
|
||
|
||
```bash
|
||
msf6 > use auxiliary/scanner/http/influxdb_enum
|
||
```
|
||
|
||
<details>
|
||
|
||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Other ways to support HackTricks:
|
||
|
||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
|
||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
\
|
||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||
Get Access Today:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|