id: elasticsearch

info:
  name: ElasticSearch Information Disclosure
  author: Shine,c-sh0,geeknik
  severity: low
  description: Internal information is exposed in elasticsearch to external users.
  metadata:
    verified: true
    max-request: 4
    shodan-query: "ElasticSearch"
  tags: elastic,unauth,elasticsearch,misconfig

http:
  - method: GET
    path:
      - '{{BaseURL}}/?pretty'
      - '{{BaseURL}}/_cat/indices?v'
      - '{{BaseURL}}/_all/_search'
      - "{{BaseURL}}/_cluster/health?pretty"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"took":'
          - '"number" :'
          - '"number_of_nodes"'
        condition: or

      - type: word
        part: header
        words:
          - application/json
          - application/vnd.api+json
          - text/plain
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"number"\s:\s"([0-9.]+)"'
# digest: 490a0046304402207b44d14688d4487c464122b6e50ecfa3559829942a4dd3bcbe6a74ae7fa56e8d02204fea683b7c3a02f35cc6c012dc4792d3cfd602f30f84b57a8d1aaab32d4ad067:922c64590222798bb761d5b6d8e72950