id: elasticsearch

info:
  name: ElasticSearch Information Disclosure
  author: Shine,c-sh0,geeknik
  severity: low
  metadata:
    verified: true
    shodan-query: "ElasticSearch"
  tags: elastic,unauth,elasticsearch

requests:
  - method: GET
    path:
      - '{{BaseURL}}/?pretty'
      - '{{BaseURL}}/_cat/indices?v'
      - '{{BaseURL}}/_all/_search'
      - "{{BaseURL}}/_cluster/health?pretty"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"took":'
          - '"number" :'
          - '"number_of_nodes"'
        condition: or

      - type: word
        part: header
        words:
          - application/json
          - application/vnd.api+json
          - text/plain
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"number"\s:\s"([0-9.]+)"'