id: elasticsearch

info:
  name: ElasticSearch Information Disclosure
  author: Shine,c-sh0
  severity: low
  tags: elastic,unauth,elasticsearch

requests:
  - method: GET
    path:
      - '{{BaseURL}}/?pretty'
      - '{{BaseURL}}/_cat/indices?v'
      - '{{BaseURL}}/_all/_search'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"took":'
          - '"number" :'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"number"\s:\s"([0-9.]+)"'