CVE-2018-17246 – Kibana Local File Inclusion

Logstash is an open source tool for collecting, parsing, and storing logs for later use. Kibana is the web interface used to search and visualize the data that Logstash has indexed. Neither is built on Elasticsearch; both are built to work with it: Logstash ships data into Elasticsearch and Kibana queries it. Elasticsearch, Logstash, and Kibana used together are known as the ELK stack.


Affected URL:  http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file>

Affected Parameter: apis

The bug lies in the `apis` query parameter of the Console plugin's `/api/console/api_server` endpoint. Each name in the comma-separated `apis` list is passed to Node.js `require()` relative to the plugin's API directory with no validation, so `../` sequences let an attacker load any JavaScript file readable by the Kibana process (Kibana before 6.4.3 and 5.6.13 is affected). Because Kibana runs on Node.js, the included file's top-level code executes server-side with Kibana's privileges at the moment it is required; the request then fails, because the loaded module does not export the API object the endpoint expects, but the payload has already run. The LFI itself gives no way to write a file, so exploiting it in a pentest means finding a second vector, such as a writable NFS export or a file upload function, to place a malicious .js file on the server, and then including that file through `apis`.

In the following example, I have uploaded a malicious reverse-shell JavaScript file. It connects back on port 8000 and spawns /bin/sh.

Let's include this rshell.js file using the LFI in Kibana:


After including our rshell.js file, we receive a reverse shell.


We can also include a webshell instead, which helps when egress firewall rules block the reverse connection. If we upload a webshell, here is how we can access it and execute commands:


The JS reverse shell and JS webshell can be found at the following link:
