InfluxDB TCP 8086 (Default) — Authentication Bypass & Pentest Notes
Target: InfluxDB (port 8086)
Affected versions: < 1.7.6 (CVE-2019-20933)
Vulnerability description
InfluxDB versions prior to 1.7.6 contain an authentication bypass in the
authenticate function in services/httpd/handler.go. A crafted JWT token may
contain an empty SharedSecret, allowing an attacker to bypass authentication and perform
sensitive actions such as reading internal metrics, modifying data, or executing administrative operations.
Risk
No formal risk description available in original advisory. Impact depends on exposed instance and data sensitivity.
Recommendation
Upgrade to influxdb version 1.7.6~rc0-1 or later. Apply vendor-provided patches and restrict access to port 8086 with network controls.
References
- Exploit: LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
- CVE-2019-20933 — MITRE
- NVD — CVE-2019-20933
- InfluxData patch commit
Exploitation & Tools
Useful resources for pentesting and red teaming InfluxDB:
- InfluxDB NoSQL injection notes
- HackTricks: InfluxDB pentesting (port 8086)
- Pentest-Tools entry
- KomodoSec blog
Proof-of-Concept (curl)
Attempt to retrieve debug requests from an unauthenticated instance:
```shell
curl -i -s -k -X 'GET' \
  -H 'Host: 172.19.139.138:8086' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'Accept: application/json' \
  'http://172.19.139.138:8086/debug/requests'
```
Metasploit enumeration
Metasploit provides an auxiliary/scanner/http/influxdb_enum module to locate and enumerate databases. Example workflow:
```
msf6 > use auxiliary/scanner/http/influxdb_enum
msf6 auxiliary(scanner/http/influxdb_enum) > set RHOSTS 172.19.139.139
msf6 auxiliary(scanner/http/influxdb_enum) > run
```
New discoveries & notes for red teamers
Open authentication / exposed endpoints
- Some misconfigured instances expose operational endpoints such as /metrics, /debug/vars, and /debug/requests. These may leak internal state and metrics useful for lateral movement or reconnaissance.
- Check for X-Influxdb-Version in HTTP responses — it often reveals version strings useful for fingerprinting.
Unauthenticated queries
Older or misconfigured InfluxDB APIs may allow unauthenticated InfluxQL queries via the HTTP API:
curl -G http://TARGET:8086/query --data-urlencode "q=SHOW DATABASES"
Shodan dorks / discovery
Use Shodan or similar to locate exposed instances:
"X-Influxdb-Version" port:8086
Post-exploitation — common follow-ups
- Dump database contents and review retention policy / sensitive measurement names.
- Look for hardcoded API keys, tokens, or secrets in configuration files and internal metrics.
- Enumerate users (if authentication present) and attempt password spraying where permitted.
- Pivot to other services that ingest metrics (Grafana, Telegraf, etc.) and look for weak integrations.
Quick checklist for pentesters
- Identify InfluxDB instances (port 8086, X-Influxdb-Version header).
- Probe /debug/requests, /metrics, and /debug/vars for unauthenticated leaks.
- Attempt unauthenticated InfluxQL queries (e.g. SHOW DATABASES).
- Use Metasploit and public PoCs to validate authentication bypass (in authorized engagements only).
- Report findings and recommend upgrade + access controls + network segmentation.
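Added triage helper (not part of the original notes): it applies the version and exposure checks from this checklist to HTTP responses already collected during an authorized engagement, so the same logic can flag your own instances for patching. The FIXED_IN threshold, the endpoint list and the embedded sample responses are assumptions constructed here.

```python
"""Triage InfluxDB fingerprints: version vs. the CVE-2019-20933 fix, plus
operational endpoints that answered without credentials."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_IN = (1, 7, 6)  # assumption: CVE-2019-20933 fixed in 1.7.6 (page states < 1.7.6 affected)
UNAUTH_ENDPOINTS = ("/debug/requests", "/debug/vars", "/metrics", "/query")


def parse_version(header: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Parse an X-Influxdb-Version value such as 'v1.7.9' or '1.7.6~rc0-1'.

    Only the numeric major.minor.patch triple is used; pre-release suffixes
    are ignored, so '1.7.6~rc0-1' compares equal to 1.7.6 (fixed per the page)."""
    if not header:
        return None
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", header)
    return tuple(int(x) for x in m.groups()) if m else None


def vulnerable_version(header: Optional[str]) -> bool:
    """True when the reported version predates the 1.7.6 fix."""
    v = parse_version(header)
    return v is not None and v < FIXED_IN


def triage(responses: List[Tuple[str, int, Dict[str, str]]]) -> dict:
    """responses: (path, status, headers) tuples for one host, gathered without
    any Authorization header. Returns the reported version, the vulnerability
    verdict and which operational endpoints answered 200 unauthenticated."""
    version = None
    exposed = []
    for path, status, headers in responses:
        version = version or headers.get("X-Influxdb-Version")
        if path in UNAUTH_ENDPOINTS and status == 200:
            exposed.append(path)
    return {"version": version,
            "vulnerable": vulnerable_version(version),
            "exposed": sorted(exposed)}


# Constructed sample responses (not real scan data): an old build that
# serves /debug/requests openly but still rejects /query.
SAMPLE = [
    ("/debug/requests", 200, {"X-Influxdb-Version": "1.7.3"}),
    ("/query", 401, {"X-Influxdb-Version": "1.7.3"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```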
Multimedia
Exploit walkthrough video: YouTube — exploit demo
Disclaimer: For education and authorized testing only. Unauthorized exploitation is illegal and unethical.