I. Introduction

This article records an experiment in cracking the X-Pack plugin, using ELK 7.17.1 as the example, and the integration of ELK with LDAP. All methods in this article come from the internet; **the author does this purely for research and study, not for commercial use, and hereby declares so.**
Reference links:

II. Decompiling and cracking x-pack

Find the jar for your version

ls /usr/share/elasticsearch/modules | grep x-pack-core

Extract the jar

ll /usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar
# Elasticsearch runs in docker, so copy the jar into the data folder to get it out of the container
cp /usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar /usr/share/elasticsearch/data/
# Download the jar from the host
sz /opt/khalidfile/docker/data/elk/elasticsearch/es-data/x-pack-core-7.17.1.jar

Decompile and re-package the jar

  1. Rename x-pack-core-7.17.1.jar to x-pack-core-7.17.1.zip
  2. Unzip x-pack-core-7.17.1.zip
  3. In the directory x-pack-core-7.17.1/org/elasticsearch/license, find LicenseVerifier.class
  4. In the directory x-pack-core-7.17.1/org/elasticsearch/xpack/core, find XPackBuild.class
  5. Extract these two files and modify them

Modify LicenseVerifier.java

LicenseVerifier has two static methods; these are the methods that verify whether the license file is valid. We change both of them to always return true.

package org.elasticsearch.license;

/**
 * LicenseVerifier
 *
 * @author khalid
 * @version V1.0
 * @since 2023-11-28 10:56
 */
public class LicenseVerifier {
    public LicenseVerifier() {
    }

    public static boolean verifyLicense(License license, byte[] publicKeyData) {
        return true;
    }

    public static boolean verifyLicense(License license) {
        return true;
    }
}

Modify XPackBuild.java

In XPackBuild, delete the whole try part of the last static block; this is the part that checks whether the jar has been modified.

package org.elasticsearch.xpack.core;

import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarInputStream;
import java.util.jar.Manifest;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;

/**
 * XPackBuild
 *
 * @author khalid
 * @version V1.0
 * @since 2023-11-28 10:49
 */
public class XPackBuild {
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(
        reason = "looks up path of xpack.jar directly"
    )
    static Path getElasticsearchCodebase() {
        URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();

        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException var2) {
            throw new RuntimeException(var2);
        }
    }

    XPackBuild(String shortHash, String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            // if (path.toString().endsWith(".jar")) {
            //     try {
            //         JarInputStream jar = new JarInputStream(Files.newInputStream(path));
            //
            //         try {
            //             Manifest manifest = jar.getManifest();
            //             shortHash = manifest.getMainAttributes().getValue("Change");
            //             date = manifest.getMainAttributes().getValue("Build-Date");
            //         } catch (Throwable var7) {
            //             try {
            //                 jar.close();
            //             } catch (Throwable var6) {
            //                 var7.addSuppressed(var6);
            //             }
            //
            //             throw var7;
            //         }
            //
            //         jar.close();
            //     } catch (IOException var8) {
            //         throw new RuntimeException(var8);
            //     }
            // } else {
            shortHash = "Unknown";
            date = "Unknown";
        }

        CURRENT = new XPackBuild(shortHash, date);
    }
}

Generate the .class files

After the two files LicenseVerifier.java and XPackBuild.java have been modified on the local machine, they need to be copied to the elasticsearch server, compiled into class files, and then packaged into x-pack-core-7.17.1.jar. Here we put the two files in the /opt directory.

mv /usr/share/elasticsearch/data/LicenseVerifier.java /opt/
mv /usr/share/elasticsearch/data/XPackBuild.java /opt/
cd /opt

# Compile LicenseVerifier.java
/usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/elasticsearch-7.17.1.jar:/usr/share/elasticsearch/lib/lucene-core-8.11.1.jar:/usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar:/usr/share/elasticsearch/modules/x-pack-core/netty-common-4.1.66.Final.jar:/usr/share/elasticsearch/lib/elasticsearch-core-7.17.1.jar" /opt/LicenseVerifier.java

# Compile XPackBuild.java
/usr/share/elasticsearch/jdk/bin/javac -cp "/usr/share/elasticsearch/lib/elasticsearch-7.17.1.jar:/usr/share/elasticsearch/lib/lucene-core-8.11.1.jar:/usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar:/usr/share/elasticsearch/modules/x-pack-core/netty-common-4.1.66.Final.jar:/usr/share/elasticsearch/lib/elasticsearch-core-7.17.1.jar" /opt/XPackBuild.java

# List the compiled files
ls /opt | grep .class
LicenseVerifier.class
XPackBuild.class

Replace LicenseVerifier.class and XPackBuild.class

We extract the x-pack-core-7.17.1.jar from the /usr/share/elasticsearch/modules/x-pack-core directory into a temporary /opt/x-pack directory.

mkdir -p /opt/x-pack
cd /opt/x-pack
cp /usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar /opt/x-pack

# Unpack x-pack-core-7.17.1.jar
/usr/share/elasticsearch/jdk/bin/jar -xvf x-pack-core-7.17.1.jar

# Replace the .class files
cp /opt/XPackBuild.class /opt/x-pack/org/elasticsearch/xpack/core/
cp /opt/LicenseVerifier.class /opt/x-pack/org/elasticsearch/license/

Package the new x-pack-core-7.17.1.jar file

cd /opt/x-pack
# Delete the jar that was copied here temporarily
rm -rf x-pack-core-7.17.1.jar
ls
# "." means all files in the current directory
/usr/share/elasticsearch/jdk/bin/jar cvf x-pack-core-7.17.1.jar .

At this point a new x-pack-core-7.17.1.jar file is generated in the /opt/x-pack directory. This is the cracked file.

Download the x-pack-core-7.17.1.jar file

cp /opt/x-pack/x-pack-core-7.17.1.jar /usr/share/elasticsearch/data/
# Download the file from the host
sz /opt/khalidfile/docker/data/elk/elasticsearch/es-data/x-pack-core-7.17.1.jar

Modify the docker-compose file

volumes:
# Add the following entry
- /opt/khalidfile/docker/data/elk/elasticsearch/jar/x-pack-core-7.17.1.jar:/usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.17.1.jar

Restart the docker application

docker-compose up -d

Activate the License

Apply for a License

After completing the steps above, you need to apply for a license on the elastic website (License application address); apply for the free one-year license. Once the application is complete, a file is sent to your mailbox. Open it:

Click Download the license for Elasticsearch 5.x/6.x.

Edit the License

The following is an example from the internet; download and modify the License you applied for yourself.

After downloading, open the file and change the license's type, expiry_date_in_millis and max_nodes as follows:

  • "type": "platinum"
  • "expiry_date_in_millis": 2524579200999
  • "max_nodes": 1000

{
    "license": {
        "uid": "c3f3df93-4636-45af-aafa-65d982dcabcd",
        "type": "platinum", // change this
        "issue_date_in_millis": 1594598400000,
        "expiry_date_in_millis": 2524579200999, // change this
        "max_nodes": 1000, // change this
        "issued_to": "Yun Ma (alibaba)",
        "issuer": "Web Form",
        "signature": "<signature omitted>",
        "start_date_in_millis": 1594598400000
    }
}

Upload the License

Then upload this License json file through kibana.

Enable x-pack security authentication

Edit elasticsearch.yml

cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.authc.realms.ldap.ldap1.order: 0
xpack.security.authc.realms.ldap.ldap1.url: "ldap://xxx:389"
xpack.security.authc.realms.ldap.ldap1.bind_dn: "cn=admin,dc=xxx,dc=com"
xpack.security.authc.realms.ldap.ldap1.bind_password: "xxx"
xpack.security.authc.realms.ldap.ldap1.user_search.base_dn: "ou=People,dc=xxx,dc=com"
xpack.security.authc.realms.ldap.ldap1.user_search.filter: "(mail={0})"
xpack.security.authc.realms.ldap.ldap1.group_search.base_dn: "dc=xxx,dc=com"
xpack.security.authc.realms.ldap.ldap1.unmapped_groups_as_roles: false

Modify the docker-compose file

volumes:
# Add the following entry
- /opt/khalidfile/docker/data/elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml

Restart docker

docker-compose down
docker-compose up -d

Create the role elk_ldap

Create the new role elk_ldap in kibana

Bind the role to the LDAP user group

Run the following in kibana's Dev Tools:

POST /_xpack/security/role_mapping/users
{
    "roles": [ "elk_ldap" ],
    "enabled": true,
    "rules": {
        "field" : { "dn" : "*,ou=People,dc=xxx,dc=com" }
    }
}
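To see which LDAP users the mapping above actually grants elk_ldap to, here is an added example (not from the original post) that models Elasticsearch's role-mapping rule evaluation in Python: `field` rules with `*` wildcards, plus the `all`, `any` and `except` combinators, and the `enabled` flag. It is a simplified model (case-insensitive glob matching on the DN string rather than full DN normalisation); the second and third mappings are constructed for illustration.

```python
import fnmatch

# Constructed sample mappings: "users" is the mapping from the page; the other
# two are made up to show role accumulation and the effect of enabled=false.
ROLE_MAPPINGS = {
    "users": {"roles": ["elk_ldap"], "enabled": True,
              "rules": {"field": {"dn": "*,ou=People,dc=xxx,dc=com"}}},
    "ops_admins": {"roles": ["superuser"], "enabled": True,
                   "rules": {"all": [
                       {"field": {"dn": "*,ou=People,dc=xxx,dc=com"}},
                       {"field": {"groups": "cn=ops,ou=Groups,dc=xxx,dc=com"}}]}},
    "legacy_everyone": {"roles": ["superuser"], "enabled": False,
                        "rules": {"field": {"username": "*"}}},
}


def _field_matches(pattern, value):
    # Simplified model: DN comparison is case-insensitive, '*' is a wildcard.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule, user):
    """Evaluate one role-mapping rule against a user dict
    with keys username, dn and groups (a list of group DNs)."""
    if "field" in rule:
        (name, pattern), = rule["field"].items()
        values = user.get(name, [])
        values = values if isinstance(values, list) else [values]
        patterns = pattern if isinstance(pattern, list) else [pattern]
        # A field rule matches if any pattern matches any of the user's values.
        return any(_field_matches(p, v) for p in patterns for v in values)
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule: {rule}")


def roles_for(user, mappings=ROLE_MAPPINGS):
    """Return the sorted list of roles granted by all enabled mappings."""
    roles = set()
    for mapping in mappings.values():
        if mapping["enabled"] and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)
```

Running it against a few constructed users shows that only entries directly under ou=People get elk_ldap, and a disabled mapping grants nothing even though its rule matches everyone.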

View the role mapping

GET /_xpack/security/role_mapping?pretty

Summary

All content in this article is for personal study only; please do not use it for commercial purposes, thank you!