> For the complete documentation index, see [llms.txt](https://blog.1nf1n1ty.team/hacktricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://blog.1nf1n1ty.team/hacktricks/network-services-pentesting/8086-pentesting-influxdb.md). # 8086 - Pentesting InfluxDB

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

{% endhint %} ## Basic Information **InfluxDB** is an open-source **time series database (TSDB)** developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in **storage space** and **performance** for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance. **Default port**: 8086 ``` PORT STATE SERVICE VERSION 8086/tcp open http InfluxDB http admin 1.7.5 ``` ## Enumeration From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info. ### Authentication InfluxDB might require authentication or not ```bash # Try unauthenticated influx -host 'host name' -port 'port #' > use _internal ``` If you **get an error like** this one: `ERR: unable to parse authentication credentials` it means that it's **expecting some credentials**. ``` influx –username influx –password influx_pass ``` There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) ### Manual Enumeration The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/). #### Show databases The found databases are `telegraf` and `internal` (you will find this one everywhere) ```bash > show databases name: databases name ---- telegraf _internal ``` #### Show tables/measurements The [**InfluxDB documentation**](https://docs.influxdata.com/influxdb/v1.2/introduction/getting_started/) explains that **measurements** in InfluxDB can be paralleled with SQL tables. The nomenclature of these **measurements** is indicative of their respective content, each housing data relevant to a particular entity. ```bash > show measurements name: measurements name ---- cpu disk diskio kernel mem processes swap system ``` #### Show columns/field keys The field keys are like the **columns** of the database ```bash > show field keys name: cpu fieldKey fieldType -------- --------- usage_guest float usage_guest_nice float usage_idle float usage_iowait float name: disk fieldKey fieldType -------- --------- free integer inodes_free integer inodes_total integer inodes_used integer [ ... more keys ...] ``` #### Dump Table And finally you can **dump the table** doing something like ```bash select * from cpu name: cpu time cpu host usage_guest usage_guest_nice usage_idle usage_iowait usage_irq usage_nice usage_softirq usage_steal usage_system usage_user ---- --- ---- ----------- ---------------- ---------- ------------ --------- ---------- ------------- ----------- ------------ ---------- 1497018760000000000 cpu-total ubuntu 0 0 99.297893681046 0 0 0 0 0 0.35105315947842414 0.35105315947842414 1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101 ``` {% hint style="warning" %} In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"` {% endhint %} ### Automated Authentication ```bash msf6 > use auxiliary/scanner/http/influxdb_enum ``` {% hint style="success" %} Learn & practice AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

{% endhint %}

\ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_content=8086-pentesting-influxdb) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.1nf1n1ty.team/hacktricks/network-services-pentesting/8086-pentesting-influxdb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.