42 lines
1.4 KiB
YAML
42 lines
1.4 KiB
YAML
|
id: docker-daemon-exposed
|
||
|
|
||
|
info:
|
||
|
name: Docker Daemon Exposed
|
||
|
author: Arm!tage
|
||
|
severity: critical
|
||
|
description: |
|
||
|
Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
|
||
|
metadata:
|
||
|
verified: true
|
||
|
max-request: 2
|
||
|
shodan-query: port:2375 product:"docker"
|
||
|
fofa-query: app="docker-Daemon" && port="2375"
|
||
|
tags: docker,exposure,misconfig
|
||
|
|
||
|
http:
|
||
|
- raw:
|
||
|
- |
|
||
|
GET /version HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
|
||
|
- |
|
||
|
GET /v{{version}}/containers/json HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
|
||
|
matchers:
|
||
|
- type: dsl
|
||
|
dsl:
|
||
|
- 'status_code_2 == 200'
|
||
|
- 'contains(body_1, "ApiVersion") && contains(body_1, "GitCommit") && contains(body_1, "GoVersion") && contains(body_1, "KernelVersion")'
|
||
|
- 'contains(body_2, "Id") && contains(body_2, "Names") && contains(body_2, "Image") && contains(body_2, "Command") && contains(body_2, "PrivatePort") && contains(body_2, "PublicPort") || contains(body_2, "[]")'
|
||
|
condition: and
|
||
|
|
||
|
extractors:
|
||
|
- type: regex
|
||
|
name: version
|
||
|
group: 1
|
||
|
regex:
|
||
|
- '"ApiVersion":"(.*?)"'
|
||
|
internal: true
|
||
|
# digest: 4a0a0047304502204626aa849bc6837c86c193b5794710f7b01316c525f17924e8db7aa818772ec9022100f3c6d104e7d268933dbfbacd0b3ddf8049a9cc7fec4d9487cebbdc93877883d5:922c64590222798bb761d5b6d8e72950
|