From 4a70bb80ca6b2a95c9c1c2286f774a7cf7a64227 Mon Sep 17 00:00:00 2001
From: Arm!tage
Date: Mon, 25 Dec 2023 11:08:11 +0800
Subject: [PATCH] add docker daemon exposed via http
---
 http/exposures/docker-daemon-exposed.yaml | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 http/exposures/docker-daemon-exposed.yaml
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
new file mode 100644
index 0000000000..e9601013b9
--- /dev/null
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -0,0 +1,51 @@
+id: docker-daemon-exposed
+
+info:
+ name: Docker Daemon Exposed
+ author: Arm!tage
+ severity: critical
+ description: |
+ Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
+ metadata:
+ max-request: 1
+ shodan-query: port:2375 product:"docker"
+ fofa-query: app="docker-Daemon" && port="2375"
+ verified: true
+ tags: docker,exposure
+
+http:
+ - raw:
+ - |
+ GET /version HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /v{{version}}/containers/json HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Id"
+ - "Names"
+ - "Image"
+ - "Command"
+ - "PrivatePort"
+ - "PublicPort"
+ condition: and
+ - type: word
+ part: body
+ words:
+ - '[]'
+
+
+ extractors:
+ - type: regex
+ name: version
+ group: 1
+ regex:
+ - '"ApiVersion":"(.*?)"'
+ internal: true
+
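Review bot: The second matcher fires on any response body that contains the substring `[]`, and under `matchers-condition: or` that alone produces a critical finding, so a non-Docker service whose page merely contains an empty array literal would be reported as an exposed daemon. Neither matcher checks the status code or the content type, and the bare words in the first matcher (`Id`, `Image`, `Command`) are generic too. I would require status 200, a JSON content type and the quoted container keys together, as sketched below. The sketch drops the port keys so containers without published ports still match without the `[]` fallback, and if the empty-list case has to stay it should match the whole body rather than a substring. `max-request: 1` also looks inconsistent with the two raw requests, and a `remediation:` line under `info` (bind the daemon to the local socket or require TLS client certificates) would help whoever triages the finding.

```yaml
    # … unchanged: the two raw requests …
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"Id":'
          - '"Names":'
          - '"Image":'
          - '"Command":'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
    # … unchanged: internal ApiVersion extractor …
```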