41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
id: docker-daemon-exposed
|
|
|
|
info:
|
|
name: Docker Daemon Exposed
|
|
author: Arm!tage
|
|
severity: critical
|
|
description: |
|
|
Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
shodan-query: port:2375 product:"docker"
|
|
fofa-query: app="docker-Daemon" && port="2375"
|
|
tags: docker,exposure,misconfig
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /version HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
GET /v{{version}}/containers/json HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'status_code_2 == 200'
|
|
- 'contains(body_1, "ApiVersion") && contains(body_1, "GitCommit") && contains(body_1, "GoVersion") && contains(body_1, "KernelVersion")'
|
|
- 'contains(body_2, "Id") && contains(body_2, "Names") && contains(body_2, "Image") && contains(body_2, "Command") && contains(body_2, "PrivatePort") && contains(body_2, "PublicPort") || contains(body_2, "[]")'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: version
|
|
group: 1
|
|
regex:
|
|
- '"ApiVersion":"(.*?)"'
|
|
internal: true
|
|
# digest: 4a0a0047304502204626aa849bc6837c86c193b5794710f7b01316c525f17924e8db7aa818772ec9022100f3c6d104e7d268933dbfbacd0b3ddf8049a9cc7fec4d9487cebbdc93877883d5:922c64590222798bb761d5b6d8e72950 |