afrog-pocs/vulnerability/docker-remote-api-unauth.yaml
| 1 | + | id: docker-remote-api-unauth |
| 2 | + | |
| 3 | + | info: |
| 4 | + | name: Docker remote api Unauth |
| 5 | + | author: zan8in |
| 6 | + | severity: critical |
| 7 | + | description: | |
| 8 | + | 该未授权访问漏洞是因为 Docker remote api 可执行docker命令,获取信息 |
| 9 | + | 从官方文档可以看出,该接口是目的是取代docker 命令界面,通过url操作docker。 |
| 10 | + | 而Docker swarm是docker下的分布化应用的本地集群,在开放2375监听集群容器时,就会调用这个api |
| 11 | + | protocol="docker" |
| 12 | + | reference: |
| 13 | + | - http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/Docker%202375%E7%AB%AF%E5%8F%A3.html |
| 14 | + | |
| 15 | + | rules: |
| 16 | + | r0: |
| 17 | + | request: |
| 18 | + | method: GET |
| 19 | + | path: /version |
| 20 | + | expression: response.status == 200 && response.body.bcontains(b'"MinAPIVersion":') && response.body.bcontains(b'"Version":') && response.body.bcontains(b'"ApiVersion":') |
| 21 | + | r1: |
| 22 | + | request: |
| 23 | + | method: GET |
| 24 | + | path: /containers/json |
| 25 | + | expression: response.status == 200 && response.body.bcontains(b'<title>GPON Home Gateway</title>') |
| 26 | + | expression: r1() |
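Review bot: the final expression on line 26 is `r1()` alone, and r1 (line 25) matches `<title>GPON Home Gateway</title>` in the response to GET /containers/json, so the `/version` check in r0 is never evaluated and the template only fires on a page carrying that GPON title, not on the Docker version response r0 tests for. The r1 body match is an HTML title unrelated to the Docker API and looks carried over from another template. Suggest making the final expression depend on r0 (for example `r0()` or `r0() && r1()`), and either dropping r1 or changing its body match to something the container list endpoint returns as JSON. Separately, `protocol="docker"` on line 11 sits inside the description block scalar; if it is meant as a fingerprint query rather than description text, it should be labelled as such or moved out.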