STRLCPY/afrog

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

■ ■ ■ ■ ■ ■

afrog-pocs/vulnerability/docker-remote-api-unauth.yaml

1	+	id: docker-remote-api-unauth
2	+
3	+	info:
4	+	name: Docker remote api Unauth
5	+	author: zan8in
6	+	severity: critical
7	+	description: \|
8	+	该未授权访问漏洞是因为 Docker remote api 可执行docker命令，获取信息
9	+	从官方文档可以看出，该接口是目的是取代docker 命令界面，通过url操作docker。
10	+	而Docker swarm是docker下的分布化应用的本地集群，在开放2375监听集群容器时，就会调用这个api
11	+	protocol="docker"
12	+	reference:
13	+	- http://wiki.peiqi.tech/redteam/vulnerability/unauthorized/Docker%202375%E7%AB%AF%E5%8F%A3.html
14	+
15	+	rules:
16	+	r0:
17	+	request:
18	+	method: GET
19	+	path: /version
20	+	expression: response.status == 200 && response.body.bcontains(b'"MinAPIVersion":') && response.body.bcontains(b'"Version":') && response.body.bcontains(b'"ApiVersion":')
21	+	r1:
22	+	request:
23	+	method: GET
24	+	path: /containers/json
25	+	expression: response.status == 200 && response.body.bcontains(b'<title>GPON Home Gateway</title>')
26	+	expression: r1()

■ ■ ■ ■ ■ ■

pocs/afrog-pocs/e-vulnerability/docker-remote-api.yaml

		skipped 2 lines
3	3		info:
4	4		name: Docker Remote API
5	5		author: zan8in
6		-	severity: info
	6	+	severity: critical
7	7		description: \|
8	8		fofa: port="2375" && server="docker"
9	9		reference:
		skipped 10 lines
20	20		method: GET
21	21		path: /containers/json
22	22		expression: response.status == 200 && response.content_type.contains("application/json")
23		-	expression: r0() && r1()
	23	+	expression: r0() \|\| r1()