The wooyun container

Installation references:

v7hinc/wooyun - Docker Image | Docker Hub

Dockerfile

V7hinc/wooyun_final: a Docker build of the WooYun vulnerability database, built from the data provided by hanc00l and m0l1ce, containing 88K vulnerability records (github.com)
```dockerfile
FROM centos:7
MAINTAINER V7hinc
ENV WOOYUN_DB="wooyun"
ENV DB_Root_Password="wooyun"
ENV SITE_ROOT /home/wwwroot/default
RUN set -x;\
yum -y install wget git;\
cd /tmp;\
# install lamp
wget http://soft.vpser.net/lnmp/lnmp1.7.tar.gz -cO lnmp1.7.tar.gz;\
tar zxf lnmp1.7.tar.gz && cd lnmp1.7;\
# lnmp unattended-install variables: DBSelect="6" means MariaDB 5.5, PHPSelect="5" means PHP 5.6, SelectMalloc="1" means no memory allocator is installed, ApacheSelect="1" means Apache 2.2; for the others see https://lnmp.org/faq/v1-5-auto-install.html
LNMP_Auto="y" DBSelect="6" DB_Root_Password="${DB_Root_Password}" InstallInnodb="y" PHPSelect="5" SelectMalloc="1" ApacheSelect="1" ServerAdmin="" ./install.sh lamp;
# enter the web root directory
WORKDIR ${SITE_ROOT}
# pull the site source
RUN set -x;\
# clear the default data under the web root
rm -rf *;\
# clone the site source into the current directory
git clone https://github.com/V7hinc/wooyun_final.git ./;\
# delete the Dockerfile
rm -rf Dockerfile;\
# replace the database password
sed -i "s/root\")/${DB_Root_Password}\")/" conn.php;
# restore the wooyun database
RUN set -x;\
# start mariadb
lnmp mariadb restart;\
# create the wooyun database
create_db_sql="create database IF NOT EXISTS ${WOOYUN_DB}";\
mysql -hlocalhost -P3306 -uroot -p${DB_Root_Password} -e "${create_db_sql}";\
# download the database source files
echo "正在下载wooyun_bugs_db.tar.bz2文件";\
wget -c https://github.com/V7hinc/wooyun_final/releases/download/1.0/wooyun_bugs_db.tar.bz2;\
# extract the database source files into the wooyun database directory
tar xjvf wooyun_bugs_db.tar.bz2 -C /usr/local/mariadb/var/${WOOYUN_DB};\
# remove the archive
rm -rf wooyun_bugs_db.tar.bz2;
# write the start-up script
RUN set -x;\
echo "#!/bin/bash" >> /autostart.sh;\
# nginx restart
echo "lnmp restart;" >> /autostart.sh;\
# keep a foreground process running
echo "/bin/bash;" >> /autostart.sh;\
chmod 755 /autostart.sh;
VOLUME ["${SITE_ROOT}/upload"]
EXPOSE 80
EXPOSE 3306
# make the web root the default working directory when entering the container
WORKDIR ${SITE_ROOT}
ENTRYPOINT ["/autostart.sh"]
```
Image analysis

Search Docker Hub for the image:

```shell
docker search wooyun
```

Pull the image:

```shell
docker pull v7hinc/wooyun
```

Export the image and save it as wooyun.tar (this takes tens of seconds, depending on the image size):

```shell
docker save -o wooyun.tar v7hinc/wooyun
```

Extract that tar file:
First look at manifest.json. It contains three fields: Config, RepoTags and Layers. Config names the image configuration JSON file, here 733242646ba649f19be0efe15eb0dfee995e0ae431fdcce76688a072f82925d3.json; RepoTags gives the image name and tag; Layers lists the image's layers, one element per layer directory. From it we can see that this image has five layers, corresponding to:

33b5e87a65b65985a0445827bd27436b3467bb578d1b1cc2aa0b6000685fb4bf/layer.tar
e203e4e9c0ac9eb1226cb20ac3da1946c2378ad4574b6c7d31f91edd5bfd2617/layer.tar
519c3f049f3fdc543f41ade13ec96b228e0c6ce2f68b3cb7444d63cf860c8dea/layer.tar
e7ed979c2c7053a45f10ce0b625eb7e0679d11512c96d55a4f5d25a351201569/layer.tar
fd857d4057e86fcdf2de6b09a0e13442010a46401744924bf9ed921806c44754/layer.tar

```json
[{"Config":"733242646ba649f19be0efe15eb0dfee995e0ae431fdcce76688a072f82925d3.json","RepoTags":["v7hinc/wooyun:latest"],"Layers":["33b5e87a65b65985a0445827bd27436b3467bb578d1b1cc2aa0b6000685fb4bf/layer.tar","e203e4e9c0ac9eb1226cb20ac3da1946c2378ad4574b6c7d31f91edd5bfd2617/layer.tar","519c3f049f3fdc543f41ade13ec96b228e0c6ce2f68b3cb7444d63cf860c8dea/layer.tar","e7ed979c2c7053a45f10ce0b625eb7e0679d11512c96d55a4f5d25a351201569/layer.tar","fd857d4057e86fcdf2de6b09a0e13442010a46401744924bf9ed921806c44754/layer.tar"]}]
```
The contents of 733242646ba649f19be0efe15eb0dfee995e0ae431fdcce76688a072f82925d3.json:
{ "architecture":"amd64", "author":"V7hinc", "config":{ "Hostname":"", "Domainname":"", "User":"", "AttachStdin":false, "AttachStdout":false, "AttachStderr":false, "ExposedPorts":{"3306/tcp":{},"80/tcp":{}}, "Tty":false, "OpenStdin":false, "StdinOnce":false, "Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","WOOYUN_DB=wooyun","DB_Root_Password=wooyun","SITE_ROOT=/home/wwwroot/default"], "Cmd":null, "Image":"sha256:e751337e6949667e081b823b6c3ff0aaa9d6c62860fb20755873953118fb28ff", "Volumes":{"/home/wwwroot/default/upload":{}}, "WorkingDir":"/home/wwwroot/default", "Entrypoint":["/autostart.sh"], "OnBuild":null, "Labels":{"org.label-schema.build-date":"20200809","org.label-schema.license":"GPLv2", "org.label-schema.name":"CentOS Base Image", "org.label-schema.schema-version":"1.0", "org.label-schema.vendor":"CentOS", "org.opencontainers.image.created":"2020-08-09 00:00:00+01:00", "org.opencontainers.image.licenses":"GPL-2.0-only", "org.opencontainers.image.title":"CentOS Base Image", "org.opencontainers.image.vendor":"CentOS"} }, "container":"1423d454aa6bb1ea6e6a6e98ad32c4aec4369eef6a58c5855d88c3f754ce81b3", "container_config":{ "Hostname":"1423d454aa6b", "Domainname":"", "User":"", "AttachStdin":false, "AttachStdout":false, "AttachStderr":false, "ExposedPorts":{"3306/tcp":{},"80/tcp":{}}, "Tty":false, "OpenStdin":false, "StdinOnce":false, "Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","WOOYUN_DB=wooyun","DB_Root_Password=wooyun","SITE_ROOT=/home/wwwroot/default"], "Cmd":["/bin/sh","-c","#(nop) ","ENTRYPOINT [\"/autostart.sh\"]"], "Image":"sha256:e751337e6949667e081b823b6c3ff0aaa9d6c62860fb20755873953118fb28ff", "Volumes":{"/home/wwwroot/default/upload":{}}, "WorkingDir":"/home/wwwroot/default", "Entrypoint":["/autostart.sh"], "OnBuild":null, "Labels":{ "org.label-schema.build-date":"20200809", "org.label-schema.license":"GPLv2", "org.label-schema.name":"CentOS Base Image", "org.label-schema.schema-version":"1.0", 
"org.label-schema.vendor":"CentOS", "org.opencontainers.image.created":"2020-08-09 00:00:00+01:00", "org.opencontainers.image.licenses":"GPL-2.0-only", "org.opencontainers.image.title":"CentOS Base Image", "org.opencontainers.image.vendor":"CentOS" } }, "created":"2020-09-26T08:17:24.141981121Z", "docker_version":"19.03.8", "history":[{"created":"2020-08-10T18:20:08.948813347Z", "created_by":"/bin/sh -c #(nop) ADD file:61908381d3142ffba798ae9a904476d19b197ab79d0338f14bec0f76649df8d4 in / "}, {"created":"2020-08-10T18:20:09.298928893Z", "created_by":"/bin/sh -c #(nop) LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20200809 org.opencontainers.image.title=CentOS Base Image org.opencontainers.image.vendor=CentOS org.opencontainers.image.licenses=GPL-2.0-only org.opencontainers.image.created=2020-08-09 00:00:00+01:00", "empty_layer":true}, {"created":"2020-08-10T18:20:09.474278304Z", "created_by":"/bin/sh -c #(nop) CMD [\"/bin/bash\"]", "empty_layer":true},{"created":"2020-09-26T07:45:50.273037587Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) MAINTAINER V7hinc", "empty_layer":true}, {"created":"2020-09-26T07:45:50.535602119Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) ENV WOOYUN_DB=wooyun", "empty_layer":true}, {"created":"2020-09-26T07:45:50.800755999Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) ENV DB_Root_Password=wooyun", "empty_layer":true}, {"created":"2020-09-26T07:45:51.078089971Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) ENV SITE_ROOT=/home/wwwroot/default", "empty_layer":true}, {"created":"2020-09-26T08:16:36.486994633Z", "author":"V7hinc", "created_by":"/bin/sh -c set -x;yum -y install wget git;cd /tmp;wget http://soft.vpser.net/lnmp/lnmp1.7.tar.gz -cO lnmp1.7.tar.gz;tar zxf lnmp1.7.tar.gz \u0026\u0026 cd lnmp1.7;LNMP_Auto=\"y\" DBSelect=\"6\" DB_Root_Password=\"${DB_Root_Password}\" 
InstallInnodb=\"y\" PHPSelect=\"5\" SelectMalloc=\"1\" ApacheSelect=\"1\" ServerAdmin=\"\" ./install.sh lamp;"}, {"created":"2020-09-26T08:16:37.736561615Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) WORKDIR /home/wwwroot/default", "empty_layer":true}, {"created":"2020-09-26T08:16:39.029781199Z", "author":"V7hinc", "created_by":"/bin/sh -c set -x;rm -rf *;git clone https://github.com/V7hinc/wooyun_final.git ./;rm -rf Dockerfile;sed -i \"s/root\\\")/${DB_Root_Password}\\\")/\" conn.php;"}, {"created":"2020-09-26T08:17:22.48714402Z", "author":"V7hinc", "created_by":"/bin/sh -c set -x;lnmp mariadb restart;create_db_sql=\"create database IF NOT EXISTS ${WOOYUN_DB}\";mysql -hlocalhost -P3306 -uroot -p${DB_Root_Password} -e \"${create_db_sql}\";echo \"正在下载wooyun_bugs_db.tar.bz2文件\";wget -c https://github.com/V7hinc/wooyun_final/releases/download/1.0/wooyun_bugs_db.tar.bz2;tar xjvf wooyun_bugs_db.tar.bz2 -C /usr/local/mariadb/var/${WOOYUN_DB};rm -rf wooyun_bugs_db.tar.bz2;"}, {"created":"2020-09-26T08:17:23.277388147Z", "author":"V7hinc", "created_by":"/bin/sh -c set -x;echo \"#!/bin/bash\" \u003e\u003e /autostart.sh;echo \"lnmp restart;\" \u003e\u003e /autostart.sh;echo \"/bin/bash;\" \u003e\u003e /autostart.sh;chmod 755 /autostart.sh;"}, {"created":"2020-09-26T08:17:23.45705874Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) VOLUME [/home/wwwroot/default/upload]", "empty_layer":true}, {"created":"2020-09-26T08:17:23.63338606Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) EXPOSE 80", "empty_layer":true}, {"created":"2020-09-26T08:17:23.790678121Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) EXPOSE 3306", "empty_layer":true}, {"created":"2020-09-26T08:17:23.975235317Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) WORKDIR /home/wwwroot/default", "empty_layer":true}, {"created":"2020-09-26T08:17:24.141981121Z", "author":"V7hinc", "created_by":"/bin/sh -c #(nop) ENTRYPOINT [\"/autostart.sh\"]", "empty_layer":true}], "os":"linux", 
"rootfs":{ "type":"layers", "diff_ids":["sha256:613be09ab3c0860a5216936f412f09927947012f86bfa89b263dfa087a725f81","sha256:211ed803113c21a810793cbc242ab2e7d4476c2ebeb6de8b56beed3f1c6409bc","sha256:18134933659bea1138575ddd1ca379f76adfab1506a73355b2f8b9d85c3a5e21","sha256:383c016287741f6073a01ced1227b2062be91e13f3874c2116619773f6b0d355","sha256:5d287207f15bd783319d2adae013ef08ce2a18ece02f9ffec6f37ae1fac19ad8"] } }
This file records the image's key information; the linked reference explains the meaning of each field. For example, config holds the basic execution parameters used when a container is created from the image, and Cmd holds the default arguments for the container's entrypoint.

What we care about most is the history list. It lists every layer in the image; a Docker image is a stack of these layers. Almost every instruction in the Dockerfile becomes one layer describing the change that instruction made to the image. Entries marked "empty_layer": true (ENV, LABEL, EXPOSE, WORKDIR, ENTRYPOINT and so on) change only metadata and produce no layer.tar, which is why 18 history entries correspond to just five layers: the base ADD plus the four RUN steps.

Inside Docker, the docker inspect (show detailed information) and docker history (show the build history) commands display the same information for an image or container; it corresponds one-to-one with the above.
Next, open the 33b5e87a65b65985a0445827bd27436b3467bb578d1b1cc2aa0b6000685fb4bf directory. It contains three files:

VERSION json layer.tar

VERSION gives the version of the wooyun image, 1.0; much of the json file duplicates what is in the config above. The real content of the image is in layer.tar: extract it and the resulting directory tree is the corresponding Linux filesystem. All five directories contain the same three files; only their contents differ (different OS versions and so on).
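The manual walk through manifest.json, the config's history list and the layer directories can be automated. The Python below is an added example (not part of the wooyun project or of this post): it rebuilds the Dockerfile instructions from history, pairs the filesystem-changing entries with the layer.tar files in manifest order, and flags ENV entries whose names look like credentials, since the config above exposes DB_Root_Password=wooyun to anyone who pulls the image. The sample data is a constructed, abbreviated copy of the JSON shown above.

```python
import re
# Constructed sample, abbreviated from the manifest.json and config JSON above: (created_by, empty_layer)
# per history entry plus the five layer.tar names; "..." marks where long RUN commands were cut.
HISTORY = [
    ("/bin/sh -c #(nop) ADD file:61908381d3142ffba798ae9a904476d19b197ab79d0338f14bec0f76649df8d4 in / ", False),
    ("/bin/sh -c #(nop) ENV DB_Root_Password=wooyun", True),
    ("/bin/sh -c set -x;yum -y install wget git;cd /tmp;...;./install.sh lamp;", False),
    ("/bin/sh -c set -x;rm -rf *;git clone https://github.com/V7hinc/wooyun_final.git ./;...", False),
    ("/bin/sh -c set -x;lnmp mariadb restart;...;tar xjvf wooyun_bugs_db.tar.bz2 -C /usr/local/mariadb/var/wooyun;...", False),
    ('/bin/sh -c set -x;echo "#!/bin/bash" >> /autostart.sh;...;chmod 755 /autostart.sh;', False),
    ('/bin/sh -c #(nop) ENTRYPOINT ["/autostart.sh"]', True),
]
MANIFEST = {"RepoTags": ["v7hinc/wooyun:latest"], "Layers": [
    "33b5e87a65b65985a0445827bd27436b3467bb578d1b1cc2aa0b6000685fb4bf/layer.tar",
    "e203e4e9c0ac9eb1226cb20ac3da1946c2378ad4574b6c7d31f91edd5bfd2617/layer.tar",
    "519c3f049f3fdc543f41ade13ec96b228e0c6ce2f68b3cb7444d63cf860c8dea/layer.tar",
    "e7ed979c2c7053a45f10ce0b625eb7e0679d11512c96d55a4f5d25a351201569/layer.tar",
    "fd857d4057e86fcdf2de6b09a0e13442010a46401744924bf9ed921806c44754/layer.tar",
]}
CONFIG = {
    "config": {"Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                       "WOOYUN_DB=wooyun", "DB_Root_Password=wooyun", "SITE_ROOT=/home/wwwroot/default"]},
    "history": [{"created_by": c, "empty_layer": e} for c, e in HISTORY],
}
NOP, SHELL = "/bin/sh -c #(nop) ", "/bin/sh -c "
SECRET_KEY = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

def history_to_dockerfile(config):
    """Map each history entry back to the Dockerfile instruction that produced it."""
    out = []
    for cmd in (h["created_by"] for h in config["history"]):
        if cmd.startswith(NOP):            # metadata-only step: the instruction is stored verbatim
            out.append(cmd[len(NOP):].strip())
        elif cmd.startswith(SHELL):        # shell-form RUN: drop the shell wrapper
            out.append("RUN " + cmd[len(SHELL):])
        else:                              # BuildKit or exec-form entries: keep raw, commented out
            out.append("# " + cmd)
    return out

def map_layers(manifest, config):
    """Pair each filesystem-changing step (no empty_layer flag) with its layer.tar, in order."""
    steps = [h["created_by"] for h in config["history"] if not h.get("empty_layer")]
    if len(steps) != len(manifest["Layers"]):
        raise ValueError(f"{len(steps)} filesystem steps but {len(manifest['Layers'])} layers")
    return list(zip(manifest["Layers"], steps))

def leaked_env_secrets(config):
    """ENV entries whose name looks like a credential; anyone who pulls the image can read them."""
    return [e for e in config["config"]["Env"] if SECRET_KEY.search(e.split("=", 1)[0])]
```

For a real image, load manifest.json and the config file it names with json.load and pass them in; entries produced by BuildKit use a different created_by format and are emitted as comments rather than guessed at.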
Tools

dive

dive: GitHub - wagoodman/dive: A tool for exploring each layer in a docker image

With dive you can inspect the contents of each image layer and what each layer changed relative to the previous one; the figure below shows dive analysing an ubuntu image. dive's main features:

- The top-left of the screen lists the image layers together with the size of each layer.
- General statistics are provided on the image's efficiency (as a percentage), the potentially wasted space, and the total image size.
- For each selected layer, the right-hand side shows the filesystem view for that layer, including size data for every directory.

To analyse a Docker image, run dive with the image tag/id/digest:

```shell
dive <your-image-tag>
```

Or, if you want to build a new image of your own and analyse it straight away:

```shell
dive build -t <some-tag> .
```
Key bindings

| Key binding | Description |
|---|---|
| Ctrl + C | Exit |
| Tab or Ctrl + Space | Switch between the layer and filetree views |
| Ctrl + F | Filter files |
| Ctrl + A | Layer view: show aggregated image modifications |
| Ctrl + L | Layer view: show current layer modifications |
| Space | Filetree view: collapse/uncollapse a directory |
| Ctrl + A | Filetree view: show/hide added files |
| Ctrl + R | Filetree view: show/hide removed files |
| Ctrl + M | Filetree view: show/hide modified files |
| Ctrl + U | Filetree view: show/hide unmodified files |
| PageUp | Filetree view: scroll up a page |
| PageDown | Filetree view: scroll down a page |
Other tools

Some websites and tools for analysing container images:

- contains, a website that analyses container images online.
- trivy, an image scanner that detects vulnerabilities and configuration problems in images, filesystems and git repositories.
- Clair, static analysis of vulnerabilities in container images.
- Anchore, deep analysis of docker images; scans container images and filesystems for vulnerabilities.
- Dagda, static analysis of docker images and containers for trojans, malware, viruses and other known vulnerabilities.
- Aqua Security, protects applications built with cloud-native technologies such as containers.
Thoughts

This reverse engineering stops at the case where the other party's container image is public; it cannot work on a container image they have not published. If one could already get an interactive session inside the other party's container and then escape to the host, reversing the image would not be worth much anyway, since with interactive access the whole container filesystem can be packed up, and reaching the host still requires root privileges to operate docker (Windows systems are friendlier here, you know what I mean).

Purpose

When you do not have a container's Dockerfile, reverse engineering lets you conveniently learn its configuration and gives you a chance to reconstruct its Dockerfile.