Description

A Docker Compose configuration file was found in a publicly accessible web directory, resulting in information disclosure. The file contained MySQL credentials, which could allow an attacker to connect to the database and extract sensitive information.

Docker configuration files, especially docker-compose.yml, often store environment variables that include database connection details (hostname, username, password). If such a file is served by the web server, anyone who requests it can use the leaked credentials to gain unauthorized database access.

Impact

Exposing MySQL credentials can lead to:

  • Unauthorized database access
  • Potential data leakage or modification
  • Escalation of attacks, such as injecting malicious queries

Remediation

To mitigate this issue:

  • Ensure that sensitive files like docker-compose.yml are not publicly accessible (keep them outside the web root or deny access to them in the web server configuration).
  • Use a .env file to store credentials, keep it outside the web root as well, and add it to .gitignore.
  • Limit database access to trusted IP addresses.
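A pre-commit style check for the remediation above, added here as an example and not part of the original report: it scans a docker-compose.yml for environment entries whose key looks like a credential and whose value is a literal rather than a ${VAR} reference that Compose resolves from the shell or the .env file. The function find_hardcoded_secrets and the two sample compose files are constructed for this example; the "leaky" sample mirrors the layout shown in the POC below.

```python
import re

# Keys whose literal values should never be committed in a docker-compose.yml.
SENSITIVE_KEY = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.IGNORECASE)
# Environment entries in list form ("- KEY=VALUE") and mapping form ("KEY: VALUE").
LIST_ENTRY = re.compile(r"^\s*-\s*([A-Za-z_]\w*)=(.*)$")
MAP_ENTRY = re.compile(r"^\s*([A-Za-z_]\w*):\s*(.*)$")
# "${VAR}" / "$VAR" is resolved by Compose from the shell or the .env file, so it is fine.
INTERPOLATED = re.compile(r"""^["']?\$\{?[A-Za-z_]\w*(:?[-?+][^}]*)?\}?["']?$""")


def find_hardcoded_secrets(compose_text: str) -> list:
    """Return (line number, key) for each sensitive env key whose value is a literal."""
    findings, env_indent = [], None
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # Leave the block when indentation returns to the parent level (list items may sit at the key's own indent).
        if env_indent is not None and (indent < env_indent or (indent == env_indent and stripped[0] != "-")):
            env_indent = None
        if env_indent is None:
            if stripped == "environment:":
                env_indent = indent
            continue
        match = LIST_ENTRY.match(line) or MAP_ENTRY.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if SENSITIVE_KEY.search(key) and value and not INTERPOLATED.match(value):
                findings.append((lineno, key))
    return findings


# Constructed samples: the leaked layout from the POC, and the same service with the password deferred to .env.
LEAKY_COMPOSE = """\
services:
  website:
    environment:
      - DB_HOSTNAME_PROD=mysql.example.com
      - DB_USERNAME_PROD=user@mysql
      - DB_PASSWORD_PROD=SuperSecretPass
"""
HARDENED_COMPOSE = """\
services:
  website:
    env_file: .env
    environment:
      DB_HOSTNAME_PROD: mysql.example.com
      DB_PASSWORD_PROD: ${DB_PASSWORD_PROD:?set it in .env}
"""
```

Running find_hardcoded_secrets over LEAKY_COMPOSE reports the password line, while HARDENED_COMPOSE passes because the value is only a reference; the .env file itself still has to stay out of the web root and out of version control.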

Steps to Reproduce

  1. Scan publicly accessible directories of the target for Docker files.
  2. Look for a docker-compose.yml or Dockerfile containing sensitive environment variables.
  3. Extract the MySQL credentials from the file.
  4. Use the credentials to attempt a database connection to confirm they are valid.

Proof of Concept (POC)

The exposed docker-compose.yml (credentials redacted with placeholder values):

    version: '3'

    services:
      website:
        build:
          context: ./
          dockerfile: Dockerfile_local
        environment:
          - DB_HOSTNAME_PROD=mysql.example.com
          - DB_USERNAME_PROD=user@mysql
          - DB_PASSWORD_PROD=SuperSecretPass
        volumes:
          - ./:/var/www/html
        ports:
          - 80:80
          - 443:443

Automation Code

    import requests

    # Usage: python check_docker_leak.py
    # input.txt holds one base URL per line (e.g. https://example.com); results go to output.txt.
    input_file = "input.txt"
    output_file = "output.txt"

    with open(input_file, "r") as file:
        # Ignore blank lines and strip a trailing slash so the path joins cleanly.
        urls = [line.strip().rstrip("/") for line in file.read().splitlines() if line.strip()]

    with open(output_file, "w") as output:
        for target in urls:
            try:
                response = requests.get(f"{target}/docker-compose.yml", timeout=5)
                # Only count a hit when the file is actually served and contains the password key
                # (a custom 404 page would otherwise be reported as a finding).
                if response.status_code == 200 and "DB_PASSWORD_PROD" in response.text:
                    result = f"[+] MySQL credentials found in {target}!\n{response.text}\n"
                else:
                    result = f"[-] No sensitive data exposed in {target}.\n"
                print(result)
                output.write(result + "\n")

            except requests.RequestException as e:
                error_msg = f"[!] Error fetching {target}: {e}\n"
                print(error_msg)
                output.write(error_msg + "\n")

    print(f"\nResults saved in {output_file}")


POC Video

Thanks for reading! If you found this useful, feel free to share it with your fellow hunters. Happy hacking!