Vifurushi vya S3 vya Umma

Kifurushi kinachukuliwa kuwa "cha umma" ikiwa mtumiaji yeyote anaweza kuorodhesha maudhui ya kifurushi, na "binafsi" ikiwa maudhui ya kifurushi yanaweza kuorodheshwa au kuandikwa na watumiaji fulani.

Kampuni zinaweza kuwa na ruhusa za vifurushi zilizopangwa vibaya zinazotoa ufikiaji kwa kila kitu au kwa kila mtu aliye na uthibitisho katika AWS katika akaunti yoyote (hivyo kwa yeyote). Kumbuka, hata na upangaji huo mbaya, baadhi ya hatua zinaweza isiweze kufanywa kwani vifurushi vinaweza kuwa na orodha zao za udhibiti wa ufikiaji (ACLs).

Jifunze kuhusu upangaji mbaya wa AWS-S3 hapa: http://flaws.cloud na http://flaws2.cloud/

Kupata Vifurushi vya AWS

Njia tofauti za kupata wakati ukurasa unatumia AWS kuhifadhi baadhi ya rasilimali:

Uorodheshaji & OSINT:

• Kutumia programu-jalizi ya wappalyzer kwenye kivinjari

• Kutumia burp (kutambaa wavuti) au kwa kutembea kwa mkono kupitia ukurasa, rasilimali zote zilizopakiwa zitahifadhiwa kwenye Historia.

• Angalia rasilimali kwenye uwanja kama:

http://s3.amazonaws.com/[jina_la_kifurushi]/
http://[jina_la_kifurushi].s3.amazonaws.com/

• Angalia CNAMES kama resources.domain.com inaweza kuwa na CNAME kifurushi.s3.amazonaws.com

• Angalia https://buckets.grayhatwarfare.com, wavuti yenye vifurushi vya wazi vilivyogunduliwa tayari.

• Jina la kifurushi na jina la uwanja wa kifurushi lazima viwe sawa.

• flaws.cloud iko kwenye IP 52.92.181.107 na ikienda huko inakuelekeza kwa https://aws.amazon.com/s3/. Pia, dig -x 52.92.181.107 inatoa s3-website-us-west-2.amazonaws.com.

• Ili kuthibitisha ni kifurushi unaweza pia kuitembelea https://flaws.cloud.s3.amazonaws.com/.

Kuvizia

Unaweza kupata vifurushi kwa kufanya nguvu ya jina zinazohusiana na kampuni unayofanya udukuzi:

• https://github.com/sa7mon/S3Scanner

• https://github.com/clario-tech/s3-inspector

• https://github.com/jordanpotti/AWSBucketDump (Ina orodha na majina ya vifurushi yanayowezekana)

• https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets

• https://github.com/smaranchand/bucky

• https://github.com/tomdev/teh_s3_bucketeers

• https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3

• https://github.com/Eilonh/s3crets_scanner

• https://github.com/belane/CloudHunter

# Unda orodha ya maneno kujenga mabadiliko
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Unda orodha ya maneno kulingana na uwanja na subdomains kwa majaribio
## Andika uwanja na subdomains hizo kwenye subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Unda mabadiliko kulingana na orodha na subdomains kushambulia
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## Zana iliyotangulia ni maalum katika kuunda mabadiliko kwa subdomains, hebu tuchuje orodha hiyo
### Ondoa mistari inayoishia na "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Unda orodha bila TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Unda orodha bila dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4http://phantom.s3.amazonaws.com/
### Unda orodha bila viungo
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Unda orodha ya mwisho
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt
## Piga simu s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists

Nyang'anya Vifurushi vya S3

Kwa kutoa vifurushi vya S3 vilivyo wazi, BucketLoot inaweza kutafuta moja kwa moja taarifa za kuvutia.

Pata Mkoa

Unaweza kupata mikoa yote inayoungwa mkono na AWS kwenye https://docs.aws.amazon.com/general/latest/gr/s3.html

Kupitia DNS

Unaweza kupata mkoa wa kifurushi kwa kutumia dig na nslookup kwa kufanya ombi la DNS la anwani ya IP iliyogunduliwa:

dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud.    5    IN    A    52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.

Hakikisha kuwa kikoa kilichotatuliwa kina neno "website". Unaweza kufikia tovuti ya msingi kwa kwenda: flaws.cloud.s3-website-us-west-2.amazonaws.com au unaweza kufikia sanduku kwa kutembelea: flaws.cloud.s3-us-west-2.amazonaws.com

Kwa Kujaribu

Ikiwa unajaribu kufikia sanduku, lakini kwenye jina la kikoa unaweka eneo lingine (kwa mfano sanduku iko katika bucket.s3.amazonaws.com lakini unajaribu kufikia bucket.s3-website-us-west-2.amazonaws.com), basi utaonyeshwa mahali sahihi:

Kuchambua sanduku

Ili kujaribu ufikiaji wa sanduku, mtumiaji anaweza tu kuingiza URL kwenye kivinjari chao cha wavuti. Sanduku la faragha litajibu na "Kupata Kukataliwa". Sanduku la umma litapanga orodha ya vitu vya kwanza 1,000 vilivyohifadhiwa.

Wazi kwa kila mtu:

Faragha:

Unaweza pia kuchunguza hili kwa kutumia cli:

#Use --no-sign-request for check Everyones permissions
#Use --profile <PROFILE_NAME> to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions
#--recursive if you want list recursivelyls
#Opcionally you can select the region if you now it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [ --recursive] [--region us-west-2]

Ikiwa ndoo haina jina la kikoa, wakati wa kujaribu kuorodhesha, weka tu jina la ndoo na siyo AWSs3 yote. Mfano: s3://<JINALANDOO>

Kigezo cha URL ya Umma

https://{user_provided}.s3.amazonaws.com

Pata ID ya Akaunti kutoka kwa Bakuli ya Umma

Inawezekana kubaini akaunti ya AWS kwa kutumia faida ya S3:ResourceAccount Sera ya Masharti ya Hali. Hali hii inazuia upatikanaji kulingana na bakuli la S3 akaunti iko ndani yake (sera zingine zinazotegemea akaunti zinazuia kulingana na akaunti ambayo mwombaji mkuu yuko ndani yake). Na kwa sababu sera inaweza kuwa na vikokotoo inawezekana kupata nambari ya akaunti moja kwa wakati mmoja.

Zana hii inaautomatisha mchakato huo:

# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext

Hii technique pia inafanya kazi na URL za API Gateway, URL za Lambda, seti za data Exchange na hata kupata thamani ya vitambulisho (ikiwa unajua ufunguo wa lebo). Unaweza kupata habari zaidi katika utafiti wa awali na zana conditional-love kwa kiotomatiki hiki cha kutumia.

Marejeo

• https://www.youtube.com/watch?v=8ZXRw4Ry3mQ

• https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/