s3sec: checking AWS S3 buckets for read, write and delete access


About s3sec

Test AWS S3 buckets for read/write/delete access

This tool was developed to quickly test a list of S3 buckets for public read, write and delete access during penetration testing for bug bounty programs.

Installation

Clone the git repo to your machine:

git clone https://github.com/0xmoot/s3sec

Usage

Check a single S3 bucket:

echo "test-instance.s3.amazonaws.com" | python3 s3sec.py

Or:

echo "test-instance" | python3 s3sec.py

Check a list of S3 buckets:

cat locations | python3 s3sec.py

Setting up the AWS CLI and credentials (optional)

To get the most out of this tool, you should install the AWS CLI and set up user credentials.

With the AWS CLI available, a series of deeper tests is enabled (unsigned read, writing a file, and deleting a file).

Installing the AWS CLI on Kali Linux

To install the AWS CLI, simply run the following command:

pip3 install awscli

Obtaining AWS credentials (Access Key ID and Secret Access Key)

  1. Sign up for Amazon AWS on the official website: https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc
  2. Log in to your AWS account and click My Security Credentials.
  3. Click Access keys (access key ID and secret access key) to obtain the login credentials for the AWS CLI.
  4. Then click the Show Access Key option to get your Access Key ID and Secret Access Key, or download them instead.

Configuring the AWS CLI on Kali Linux

  1. Open a terminal and run the following command, then enter the AWS Access Key ID and AWS Secret Access Key created in the previous steps.

aws configure

Use the following default settings:

AWS Access Key Id: <<Your Key>>
AWS Secret Access Key: <<Your Secret Access Key>>
Default region name: ap-south-1
Default output format: json

Tool source code:

s3sec.py

#
#
#   s3sec developed by 0xmoot
#
#   Test AWS S3 instances for read/write/delete access
#   Usage: cat locations | python3 s3sec.py
#
#   0xmoot.com
#   twitter.com/0xmoot
#
#   Found a bug bounty using this tool? Feel free to add me as a collaborator: 0xmoot
#
#

import os
import subprocess
import sys

import requests
import urllib3

# Certificate verification is disabled in http_get (verify=False); silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Raw strings so the backslashes in the banner are not interpreted as escape sequences.
print(r"     _____               ", file=sys.stderr)
print(r" ___|___ / ___  ___  ___ ", file=sys.stderr)
print(r"/ __| |_ \/ __|/ _ \/ __|", file=sys.stderr)
print(r"\__ \___) \__ \  __/ (__ ", file=sys.stderr)
print(r"|___/____/|___/\___|\___|", file=sys.stderr)
print("", file=sys.stderr)
print("\t0xmoot.com", file=sys.stderr)
print("\ttwitter.com/0xmoot", file=sys.stderr)
print("", file=sys.stderr)
print("Found a bug bounty using this tool?", file=sys.stderr)
print("Feel free to add me as a collaborator: 0xmoot :)", file=sys.stderr)
print("", file=sys.stderr)
print("Disclaimer: Use with caution. You are responsible for your actions.", file=sys.stderr)
print("Developers assume no liability and are not responsible for any misuse or damage.", file=sys.stderr)
print("Usage: cat locations | python3 s3sec.py", file=sys.stderr)
print("", file=sys.stderr)


class http_obj:
    """Minimal holder for the parts of an HTTP response the checks below look at."""
    status_code: int = -1
    text: str = ""
    _url: str = ""


def http_get(url):
    """Fetch url without certificate verification; status_code -1 means the request failed."""
    data = http_obj()
    data._url = url

    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
        'connection': 'close'
    }

    try:
        r = requests.get(url, headers=headers, verify=False, timeout=3)
        data.status_code = r.status_code
        data.text = r.text
    except requests.exceptions.RequestException:
        # connection error or timeout: text stays empty so the caller falls through to its else branch
        data.status_code = -1

    return data


def process(url, protocol="https"):
    host = url + ".s3.amazonaws.com"
    b = http_get(protocol + "://" + host)

    if b.text.find("<Error><Code>") >= 0:
        # S3 answered with an XML error document; report its error code (e.g. AccessDenied, NoSuchBucket)
        code = b.text.split("<Error><Code>")[1].split("</Code>")[0]
        print(host + " [error: " + code + "]")
        if code == "AccessDenied":
            try:
                # falls back to aws cli to test access with --no-sign-request argument
                subprocess.check_output(['aws', 's3', 'ls', 's3://' + url, '--no-sign-request'], stderr=subprocess.DEVNULL)
                print(host + " [read (--no-sign-request)]")
            except (subprocess.CalledProcessError, FileNotFoundError):
                # non-zero exit (listing refused) or aws binary not installed
                return
        return
    elif b.text.find("ListBucketResult") >= 0:
        # anonymous GET on the bucket returned a listing
        print(host + " [read]")
    else:
        if protocol == "http":
            print(host + " [error: ConnectionError(" + str(b.status_code) + ")]")
        else:
            # try connecting to http instead
            process(url, "http")
        return

    # s3sec.txt must exist in the working directory; it is the file uploaded by the write check
    local_file = os.path.join(os.getcwd(), "s3sec.txt")
    try:
        # check that we can write to server
        subprocess.check_output(['aws', 's3', 'cp', local_file, 's3://' + url + '/s3sec.txt', '--no-sign-request'], stderr=subprocess.DEVNULL)
        print(host + " [write]")

        # check that we can remove file from server
        subprocess.check_output(['aws', 's3', 'rm', 's3://' + url + '/s3sec.txt', '--no-sign-request'], stderr=subprocess.DEVNULL)
        print(host + " [delete]")

    except (subprocess.CalledProcessError, FileNotFoundError):
        return


for line in sys.stdin:
    # accept bare bucket names, bucket hostnames, or full virtual-hosted / path-style URLs
    url = line.strip().replace("https://", "").replace("http://", "")
    url = url.replace(".s3.amazonaws.com", "").replace("s3.amazonaws.com/", "").rstrip("/")
    if url:
        process(url)
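As an added defender-side counterpart to the three checks the script runs (my own example, not part of s3sec), the function below audits a bucket policy and reports which of the read, write and delete access classes it grants to anonymous principals; the sample policy is constructed, and Resource ARNs are deliberately not evaluated.

```python
import fnmatch
import json

# The three access classes s3sec probes, mapped to the S3 actions that grant them.
ACCESS_CLASSES = {
    "read": ("s3:ListBucket", "s3:GetObject"),
    "write": ("s3:PutObject",),
    "delete": ("s3:DeleteObject",),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean any principal, including unauthenticated requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_access(policy_json):
    """Access classes a bucket policy grants to anonymous principals.
    Allow statements with a Condition are reported as "conditional", not "granted",
    because exposure then depends on the condition. Resource ARNs are not evaluated.
    """
    policy = json.loads(policy_json)
    result = {"granted": set(), "conditional": set()}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        target = result["conditional" if stmt.get("Condition") else "granted"]
        for name, actions in ACCESS_CLASSES.items():
            if any(fnmatch.fnmatchcase(a.lower(), p) for a in actions for p in patterns):
                target.add(name)
    return result

# Constructed sample policy (an assumption, not taken from the page): public read,
# IP-restricted write, delete explicitly denied.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
```

A bucket can also be exposed through its ACL rather than its policy, and S3 Block Public Access can neutralise a public policy; both are outside what this check sees, so treat its output as one input to a review, not a verdict.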

Project page:

GitHub: https://github.com/0xmoot/s3sec
