About s3sec
Test AWS S3 buckets for read/write/delete access
This tool was developed to quickly test a list of S3 buckets for public read, write and delete access when doing penetration testing for bug bounty programs.
Installation
Clone the git repo to your machine:
git clone https://github.com/0xmoot/s3sec
Usage
Check a single S3 instance:
echo "test-instance.s3.amazonaws.com" | python3 s3sec.py
Or:
echo "test-instance" | python3 s3sec.py
Check a list of S3 instances:
cat locations | python3 s3sec.py
Setting up the AWS CLI and credentials (optional)
To get the most out of this tool, you should install the AWS CLI and configure user credentials.
With the AWS CLI installed, a series of deeper tests is enabled (including unsigned reads, writing a file and deleting a file):
Installing the AWS CLI on Kali Linux
To install the AWS CLI, simply run the following command:
pip3 install awscli
Obtaining AWS credentials (Access Key ID and AWS Secret Access Key)
- Sign up for Amazon AWS on the official website: https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc
- Log in to your AWS account and click My Security Credentials.
- Click Access keys (access key ID and secret access key) to obtain the login credentials for the AWS CLI.
- Then click Show Access Key to get your Access Key ID and Secret Access Key, or download them instead.
Configuring the AWS CLI on Kali Linux
- Open a terminal, enter the following command, then enter the AWS Access Key ID and AWS Secret Access Key created in the previous steps.
aws configure
Use the following default settings:
AWS Access Key Id: <<Your Key>>
AWS Secret Access Key: <<Your Secret Access Key>>
Default region name: ap-south-1
Default output format: json

Tool source code:
s3sec.py
#
#
# s3sec developed by 0xmoot
#
# Test AWS S3 instances for read/write/delete access
# Usage: cat locations | python3 s3sec.py
#
# 0xmoot.com
# twitter.com/0xmoot
#
# Found a bug bounty using this tool? Feel free to add me as a collaborator: 0xmoot
#
#
import sys
import requests
import subprocess
import os
import urllib3

# The tool deliberately skips TLS verification (verify=False); silence the warning it triggers.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Banner and usage go to stderr so that stdout carries only results.
# Raw strings keep the backslashes in the ASCII art from being read as escape sequences.
print(r" _____ ", file=sys.stderr)
print(r" ___|___ / ___ ___ ___ ", file=sys.stderr)
print(r"/ __| |_ \/ __|/ _ \/ __|", file=sys.stderr)
print(r"\__ \___) \__ \ __/ (__ ", file=sys.stderr)
print(r"|___/____/|___/\___|\___|", file=sys.stderr)
print("", file=sys.stderr)
print(" 0xmoot.com", file=sys.stderr)
print(" twitter.com/0xmoot", file=sys.stderr)
print("", file=sys.stderr)
print("Found a bug bounty using this tool?", file=sys.stderr)
print("Feel free to add me as a collaborator: 0xmoot :)", file=sys.stderr)
print("", file=sys.stderr)
print("Disclaimer: Use with caution. You are responsible for your actions.", file=sys.stderr)
print("Developers assume no liability and are not responsible for any misuse or damage.", file=sys.stderr)
print("Usage: cat locations | python3 s3sec.py", file=sys.stderr)
print("", file=sys.stderr)


class http_obj:
    """Minimal response holder; status_code is -1 when the request itself failed."""
    status_code: int
    text: str
    _url: str


def http_get(url):
    data = http_obj()
    data._url = url
    data.text = ""
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
        'connection': 'close'
    }
    try:
        r = requests.get(url, headers=headers, verify=False, timeout=3)
        data.status_code = r.status_code
        data.text = r.text
    except Exception:
        data.status_code = -1
    return data


def process(url, protocol="https"):
    b = http_get(protocol + "://" + url + ".s3.amazonaws.com")
    if b.text.find("<Error><Code>") >= 0:
        code = b.text.split("<Error><Code>")[1].split("</Code>")[0]
        print(url + ".s3.amazonaws.com [error: " + code + "]")
        if code == "AccessDenied":
            try:
                # falls back to aws cli to test access with --no-sign-request argument
                subprocess.check_output(['aws', 's3', 'ls', 's3://' + url, '--no-sign-request'], stderr=subprocess.DEVNULL)
                print(url + ".s3.amazonaws.com [read (--no-sign-request)]")
            except Exception:
                return
        return
    elif b.text.find("ListBucketResult") >= 0:
        print(url + ".s3.amazonaws.com [read]")
    else:
        if protocol == "http":
            print(url + ".s3.amazonaws.com [error: ConnectionError(" + str(b.status_code) + ")]")
        else:
            # try connecting to http instead
            process(url, "http")
        return
    try:
        # check that we can write to server
        # (s3sec.txt is the marker file that must exist in the current working directory)
        subprocess.check_output(['aws', 's3', 'cp', os.getcwd() + "/s3sec.txt", 's3://' + url + '/s3sec.txt', '--no-sign-request'], stderr=subprocess.DEVNULL)
        print(url + ".s3.amazonaws.com [write]")
        # check that we can remove file from server
        subprocess.check_output(['aws', 's3', 'rm', 's3://' + url + '/s3sec.txt', '--no-sign-request'], stderr=subprocess.DEVNULL)
        print(url + ".s3.amazonaws.com [delete]")
    except Exception:
        return


for line in sys.stdin:
    # accept bare bucket names as well as full bucket hostnames or URLs
    url = line.strip().replace("https://", "").replace("http://", "").replace(".s3.amazonaws.com", "").replace("s3.amazonaws.com/", "")
    if url:
        process(url)
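The tool above decides between "read" and "error" by splitting the response body on "<Error><Code>". As an added example that is not part of s3sec, the same classification can be done with a real XML parser, which also handles the cases that the string split does not: a non-XML body (for instance an HTML page from a proxy), a NoSuchBucket or other error code, and a failed connection. A bucket owner can run this over the responses of their own bucket endpoints to see which ones are listable without credentials. All sample responses are constructed here; the function and sample names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace S3 puts on ListBucketResult documents (Error documents carry none).
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_s3_response(status_code, body):
    """Return ('read', key_count), ('error', code) or ('unreachable', None).

    status_code -1 mirrors s3sec's convention for a request that failed outright.
    """
    if status_code == -1:
        return ("unreachable", None)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Not XML at all: a proxy page, a WAF block page, an empty body, ...
        return ("error", "NonXmlResponse")
    tag = root.tag.replace(S3_NS, "")
    if tag == "Error":
        return ("error", root.findtext("Code") or "Unknown")
    if tag == "ListBucketResult":
        # A listing that came back unsigned means anyone can enumerate the bucket.
        keys = root.findall(S3_NS + "Contents") or root.findall("Contents")
        return ("read", len(keys))
    return ("error", "Unexpected:" + tag)


# Constructed sample responses (not captured from any real bucket).
SAMPLES = {
    "open": (200, '<?xml version="1.0" encoding="UTF-8"?>'
                  '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                  '<Name>example-bucket</Name><Contents><Key>a.txt</Key></Contents>'
                  '<Contents><Key>b.txt</Key></Contents></ListBucketResult>'),
    "denied": (403, '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'),
    "missing": (404, '<Error><Code>NoSuchBucket</Code></Error>'),
    "html": (503, '<html><body>Service Unavailable<br></body></html>'),
    "down": (-1, ''),
}


def triage(samples=SAMPLES):
    """Classify every sample; entries reporting 'read' are the ones to lock down first."""
    return {name: classify_s3_response(status, body) for name, (status, body) in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```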
Project page:
GitHub: https://github.com/0xmoot/s3sec
Please credit the source and include a link when reposting.