feat: update v0.4.0

Added
1. TenCentCloud Cos Scan
2. HuaweiCloud OBS Scan
Fixed
1. Some code logic issues
This commit is contained in:
UzJu 2022-07-16 15:38:39 +08:00
parent 1445d0b445
commit 5981418853
29 changed files with 1055 additions and 333 deletions

View File

@ -1,196 +1,86 @@
# :rooster:0x00 Preface
![image-20220703203021188](images/image-20220703203021188.png)
![image-20220529132925098](images/image-20220529132925098.png)
> March 7, 2022
>
> I think the documentation is not very clear, wait for the time to update the full documentation of the use of tutorials
> March 8, 2022
>
> May 29, 2022
>
> 1. updated the aws storage bucket detection feature
>
> 2. feel that the update is a bit slow, this is a busy time, in fact, the new local version is written, has not been push
**Using tutorial**: [Using tutorial](使用教程.md)
**Language**
English README: [English](README.en.md)
I want to write a storage bucket utilization, first draw a pie for myself
+ Aliyun Cloud (Aliyun Cloud Oss)
+ Tencent Cloud COS
+ Huawei Cloud (HuaWei Cloud OBS)
+ AWS (Amazon S3 Bucket)
+ Azure (Azure Blob)
+ GCP (Google Cloud Bucket)
I don't even think about the name of the tool, I believe the big guys will know when they see the project name... King of machine flip
If you think it works fine, you can raise an issue to give the tool a name? :sos:
:waning_crescent_moon:**painting pie progress**
1, Ali cloud storage bucket use
Not too good with Git, code writing also sucks, there are bugs directly mention Issue can (as if I may not even use issue to understand)
> Good thing the second master recommended to me GitHub Desktop second master YYDS
2, AWS storage bucket use
# :pill:0x01 dependency
+ pip3 install oss2
+ pip3 install colorlog
+ pip3 install argparse
+ pip3 install boto3
# :gun:0x02 Usage
# :rooster:Tutorial
```bash
git clone https://github.com/UzJu/Cloud-Bucket-Leak-Detection-Tools.git
cd Cloud-Bucket-Leak-Detection-Tools/
pip3 install -r requirements.txt
python3 main.py -h
```
Then write your own Aliyun AK in config/conf.py, the role is as follows
![image-20220716140707903](images/image-20220716140707903.png)
1, if you can hijack, will use the AK to create a storage bucket of the same name
You need to configure your corresponding cloud vendor AK in the `config/conf.py` file before using it.
2, used to verify the legitimate user
![image-20220716140934866](images/image-20220716140934866.png)
![image-20220304184757595](images/UzJuMarkDownImageimage-20220304184757595.png)
## 1、Ariyun storage bucket
## 1. When storage bucket Policy permission is available
![images/20220304185015693](images/UzJuMarkDownImageimage-20220304185015693.png)
## 2. When the storage bucket does not exist (automatically created and hijacked)
![image](images/156925718-9a3dc236-0ef6-4afa-8d26-a2946fe876b2.png)
## 3、Batch detection of storage buckets
New detection function of batch storage bucket, recommend fofa to export all assets with one click
**fofa**
### 1.1, single storage bucket detection
```bash
python3 main.py -aliyun [BucketURL]
```
![image-20220716141132931](images/image-20220716141132931.png)
### 1.2. Automatic bucket hijacking
Automatically hijack a bucket when it is detected as not existing
![image-20220703202339058](images/image-20220703202339058.png)
### 1.3. Bulk bucket address detection
```bash
# fofa syntax
domain="aliyuncs.com"
server="AliyunOSS" domain="aliyuncs.com" #This syntax is not recommended
server="AliyunOSS" domain="aliyuncs.com"
```
```bash
python3 main.py -f aws/aliyun filepath
# For example
python3 main.py -f aws . /url.tx\\\\\\\``````````````````````````````````````````````````````````````````````````
# Use -faliyun
python3 main.py -faliyun url.txt
```
Then just wait, the scan results will be in the results directory with the date of the day as the filename
![image-20220716141356518](images/image-20220716141356518.png)
![image](images/156925744-3c012b86-6449-4cf1-a790-b2c1282f76bd.png)
![image](images/156925758-36a8fcba-8bc8-4d1a-8863-d8110dbe0b71.png)
Only buckets that have permission to operate will be saved
![image](images/156925766-15d415d3-d573-4b54-ab0f-5c79bc1966ad.png)
Input the storage bucket address to detect automatically, the function is as follows
+ 1. detect whether the current bucket can be hijacked
+ If it can be hijacked, automatically create a bucket with the same name on the AK account written in the config and open all permissions
+ 2. detect whether the current bucket can list Object
+ 3. Check if the current bucket can get ACL
+ 4、Check if the current bucket can get Policy policy table
+ 5、Detect whether the bucket can upload Objects
+ 6、Batch detection function
## 4、Domain name detection function
Many storage buckets have resolved the domain name, the new judgment of the domain name CNAME, and then take the CNAME to detect
** can now directly import a large number of domain name assets for detection, will automatically determine the CNAME of the domain name **
![image-20220307231827585](images/UzJuMarkDownImageimage-20220307231827585.png)
# 0x03 Ali cloud storage bucket utilization
### 1、Implementation ideas
First implement the `OssBucketCheckFromSDK` class
+ AliyunOssBucketDoesBucketExist
+ AliyunOssBucketDoesBucketExist is used to determine whether the current bucket exists, first if the bucket exists then return a True, continue with the following process, if the bucket does not exist, then call the OssBucketExploitFromSDK class, create the bucket, and set ACL permissions, upload access policy, then upload a file for verification, if the bucket exists at this time or AccessDenied, continue with the following process
+ AliyunOssGetBucketObjectList
+ determine if the contents of the bucket can be traversed, and if so, the first 3 contents will be selected for traversal and displayed
> If you want to iterate through more content, you can check the AliyunOssGetBucketObjectList method in aliyunOss.py
+ AliyunOssGetBucketAcl
+ determine if the current Bucket's ACL can be accessed, if so, return the current Bucket's ACL, if not, continue with the following Check process
+ AliyunOssGetBucketPolicy
+ Determine if the policy of the current Bucket can be accessed, if so, the ACL of the current Bucket will be returned, if not, continue with the following Check process
+ AliyunOssGetBucketObject
+ Try to upload a file, whether it can be successfully uploaded
# 0x04 Aws storage bucket utilization
## 2. Tencent cloud storage bucket
```bash
python3 main.py -aws xxxx
python3 main.py -tcloud [storage bucket address]
```
![image-20220529094124272](images/image-20220529094124272.png)
![image-20220716141554856](images/image-20220716141554856.png)
# 0x05 Explanation of the results file after use
## 3. Huawei cloud storage bucket
You can see the problematic bucket in the results directory
```bash
python3 main.py -hcloud [storage bucket address]
```
![image-20220529134339645](images/image-20220529134339645.png)
![image-20220716141948046](images/image-20220716141948046.png)
1, ListObject means the contents of the bucket can be listed
## 4. AWS storage bucket
2、PutObject means that the bucket can upload any file
```bash
python3 main.py -aws [storage bucket address]
```
3、NoSuchBucket means the bucket can be taken over
![image-20220716142431142](images/image-20220716142431142.png)images/image-20220716142431142.png)
4、GetBucketACL means you can get the ACL of the bucket
## 5. Scan results saving
5、GetBucketPolicy means you can get the policy configuration of the bucket
The scan results will be stored in the `results` directory
# :older_man:0x040001 Update Log
![image-20220716142617997](images/image-20220716142617997.png)
**March 6, 2022**
![image-20220716142641883](images/image-20220716142641883.png)
+ Add batch scan function
+ Fix the Fake_UserAgent error reporting problem
# :cop:0xFFFFFFFF Disclaimer
> actually just delete this library, don't use it ^ ^
**March 7, 2022**
+ Added domain detection
**May 29, 2022**
- Added AWS storage bucket scan
# :cop:0xffffffff Disclaimer
Disclaimers
1、This tool is for academic exchange only, it is forbidden to use the tool to do illegal things
1、This tool is only for academic exchange, it is forbidden to use the tool to do illegal things
2, just writing for fun
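Review bot: the install steps in the Tutorial block (`git clone`, `cd`, `pip3 install -r requirements.txt`) leave out `pip3 install huaweicloud-sdk-python`, which the README.md hunk in this same commit lists before `requirements.txt`. The new `-hcloud` usage documented here depends on it, so the English instructions should carry the same line. The bulk-detection block also contains a corrupted command beginning `python3 main.py -f aws . /url.tx` followed by a run of backslashes and backticks. If that line is still present in the resulting file, drop it, since the documented form is `python3 main.py -faliyun url.txt`.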
@ -198,8 +88,13 @@ Disclaimers
> If you have a better suggestion or make a friend
![image](images/157070417-dbb7886f-1bb8-412f-a30b-0f85bc8ffa10.png)
<img src="images/157070417-dbb7886f-1bb8-412f-a30b-0f85bc8ffa10.png" alt="image" style="zoom:33%;" />
4、Blog: UzzJu.com
5、Public
![image-20220716143619529](images/image-20220716143619529.png)
# Curve chart
[![Stargazers over time](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools.svg)](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools)
[![Stargazers over time](images/Cloud-Bucket-Leak-Detection-Tools.svg)](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools)

170
README.md
View File

@ -1,162 +1,86 @@
# :rooster:0x00 前言
![image-20220703203021188](images/image-20220703203021188.png)
**使用教程**: [使用教程](使用教程.md)
**语言/Language**
English README: [English](README.en.md)
# :pill:0x01 依赖
```bash
pip3 install -r requirements.txt
```
# :gun:0x02 使用方法
# :rooster:使用教程
```bash
git clone https://github.com/UzJu/Cloud-Bucket-Leak-Detection-Tools.git
cd Cloud-Bucket-Leak-Detection-Tools/
# 安装依赖 建议使用Python3.8以上的版本 我的版本: Python 3.9.13 (main, May 24 2022, 21:28:31)
pip3 install huaweicloud-sdk-python
pip3 install -r requirements.txt
python3 main.py -h
```
随后在config/conf.py中写入自己的AK作用如下
![image-20220716140707903](images/image-20220716140707903.png)
1、如果可以劫持会用该AK创建同名的存储桶
使用之前需要在`config/conf.py`文件配置自己对应的云厂商AK
2、用来验证合法用户
![image-20220716140934866](images/image-20220716140934866.png)
![image-20220703201835328](images/image-20220703201835328.png)
## 1、阿里云存储桶
## 1、当存储桶Policy权限可获取时
### 1.1、单个存储桶检测
![image-20220703202049560](images/image-20220703202049560.png)
```bash
python3 main.py -aliyun [存储桶URL]
```
## 2、当存储桶不存在时(自动创建并劫持)
![image-20220716141132931](images/image-20220716141132931.png)
### 1.2、自动存储桶劫持
当如果检测存储桶不存在时会自动劫持该存储桶
![image-20220703202339058](images/image-20220703202339058.png)
## 3、批量检测存储桶
新增批量存储桶的检测功能推荐fofa一键导出所有资产
**fofa**
### 1.3、批量存储桶地址检测
```bash
# fofa语法
domain="aliyuncs.com"
server="AliyunOSS"domain="aliyuncs.com" #不推荐该语法
server="AliyunOSS"domain="aliyuncs.com"
```
```bash
python3 main.py -faliyun url.txt
# 使用-faliyun
python3 main.py -faliyun url.txt
```
随后等待即可扫描结果会在results目录下文件名为当天的日期
![image-20220716141356518](images/image-20220716141356518.png)
![image-20220703202518187](images/image-20220703202518187.png)
随后会将结果保存至csv
![image-20220703202635171](images/image-20220703202635171.png)
输入存储桶地址即可自动检测,功能如下
+ 1、检测当前存储桶是否可劫持
+ 如果可劫持自动在config中写入的AK账号上创建同命名的存储桶并开放所有权限
+ 2、检测当前存储桶是否可列出Object
+ 3、检测当前存储桶是否可获取ACL
+ 4、检测当前存储桶是否可获取Policy策略表
+ 5、检测存储桶是否可上传Object
+ 6、批量检测功能
## 4、域名检测功能(v0.3.0暂未支持)
很多存储桶都解析了域名新增判断域名的CNAME然后取CNAME来进行检测
**现在可以直接导入大量域名资产来进行检测会自动判断域名的CNAME**
![image-20220307231827585](images/UzJuMarkDownImageimage-20220307231827585.png)
# 0x03 阿里云存储桶利用
### 1、实现思路
首先实现了`OssBucketCheckFromSDK`
+ AliyunOssBucketDoesBucketExist
+ 用来判断当前存储桶是否存在首先如果存储桶存在那么就返回一个True继续走下面的流程如果存储桶不存在那么就调用OssBucketExploitFromSDK类创建存储桶并且设置ACL权限上传访问策略随后上传一个文件进行验证如果存储桶此时存在或者为AccessDenied继续走下面的流程
+ AliyunOssGetBucketObjectList
+ 判断是否可以遍历存储桶中的内容如果可以则会选择前3个内容进行遍历并显示
> 如果想遍历更多的内容可以查看aliyunOss.py中的AliyunOssGetBucketObjectList方法
+ AliyunOssGetBucketAcl
+ 判断能否访问当前Bucket的ACL如果可以的话就返回当前Bucket的ACL如果不可以就继续走下面的Check流程
+ AliyunOssGetBucketPolicy
+ 判断能否访问当前Bucket的Policy如果可以的话就会返回当前Bucket的ACL如果不可以就继续走下面的Check
+ AliyunOssGetBucketObject
+ 尝试上传一个文件,是否可以成功上传
# 0x04 Aws存储桶利用
## 2、腾讯云存储桶
```bash
python3 main.py -aws xxxx
python3 main.py -tcloud [存储桶地址]
```
![image-20220529094124272](images/image-20220529094124272.png)
![image-20220716141554856](images/image-20220716141554856.png)
# 0x05 利用后results文件解释
## 3、华为云存储桶
在results目录下可以看到存在问题的存储桶
```bash
python3 main.py -hcloud [存储桶地址]
```
![image-20220529134339645](images/image-20220529134339645.png)
![image-20220716141948046](images/image-20220716141948046.png)
1、ListObject 代表该存储桶的内容可以列出来
## 4、AWS存储桶
2、PutObject 代表该存储桶可以上传任意的文件
```bash
python3 main.py -aws [存储桶地址]
```
3、NoSuchBucket 代表该存储桶可以接管
![image-20220716142431142](images/image-20220716142431142.png)
4、GetBucketACL 代表可以获取该存储桶的ACL
## 5、扫描结果保存
5、GetBucketPolicy 代表可以获取该存储桶的策略配置
扫描结果会存放在`results`目录下
# :older_man:0x040001 更新日志
![image-20220716142617997](images/image-20220716142617997.png)
**2022年3月6日**
![image-20220716142641883](images/image-20220716142641883.png)
+ 新增批量扫描功能
+ 修复Fake_UserAgent报错的问题
> 其实是直接把这个库删了,不用了^ ^
**2022年3月7日**
+ 新增域名检测
**2022年5月29日**
- 新增AWS存储桶扫描
**2022年7月3日**
- 重构项目
- aliyunoss模块
- aws模块
- main模块
- 扫描模块
# :cop:0xffffffff 免责声明
免责声明
# :cop:0xFFFFFFFF 免责声明
1、本工具只作为学术交流禁止使用工具做违法的事情
@ -166,9 +90,13 @@ python3 main.py -aws xxxx
> 如果你有更好的建议或者交个朋友
![image](images/157070417-dbb7886f-1bb8-412f-a30b-0f85bc8ffa10.png)
<img src="images/157070417-dbb7886f-1bb8-412f-a30b-0f85bc8ffa10.png" alt="image" style="zoom:33%;" />
4、博客: UzzJu.com
5、公众号
![image-20220716143619529](images/image-20220716143619529.png)
# 曲线图
[![Stargazers over time](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools.svg)](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools)
[![Stargazers over time](images/Cloud-Bucket-Leak-Detection-Tools.svg)](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools)

View File

@ -1,17 +0,0 @@
# 阿里云
## **已完成**
1、GetObjectList ✅
2、GetBucketPolicy ✅
3、PutBucketPolicy ✅
4、GetBucketAcl ✅
5、PutBucketAcl ✅
6、PutBucketObject✅
7、批量检测✅
8、批量获取域名的CNAME来进行检测✅
## **待完成[画饼,反正画了也不一定写]**
1、存储桶名称爆破/Object爆破
> 不过感觉还是有点问题,感觉可以试试

View File

@ -18,8 +18,15 @@ aliyun_key = ""
AWS_ACCESS_KEY = ""
AWS_SECRET_KEY = ""
# tencent
tencent_cam_id = ""
tencent_cam_key = ""
version = "v.0.3.0"
# huawei
huawei_access_key_id = ""
huawei_access_key_key = ""
version = "v.0.4.0"
author = "UzJu"
email = "UzJuer@163.com"
github = "GitHub.com/UzJu"
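Review bot: the new `tencent_cam_id` / `tencent_cam_key` and `huawei_access_key_id` / `huawei_access_key_key` fields extend the pattern of keeping cloud access keys as string literals in a tracked Python file, so a filled-in `config/conf.py` can be committed or shared with working credentials in it. Consider reading these values from environment variables or from an untracked local file, and keeping only empty placeholders in the repository. Two smaller points: `huawei_access_key_key` is passed as `secret_access_key` in `core/huaweiyun/obs.py`, so a name such as `huawei_secret_access_key` would be clearer, and `version = "v.0.4.0"` does not match the `v0.4.0` in the commit title.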

7
core/__init__.py Normal file
View File

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:25
# @File : __init__.py.py

7
core/aliyun/__init__.py Normal file
View File

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:24
# @File : __init__.py.py

View File

@ -4,7 +4,7 @@
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/2 14:22
# @File : aliyunOss.py
# @File : oss.py
import json
import os
from itertools import islice

7
core/aws/__init__.py Normal file
View File

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:25
# @File : __init__.py.py

View File

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:25
# @File : __init__.py.py

55
core/huaweiyun/obs.py Normal file
View File

@ -0,0 +1,55 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:22
# @File : obs.py
from obs import ObsClient
from config import conf
from config.logs import logger
class HuaWeiCloud_OBS_Check:
def __init__(self, target, location):
self.target = target
self.client = ObsClient(
access_key_id=conf.huawei_access_key_id,
secret_access_key=conf.huawei_access_key_key,
server=f'https://obs.{location}.myhuaweicloud.com'
)
def ListObject(self):
try:
resp = self.client.listObjects(self.target, max_keys=3)
for content in resp.body.contents:
logger.log("INFOR",
f"ObjectKey: {content.key}, owner_id: {content.owner.owner_id}, owner_name: {content.owner.owner_name}")
return True
except Exception as e:
logger.log("ALERT", f"BucketName: {self.target}> ListObject权限不足")
logger.log("ERROR", f"BucketName: {self.target}> ListObject > {repr(e)}")
def PutObject(self):
try:
resp = self.client.putFile(self.target, objectKey="UzJu.html", file_path="./config/UzJu.html")
if resp['status'] == 403:
logger.log("ALERT", f"BucketName: {self.target}> PutObject权限不足")
else:
logger.log("INFOR", f"BucketName: {self.target}> PutObject成功, 访问UzJu.html查看")
return True
except Exception as e:
logger.log("ERROR", repr(e))
def GetBucketACL(self):
try:
resp = self.client.getBucketAcl(self.target)
if resp['status'] == 200:
logger.log("INFOR", f"BucketName: {self.target}> GetBucketACL成功, {resp}")
return True
elif resp['status'] == 403:
logger.log("ALERT", f"BucketName: {self.target}> GetBucketACL权限不足")
except Exception as e:
logger.log("ERROR", repr(e))
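Review bot: in `PutObject`, the test `if resp['status'] == 403:` treats every other status as a successful upload, so a 404 for a missing bucket or a 5xx from the service is logged as `PutObject成功` and returns `True`, which ends up as a false positive in the results table. Check for a 2xx status explicitly and handle the remaining codes as failures, the way `GetBucketACL` already tests `resp['status'] == 200`. `ListObject` has the opposite problem: it never looks at `resp['status']` and relies on `resp.body.contents` raising inside a bare `except Exception`, so a wrong region or a network error is reported as `ListObject权限不足`. Neither failure path returns `False` explicitly, and the `UzJu.html` object written by a successful probe is never removed from the bucket.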

View File

@ -7,25 +7,28 @@
# @File : main.py
from config.logs import logger
from plugins.results import aliyun_save_file
from core import aliyunOss
from core import aws
from plugins.results import *
import urllib.parse
import prettytable as pt
import multiprocessing
from core.aliyun import oss
from core.aws import aws
from core.tencent import cos
from core.huaweiyun import obs
def aliyun_file_scan(filename):
def Aliyun_file_scan(filename):
target_file = open(filename, mode='r', encoding='utf-8')
p = multiprocessing.Pool(processes=3)
for i in target_file.read().splitlines():
p.apply_async(aliyun, args=(i,))
p.apply_async(Aliyun_OSS, args=(i,))
p.close()
p.join()
p.terminate()
def aliyun(target):
def Aliyun_OSS(target):
"""
:desc: aliyun Bucket Scan function
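Review bot: `from plugins.results import *` in the import block hides which names this module depends on; `tencent_save_file`, `huawei_save_file` and `aws_save_file` are all called further down and would be easier to audit as explicit imports next to `aliyun_save_file`. In `Aliyun_file_scan`, the handle from `open(filename, ...)` is never closed, and the return value of `p.apply_async(Aliyun_OSS, args=(i,))` is discarded, so an exception in a worker is dropped silently and the target simply goes missing from the results. Use `with open(...)` and keep the async results so failures can be logged.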
@ -36,14 +39,23 @@ def aliyun(target):
aliyun_print_table_header = pt.PrettyTable(
['Bucket', 'BucketHijack', 'GetBucketObjectList', 'PutBucketObject', 'GetBucketAcl', 'PutBucketAcl',
'GetBucketPolicy'])
aliyun_scan_results = {}
aliyun_scan_results = {
"BucketName": target,
"BucketDoesBucketExist": False,
"BucketHijack": False,
"GetBucketObjectList": False,
"PutBucketObject": False,
"GetBucketAcl": False,
"PutBucketAcl": False,
"GetBucketPolicy": False,
}
get_domain = urllib.parse.urlparse(target).netloc
if get_domain == "":
get_target_list = target.split('.')
aliyunOss_Check_init = aliyunOss.Aliyun_Oss_Bucket_Check(target=get_target_list[0],
location=get_target_list[1])
aliyunOss_Exploit_init = aliyunOss.Aliyun_Oss_Bucket_Exploit(target=get_target_list[0],
location=get_target_list[1])
aliyunOss_Check_init = oss.Aliyun_Oss_Bucket_Check(target=get_target_list[0],
location=get_target_list[1])
aliyunOss_Exploit_init = oss.Aliyun_Oss_Bucket_Exploit(target=get_target_list[0],
location=get_target_list[1])
if aliyunOss_Check_init.Aliyun_Oss_BucketDoesBucketExist():
logger.log("INFOR", f"{target}> 当前存储桶不存在, 尝试劫持存储桶")
if aliyunOss_Exploit_init.Aliyun_Oss_CreateBucket_Exp():
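Review bot: `BucketDoesBucketExist` and `BucketHijack` are initialised to `False` in the new dict, but no line shown after `Aliyun_Oss_CreateBucket_Exp()` assigns `aliyun_scan_results['BucketHijack'] = True`, and the only writes to `BucketDoesBucketExist` in the next hunk are the old string-valued `.update({...})` calls. If those calls are the removed side of the change, a bucket that was found missing and then created still shows `False` in both columns of the table and the saved file. Set both keys in the branch where the check and the create call succeed. The condition `if aliyunOss_Check_init.Aliyun_Oss_BucketDoesBucketExist():` also reads backwards next to its log message `当前存储桶不存在`; a name that says the method returns `True` when the bucket is absent would prevent misuse.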
@ -53,45 +65,38 @@ def aliyun(target):
aliyunOss_Exploit_init.Aliyun_Oss_PutBucketPolicy_Exp()
aliyunOss_Exploit_init.Aliyun_Oss_GetBucketPolicy_Exp()
aliyunOss_Exploit_init.Aliyun_Oss_PutBucketAcl_Exp()
aliyun_scan_results.update({"BucketDoesBucketExist": "true"})
else:
aliyun_scan_results.update({"BucketDoesBucketExist": "false"})
if aliyunOss_Check_init.Aliyun_Oss_GetBucketObject_List():
logger.log("INFOR", f"{target}> 存储桶对象可遍历")
aliyun_scan_results.update({"GetBucketObject": "true"})
aliyun_scan_results['GetBucketObject'] = True
else:
logger.log("ALERT", f"{target}> 存储桶对象不可遍历")
aliyun_scan_results.update({"GetBucketObject": "false"})
if aliyunOss_Check_init.Aliyun_Oss_PutBucketObject():
logger.log("INFOR", f"{target}> 可未授权上传对象至存储桶(可导致覆盖已有对象)")
aliyun_scan_results.update({"PutBucketObject": "true"})
aliyun_scan_results['PutBucketObject'] = True
else:
logger.log("ALERT", f"{target}> 不可未授权上传对象至存储桶")
aliyun_scan_results.update({"PutBucketObject": "false"})
if aliyunOss_Check_init.Aliyun_Oss_GetBucketAcl():
logger.log("INFOR", f"{target}> 可公开访问存储桶ACL策略")
aliyun_scan_results.update({"GetBucketAcl": "true"})
aliyun_scan_results['GetBucketAcl'] = True
else:
logger.log("ALERT", f"{target}> 不可公开访问存储桶ACL策略")
aliyun_scan_results.update({"GetBucketAcl": "false"})
if aliyunOss_Check_init.Aliyun_Oss_PutBucketAcl():
logger.log("INFOR", f"{target}> 可上传覆盖存储桶ACL策略")
aliyun_scan_results.update({"PutBucketAcl": "true"})
aliyun_scan_results['PutBucketAcl'] = True
else:
logger.log("ALERT", f"{target}> 不可上传覆盖存储桶ACL策略")
aliyun_scan_results.update({"PutBucketAcl": "false"})
results_policy = aliyunOss_Check_init.Aliyun_Oss_GetBucketPolicy()
if results_policy:
logger.log("INFOR", f"{target}> 可公开获取存储桶Policy策略组")
logger.log("INFOR", f"{target}Policy> {results_policy}")
aliyun_scan_results.update({"GetBucketPolicy": "true"})
aliyun_scan_results['GetBucketPolicy'] = True
else:
logger.log("ALERT", f"{target}> 不可公开获取存储桶Policy策略")
aliyun_scan_results.update({"GetBucketPolicy": "false"})
aliyun_print_table_header.add_row([target,
aliyun_scan_results['BucketDoesBucketExist'],
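Review bot: the positive branch writes `aliyun_scan_results['GetBucketObject'] = True`, but the dict introduced in the previous hunk declares the key as `"GetBucketObjectList"`. Whichever key the `add_row` and save calls read, one case is wrong: reading `GetBucketObjectList` always yields `False`, and reading `GetBucketObject` raises `KeyError` when listing is denied, because the `else` branch no longer sets it. Use the same key name in the initial dict, the assignment and the row output.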
@ -107,9 +112,83 @@ def aliyun(target):
aliyun_scan_results['GetBucketAcl'],
aliyun_scan_results['PutBucketAcl'],
aliyun_scan_results['GetBucketPolicy'])
print(aliyun_print_table_header, "\n")
print(aliyun_print_table_header)
else:
aliyun(get_domain)
Aliyun_OSS(get_domain)
def Tencent_Cloud_Cos(target):
tencent_cloud_print_table_header = pt.PrettyTable(
['Bucket', 'ListObject', 'PutObject', 'GetBucketACL'])
tencent_cloud_results = {
"BucketName": target,
"ListObject": False,
"PutObject": False,
"GetBucketACL": False
}
get_domain = urllib.parse.urlparse(target).netloc
if get_domain == "":
if "cos" not in target:
logger.log("ALERT", f"当前{target}非COS存储桶地址")
return
logger.log("INFOR", f"开始扫描> {target}")
get_target_list = target.split(".")
tencent_check_init = cos.TenCent_Cloud_OBS_Check(target=get_target_list[0],
location=get_target_list[2])
if tencent_check_init.ListObject():
tencent_cloud_results['ListObject'] = True
if tencent_check_init.PutObject():
tencent_cloud_results['PutObject'] = True
if tencent_check_init.GetBucketACL():
tencent_cloud_results['GetBucketACL'] = True
else:
Tencent_Cloud_Cos(target)
tencent_cloud_print_table_header.add_row([target,
tencent_cloud_results['ListObject'],
tencent_cloud_results['PutObject'],
tencent_cloud_results['GetBucketACL']])
tencent_save_file(target,
tencent_cloud_results['ListObject'],
tencent_cloud_results['PutObject'],
tencent_cloud_results['GetBucketACL'])
print(tencent_cloud_print_table_header)
def Huawei_Cloud_OBS(target):
huawei_cloud_print_table_header = pt.PrettyTable(
['Bucket', 'ListObject', 'PutObject', 'GetBucketACL'])
huawei_cloud_results = {
"BucketName": target,
"ListObject": False,
"PutObject": False,
"GetBucketACL": False
}
get_domain = urllib.parse.urlparse(target).netloc
if get_domain == "":
if "obs" not in target:
logger.log("ALERT", f"当前{target}非OBS存储桶地址")
return
logger.log("INFOR", f"开始扫描> {target}")
get_target_list = target.split(".")
huaweiyun_check_init = obs.HuaWeiCloud_OBS_Check(target=get_target_list[0],
location=get_target_list[2])
if huaweiyun_check_init.ListObject():
huawei_cloud_results['ListObject'] = True
if huaweiyun_check_init.PutObject():
huawei_cloud_results['PutObject'] = True
if huaweiyun_check_init.GetBucketACL():
huawei_cloud_results['GetBucketACL'] = True
else:
Huawei_Cloud_OBS(target)
huawei_cloud_print_table_header.add_row([target,
huawei_cloud_results['ListObject'],
huawei_cloud_results['PutObject'],
huawei_cloud_results['GetBucketACL']])
huawei_save_file(target,
huawei_cloud_results['ListObject'],
huawei_cloud_results['PutObject'],
huawei_cloud_results['GetBucketACL'])
print(huawei_cloud_print_table_header)
def AmazoneS3(target):
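Review bot: in `Tencent_Cloud_Cos` and `Huawei_Cloud_OBS`, the `else:` branch calls the function again with the unchanged `target` (`Tencent_Cloud_Cos(target)`, `Huawei_Cloud_OBS(target)`), so any input that `urlparse` resolves to a non-empty `netloc`, such as a full `https://` URL, recurses until `RecursionError`. `Aliyun_OSS(get_domain)` and `AmazoneS3(get_domain)` pass the parsed host instead, and these two should do the same. After that fix, the outer call still falls through to `add_row` and `tencent_save_file` / `huawei_save_file` with its own all-`False` dict, which writes a second, misleading row for the URL form of the target; return right after the recursive call. The host checks `"cos" not in target` and `"obs" not in target` match those letters anywhere in the name, and `get_target_list[2]` raises `IndexError` for hosts with fewer than three labels, so validate the split result before indexing.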
@ -119,6 +198,14 @@ def AmazoneS3(target):
:param target: bucket url
:return:
"""
aws_print_table_header = pt.PrettyTable(
['Bucket', 'ListObject', 'PutObject', 'GetBucketACL'])
aws_results = {
"BucketName": target,
"ListObject": False,
"PutObject": False,
"GetBucketACL": False
}
get_domain = urllib.parse.urlparse(target).netloc
if get_domain == "":
logger.log("INFOR", f"开始扫描> {target}")
@ -127,17 +214,29 @@ def AmazoneS3(target):
location=get_target_list[1])
if aws_check_init.Check_Bucket_ListObject():
logger.log("INFOR", f"{target}> 存储桶对象可遍历")
aws_results['ListObject'] = True
else:
logger.log("ALERT", f"{target}> 存储桶对象不可遍历")
if aws_check_init.Check_Bucket_PutObject():
logger.log("INFOR", f"{target}> 可未授权上传对象至存储桶(可覆盖存储桶已有对象)")
aws_results['PutObject'] = True
else:
logger.log("ALERT", f"{target}> 不可未授权上传对象至存储桶(可覆盖存储桶已有对象)")
if aws_check_init.Check_Bucket_GetBucketAcl():
logger.log("INFOR", f"{target}> 存储桶ACL策略可公开获取")
aws_results['GetBucketACL'] = True
else:
logger.log("ALERT", f"{target}> 存储桶ACL策略不可公开")
else:
AmazoneS3(get_domain)
aws_print_table_header.add_row([target,
aws_results['ListObject'],
aws_results['PutObject'],
aws_results['GetBucketACL']])
aws_save_file(target,
aws_results['ListObject'],
aws_results['PutObject'],
aws_results['GetBucketACL'])
print(aws_print_table_header)
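Review bot: the `add_row`, `aws_save_file` and `print` calls added after `else: AmazoneS3(get_domain)` also run in the outer call, whose `aws_results` dict is still all `False`. For a target given as a URL, the inner call records the real findings under the host name and the outer call then saves and prints a second row under the full URL with every check negative. Return immediately after the recursive call, or normalise `target` to the host once at the top of the function so there is a single result per bucket.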

7
core/tencent/__init__.py Normal file
View File

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 14:24
# @File : __init__.py.py

61
core/tencent/cos.py Normal file
View File

@ -0,0 +1,61 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/7/15 11:58
# @File : cos.py
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
from config import conf
from config.logs import logger
class TenCent_Cloud_OBS_Check:
def __init__(self, target, location):
self.target = target
config = CosConfig(Region=location, SecretId=conf.tencent_cam_id, SecretKey=conf.tencent_cam_key)
self.client = CosS3Client(config)
def ListObject(self):
try:
resp = self.client.list_objects(Bucket=self.target)
if 'Contents' in resp:
for content in resp['Contents']:
logger.log("INFOR", f"ListObject> {content['Key']}")
return True
except Exception as e:
if "Access Denied." in repr(e):
logger.log("ALERT", f"{self.target}> ListObject权限不足")
else:
logger.log("ERROR", repr(e))
return False
def PutObject(self):
try:
self.client.upload_file(Bucket=self.target,
Key="index.html",
LocalFilePath="./config/UzJu.html",
ACL="public-read",
ContentType="text/html")
logger.log("INFOR", f"{self.target}> PutObject成功 访问index.html查看结果")
return True
except Exception as e:
if "Access Denied." in repr(e):
logger.log("ALERT", f"{self.target}> PutObject权限不足")
else:
logger.log("ERROR", repr(e))
return False
def GetBucketACL(self):
try:
resp = self.client.get_bucket_acl(Bucket=self.target)
logger.log("INFOR", f"{self.target}> GetBucketACL成功, 策略: {resp}")
return True
except Exception as e:
if "Access Denied." in repr(e):
logger.log("ALERT", f"{self.target}> GetBucketACL权限不足")
else:
logger.log("ERROR", repr(e))
return False
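Review bot: `PutObject` uploads with `Key="index.html"` and `ACL="public-read"`, so on a writable bucket the probe replaces any existing `index.html` with a publicly readable file and leaves it there. A write check should use a key that cannot collide with real content (the Huawei module at least uses `UzJu.html`), avoid setting a public ACL, and delete the object once the result is known. The error handling in all three methods depends on the substring `"Access Denied."` in `repr(e)`, which breaks as soon as the message text changes; catch the SDK's service exception and branch on its status or error code instead. The class name `TenCent_Cloud_OBS_Check` also says OBS for what is a COS client.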

View File

@ -0,0 +1,572 @@
L 131 214
L 131 213
L 131 213
L 131 212
L 132 211
L 134 211
L 134 210
L 134 210
L 134 209
L 134 208
L 135 208
L 135 207
L 135 206
L 135 206
L 135 205
L 136 205
L 136 204
L 136 203
L 136 203
L 136 202
L 137 202
L 137 201
L 137 200
L 137 200
L 137 199
L 138 198
L 138 198
L 139 197
L 141 197
L 141 196
L 142 195
L 143 195
L 143 194
L 143 193
L 144 193
L 145 192
L 148 192
L 149 191
L 150 190
L 150 190
L 151 189
L 151 189
L 157 188
L 158 187
L 162 187
L 167 186
L 167 185
L 167 185
L 167 184
L 167 184
L 167 183
L 167 182
L 167 182
L 167 181
L 167 181
L 167 180
L 167 179
L 167 179
L 167 178
L 168 177
L 168 177
L 168 176
L 169 176
L 170 175
L 170 174
L 171 174
L 173 173
L 173 172
L 174 172
L 174 171
L 175 171
L 178 170
L 180 169
L 180 169
L 181 168
L 182 168
L 187 167
L 187 166
L 187 166
L 197 165
L 197 164
L 200 164
L 200 163
L 200 163
L 201 162
L 207 161
L 212 161
L 219 160
L 219 159
L 219 159
L 221 158
L 226 158
L 229 157
L 246 156
L 260 156
L 274 155
L 279 155
L 285 154
L 286 153
L 286 153
L 286 152
L 292 151
L 292 151
L 293 150
L 305 150
L 308 149
L 331 148
L 331 148
L 343 147
L 358 147
L 379 146
L 387 145
L 403 145
L 403 144
L 416 143
L 416 143
L 436 142
L 448 142
L 450 141
L 458 140
L 463 140
L 472 139
L 533 138
L 539 138
L 540 137
L 555 137
L 560 136
L 560 135
L 560 135
L 561 134
L 561 134
L 562 133
L 562 132
L 562 132
L 562 131
L 562 130
L 562 130
L 562 129
L 562 129
L 563 128
L 563 127
L 563 127
L 565 126
L 565 125
L 566 125
L 566 124
L 566 124
L 567 123
L 567 122
L 568 122
L 568 121
L 569 121
L 570 120
L 570 119
L 572 119
L 573 118
L 573 117
L 573 117
L 574 116
L 575 116
L 575 115
L 576 114
L 576 114
L 579 113
L 579 113
L 579 112
L 579 111
L 579 111
L 579 110
L 579 109
L 579 109
L 579 108
L 579 108
L 579 107
L 579 106
L 579 106
L 579 105
L 579 104
L 579 104
L 580 103
L 580 103
L 580 102
L 580 101
L 580 101
L 580 100
L 580 100
L 580 99
L 580 98
L 581 98
L 581 97
L 581 96
L 581 96
L 581 95
L 581 95
L 581 94
L 582 93
L 582 93
L 582 92
L 582 91
L 582 91
L 582 90
L 583 90
L 585 89
L 586 88
L 586 88
L 586 87
L 587 87
L 587 86
L 587 85
L 587 85
L 587 84
L 587 83
L 587 83
L 587 82
L 587 82
L 587 81
L 588 80
L 589 80
L 590 79
L 592 79
L 592 78
L 593 77
L 594 77
L 595 76
L 598 75
L 598 75
L 599 74
L 599 74
L 600 73
L 601 72
L 601 72
L 601 71
L 602 70
L 602 70
L 602 69
L 602 69
L 603 68
L 605 67
L 606 67
L 607 66
L 612 66
L 618 65
L 622 64
L 622 64
L 624 63
L 624 62
L 626 62
L 626 61
L 627 61
L 627 60
L 627 59
L 628 59
L 631 58
L 631 57
L 631 57
L 632 56
L 632 56
L 632 55
L 632 54
L 632 54
L 632 53
L 632 53
L 633 52
L 633 51
L 633 51
L 634 50
L 634 49
L 637 49
L 638 48
L 638 48
L 639 47
L 653 46
L 666 46
L 667 45
L 671 45
L 672 44
L 674 43
L 684 43
L 686 42
L 686 41
L 692 41
L 694 40
L 696 40
L 707 39
L 707 38
L 713 38
L 718 37
L 730 36
L 732 36
L 732 35
L 737 35
L 753 34
L 756 33
L 757 33
L 764 32
L 764 32
L 766 31
L 782 30
L 783 30
L 800 29
L 806 28
L 807 28
L 823 27
L 827 27
L 836 26
L 867 25
L 870 25
L 874 24
L 880 23
L 881 23
L 881 22
L 882 22
L 901 21
L 901 20
L 906 20
L 914 19
L 916 19
L 919 18
L 923 17
L 935 17
L 958 16
L 965 15
L 965 15" style="stroke-width:2;stroke:rgba(129,199,239,1.0);fill:none"/></svg>


10
main.py
View File

@ -17,12 +17,18 @@ if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-aliyun', dest='aliyun', help='python3 main.py -aliyun Bucketurl')
parser.add_argument('-faliyun', dest='faliyun', help='python3 main.py -faliyun filename')
parser.add_argument('-tcloud', dest='tencent_cloud', help='python3 main.py -tcloud BucketUrl')
parser.add_argument('-hcloud', dest='huawei_cloud', help='python3 main.py -hcloud BucketUrl')
parser.add_argument('-aws', dest='aws', help='python3 main.py -aws bucketurl')
args = parser.parse_args()
if args.aliyun:
main.aliyun(args.aliyun)
main.Aliyun_OSS(args.aliyun)
elif args.faliyun:
main.aliyun_file_scan(args.faliyun)
main.Aliyun_file_scan(args.faliyun)
elif args.tencent_cloud:
main.Tencent_Cloud_Cos(args.tencent_cloud)
elif args.huawei_cloud:
main.Huawei_Cloud_OBS(args.huawei_cloud)
elif args.aws:
main.AmazoneS3(args.aws)
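Review bot: the `if`/`elif` chain over `args.aliyun`, `args.faliyun`, `args.tencent_cloud`, `args.huawei_cloud` and `args.aws` acts only on the first flag that is set, so a run that passes both `-tcloud` and `-hcloud` silently skips the second scan, and no `else` branch is visible for a run with no flag at all. Registering the options through `parser.add_mutually_exclusive_group(required=True)` would make argparse reject both cases with a usage message. The help strings also spell the argument three ways (`Bucketurl`, `BucketUrl`, `bucketurl`), and `main.AmazoneS3` keeps its old spelling while the Aliyun entry points are renamed; both are worth aligning in the same change.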

View File

@ -12,9 +12,11 @@ import pandas as pd
from config.conf import NowTime
def aliyun_save_file(target, BucketHijack, GetBucketObjectList, PutBucketObject, GetBucketAcl, PutBucketAcl, GetBucketPolicy):
headers = ['Bucket', 'BucketHijack', 'GetBucketObjectList', 'PutBucketObject', 'GetBucketAcl', 'PutBucketAcl', 'GetBucketPolicy']
filepath = f'{os.getcwd()}/results/{NowTime}.csv'
def aliyun_save_file(target, BucketHijack, GetBucketObjectList, PutBucketObject, GetBucketAcl, PutBucketAcl,
GetBucketPolicy):
headers = ['Bucket', 'BucketHijack', 'GetBucketObjectList', 'PutBucketObject', 'GetBucketAcl', 'PutBucketAcl',
'GetBucketPolicy']
filepath = f'{os.getcwd()}/results/aliyun_{NowTime}.csv'
rows = [
[f"{target}", BucketHijack, GetBucketObjectList, PutBucketObject, GetBucketAcl, PutBucketAcl, GetBucketPolicy]
]
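Review bot: `filepath` in `aliyun_save_file` is built from `os.getcwd()`, so the report goes to whatever directory the tool is launched from, and the `open()` further down will raise unless a `results/` directory already exists there; nothing in the visible lines creates it. Resolving the directory relative to the module (for example from `__file__`) and calling `os.makedirs(..., exist_ok=True)` before opening the file would make the output location predictable. The new `aliyun_` prefix on the file name is a behaviour change for anyone consuming the old `{NowTime}.csv` name and deserves a line in the changelog.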
@ -28,3 +30,53 @@ def aliyun_save_file(target, BucketHijack, GetBucketObjectList, PutBucketObject,
f_csv = csv.writer(f)
f_csv.writerows(rows)
def tencent_save_file(target, ListObject, PutObject, GetBucketACL):
headers = ['Bucket', 'ListObject', 'PutObject', 'GetBucketACL']
filepath = f'{os.getcwd()}/results/tencentcloud_{NowTime}.csv'
rows = [
[f"{target}", ListObject, PutObject, GetBucketACL]
]
if not os.path.isfile(filepath):
with open(filepath, 'a+', newline='') as f:
f = csv.writer(f)
f.writerow(headers)
f.writerows(rows)
else:
with open(filepath, 'a+', newline='') as f:
f_csv = csv.writer(f)
f_csv.writerows(rows)
def huawei_save_file(target, ListObject, PutObject, GetBucketACL):
headers = ['Bucket', 'ListObject', 'PutObject', 'GetBucketACL']
filepath = f'{os.getcwd()}/results/huaweicloud_{NowTime}.csv'
rows = [
[f"{target}", ListObject, PutObject, GetBucketACL]
]
if not os.path.isfile(filepath):
with open(filepath, 'a+', newline='') as f:
f = csv.writer(f)
f.writerow(headers)
f.writerows(rows)
else:
with open(filepath, 'a+', newline='') as f:
f_csv = csv.writer(f)
f_csv.writerows(rows)
def aws_save_file(target, ListObject, PutObject, GetBucketACL):
headers = ['Bucket', 'ListObject', 'PutObject', 'GetBucketACL']
filepath = f'{os.getcwd()}/results/aws_{NowTime}.csv'
rows = [
[f"{target}", ListObject, PutObject, GetBucketACL]
]
if not os.path.isfile(filepath):
with open(filepath, 'a+', newline='') as f:
f = csv.writer(f)
f.writerow(headers)
f.writerows(rows)
else:
with open(filepath, 'a+', newline='') as f:
f_csv = csv.writer(f)
f_csv.writerows(rows)
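Review bot: `tencent_save_file`, `huawei_save_file` and `aws_save_file` are the same body three times, differing only in the file-name prefix, so any later fix has to be made in three places (four with `aliyun_save_file`). One helper that takes the provider prefix, the header list and the row would cover all of them. Inside each copy, `f = csv.writer(f)` rebinds the name of the open file handle within its own `with` block, and both branches of the `os.path.isfile` check open the file in `'a+'` mode, so the branch can shrink to "write the header if the file is new, then append the row". Since `target` is written to the CSV unmodified and may come from a user-supplied list, consider neutralising leading `=`, `+`, `-` or `@` so that a spreadsheet does not treat the cell as a formula when the report is opened.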

View File

@ -1,7 +1,36 @@
boto3==1.23.9
colorama==0.4.4
aliyun-python-sdk-core==2.13.36
aliyun-python-sdk-kms==2.15.0
boto3==1.24.31
botocore==1.27.31
certifi==2022.6.15
cffi==1.15.1
charset-normalizer==2.1.0
colorama==0.4.5
crcmod==1.7
cryptography==37.0.4
deprecation==2.1.0
dnspython==2.2.1
loguru==0.5.3
huaweicloud-sdk-python==1.0.28
idna==3.3
iso8601==1.0.2
jmespath==0.10.0
keystoneauth1==3.4.0
loguru==0.6.0
numpy==1.23.1
oss2==2.15.0
packaging==21.3
pandas==1.4.3
prettytable==3.2.0
pbr==5.9.0
prettytable==3.3.0
pycparser==2.21
pycryptodome==3.15.0
pyparsing==3.0.9
python-dateutil==2.8.2
pytz==2022.1
qcloud-cos==1.0.3
requests==2.28.1
s3transfer==0.6.0
six==1.16.0
stevedore==4.0.0
urllib3==1.26.10
wcwidth==0.2.5
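Review bot: the pin list grows from 7 to 36 entries and now mixes the packages the tool imports directly with their transitive dependencies (`cffi`, `pycparser`, `pbr`, `stevedore`, `six` and so on), all pinned by version only. For a tool that is configured with cloud access keys, it would be safer to keep the direct dependencies in a short input file and generate this lock with hashes (for example `pip-compile --generate-hashes`, installed with `pip install --require-hashes`), so a replaced artifact on the index is rejected at install time. It would also help to note which of the new pins back the Tencent COS and Huawei OBS scanners, since `qcloud-cos`, `huaweicloud-sdk-python` and `keystoneauth1==3.4.0` are the ones reviewers will want to check for currency.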