|
1 | | -# :rooster:0x00 Preface |
| 1 | + |
2 | 2 |
|
3 | | - |
4 | | - |
5 | | -> March 7, 2022 |
6 | | -> |
7 | | -> I think the documentation is not very clear, wait for the time to update the full documentation of the use of tutorials |
8 | | -> March 8, 2022 |
9 | | -> |
10 | | -> May 29, 2022 |
11 | | -> |
12 | | -> 1. updated the aws storage bucket detection feature |
13 | | -> |
14 | | -> 2. feel that the update is a bit slow, this is a busy time, in fact, the new local version is written, has not been push |
15 | | -
|
16 | | -**Using tutorial**: [Using tutorial](使用教程.md) |
17 | | - |
18 | | -**Language** |
19 | | - |
20 | | -English README: [English](README.en.md) |
21 | | - |
22 | | -I want to write a storage bucket utilization, first draw a pie for myself |
23 | | - |
24 | | -+ Aliyun Cloud (Aliyun Cloud Oss) |
25 | | -+ Tencent Cloud COS |
26 | | -+ Huawei Cloud (HuaWei Cloud OBS) |
27 | | -+ AWS (Amazon S3 Bucket) |
28 | | -+ Azure (Azure Blob) |
29 | | -+ GCP (Google Cloud Bucket) |
30 | | - |
31 | | -I don't even think about the name of the tool, I believe the big guys will know when they see the project name... King of machine flip |
32 | | - |
33 | | -If you think it works fine, you can raise an issue to give the tool a name? :sos: |
34 | | - |
35 | | -:waning_crescent_moon:**painting pie progress** |
36 | | - |
37 | | -1, Ali cloud storage bucket use |
38 | | - |
39 | | -Not too good with Git, code writing also sucks, there are bugs directly mention Issue can (as if I may not even use issue to understand) |
40 | | - |
41 | | -> Good thing the second master recommended to me GitHub Desktop second master YYDS |
42 | | -
|
43 | | -2, AWS storage bucket use |
44 | | - |
45 | | -# :pill:0x01 dependency |
46 | | - |
47 | | -+ pip3 install oss2 |
48 | | -+ pip3 install colorlog |
49 | | -+ pip3 install argparse |
50 | | -+ pip3 install boto3 |
51 | | - |
52 | | -# :gun:0x02 Usage |
| 3 | +# :rooster:Tutorial |
53 | 4 |
|
54 | 5 | ```bash |
55 | 6 | git clone https://github.com/UzJu/Cloud-Bucket-Leak-Detection-Tools.git |
| 7 | +cd Cloud-Bucket-Leak-Detection-Tools/ |
| 8 | +pip3 install -r requirements.txt |
56 | 9 | python3 main.py -h |
57 | 10 | ``` |
58 | 11 |
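Review bot: the explicit dependency list (`pip3 install oss2`, `colorlog`, `argparse`, `boto3`) is dropped in favour of `+pip3 install -r requirements.txt`, but this diff does not show a requirements.txt being added or updated; confirm the file exists in the repository and lists oss2, colorlog and boto3, and leave argparse out of it, since argparse is part of the Python 3 standard library and the PyPI package of the same name is not needed. The removed preface also carried the only pointer to the Chinese usage guide (`使用教程.md`) and the English README (`README.en.md`); if those files still exist, the new Tutorial heading should link to them.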
|
59 | | -Then write your own Aliyun AK in config/conf.py, the role is as follows |
| 12 | + |
60 | 13 |
|
61 | | -1, if you can hijack, will use the AK to create a storage bucket of the same name |
| 14 | +You need to configure your corresponding cloud vendor AK in the `config/conf.py` file before using it. |
62 | 15 |
|
63 | | -2, used to verify the legitimate user |
| 16 | + |
64 | 17 |
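Review bot: `+You need to configure your corresponding cloud vendor AK in the config/conf.py file` drops the two removed lines that explained what the key is used for (creating a bucket of the same name in the AK's account when the target does not exist, and making authenticated requests to verify permissions). Keep that explanation, because a user should know the tool will create resources under their own account with their own credentials, and add a note that `config/conf.py` holds long-lived access keys and should be listed in `.gitignore` so it is never committed.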
|
65 | | - |
| 18 | +## 1、Ariyun storage bucket |
66 | 19 |
|
67 | | -## 1. When storage bucket Policy permission is available |
| 20 | +### 1.1, single storage bucket detection |
68 | 21 |
|
69 | | - |
| 22 | +```bash |
| 23 | +python3 main.py -aliyun [BucketURL] |
| 24 | +``` |
70 | 25 |
|
71 | | -## 2. When the storage bucket does not exist (automatically created and hijacked) |
| 26 | + |
72 | 27 |
|
73 | | - |
| 28 | +### 1.2. Automatic bucket hijacking |
74 | 29 |
|
75 | | -## 3、Batch detection of storage buckets |
| 30 | +Automatically hijack a bucket when it is detected as not existing |
76 | 31 |
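Review bot: "Ariyun" in `+## 1、Ariyun storage bucket` is a typo for "Aliyun", and the numbering punctuation is inconsistent across the new headings (`1、`, `1.1,`, `1.2.`, `1.3.`). The description under 1.2, `+Automatically hijack a bucket when it is detected as not existing`, should restore what the removed text said: the tool creates a same-name bucket under the configured AK account and opens all permissions on it. That side effect costs money and leaves a world-writable bucket in the user's account, so it is worth stating plainly and is a good candidate for an explicit opt-in option rather than running automatically on every non-existent bucket.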
|
77 | | -New detection function of batch storage bucket, recommend fofa to export all assets with one click |
| 32 | + |
78 | 33 |
|
79 | | -**fofa** |
| 34 | +### 1.3. Bulk bucket address detection |
80 | 35 |
|
81 | 36 | ```bash |
| 37 | +# fofa syntax |
82 | 38 | domain="aliyuncs.com" |
83 | | -server="AliyunOSS" domain="aliyuncs.com" #This syntax is not recommended |
| 39 | +server="AliyunOSS" domain="aliyuncs.com" |
84 | 40 | ``` |
85 | 41 |
|
86 | 42 | ```bash |
87 | | -python3 main.py -f aws/aliyun filepath |
88 | | - |
89 | | -# For example |
90 | | -python3 main.py -f aws . /url.tx\\\\\\\`````````````````````````````````````````````````````````````````````````` |
| 43 | +# Use -faliyun |
| 44 | +python3 main.py -faliyun url.txt |
91 | 45 | ``` |
92 | 46 |
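Review bot: the comment `#This syntax is not recommended` on the `server="AliyunOSS" domain="aliyuncs.com"` fofa query is removed while the query itself is kept, so the reader loses the caveat; either restore it or drop the query. The batch command changes from `python3 main.py -f aws/aliyun filepath` to `python3 main.py -faliyun url.txt`; confirm that `-faliyun` is the flag actually defined in main.py's argument parser and shown by `python3 main.py -h`, and state the expected format of url.txt (presumably one bucket URL per line), since the old example that showed it was garbled and is now gone.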
|
93 | | -Then just wait, the scan results will be in the results directory with the date of the day as the filename |
94 | | - |
95 | | - |
96 | | - |
97 | | - |
98 | | - |
99 | | -Only buckets that have permission to operate will be saved |
100 | | - |
101 | | - |
102 | | -Input the storage bucket address to detect automatically, the function is as follows |
103 | | - |
104 | | -+ 1. detect whether the current bucket can be hijacked |
105 | | - + If it can be hijacked, automatically create a bucket with the same name on the AK account written in the config and open all permissions |
106 | | -+ 2. detect whether the current bucket can list Object |
107 | | -+ 3. Check if the current bucket can get ACL |
108 | | -+ 4、Check if the current bucket can get Policy policy table |
109 | | -+ 5、Detect whether the bucket can upload Objects |
110 | | -+ 6、Batch detection function |
111 | | - |
112 | | -## 4、Domain name detection function |
113 | | - |
114 | | -Many storage buckets have resolved the domain name, the new judgment of the domain name CNAME, and then take the CNAME to detect |
115 | | - |
116 | | -** can now directly import a large number of domain name assets for detection, will automatically determine the CNAME of the domain name ** |
117 | | - |
118 | | - |
| 47 | + |
119 | 48 |
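Review bot: the removed block listed what each check does (hijack, ListObject, GetBucketACL, GetBucketPolicy, PutObject) and where results go (`results` directory, file named by the day's date, only buckets with an operable permission saved), while the `+` line at new line 47 adds only an image whose markup does not survive here. Keep the list as text; it is searchable and accessible, and it tells the user which finding maps to which misconfiguration. The removed "Domain name detection function" section (CNAME resolution for domain input) also disappears without a replacement; if the feature still exists, document it under the new Tutorial.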
|
120 | | -# 0x03 Ali cloud storage bucket utilization |
121 | | - |
122 | | -### 1、Implementation ideas |
123 | | - |
124 | | -First implement the `OssBucketCheckFromSDK` class |
125 | | - |
126 | | -+ AliyunOssBucketDoesBucketExist |
127 | | - |
128 | | - + AliyunOssBucketDoesBucketExist is used to determine whether the current bucket exists, first if the bucket exists then return a True, continue with the following process, if the bucket does not exist, then call the OssBucketExploitFromSDK class, create the bucket, and set ACL permissions, upload access policy, then upload a file for verification, if the bucket exists at this time or AccessDenied, continue with the following process |
129 | | - |
130 | | -+ AliyunOssGetBucketObjectList |
131 | | - |
132 | | - + determine if the contents of the bucket can be traversed, and if so, the first 3 contents will be selected for traversal and displayed |
133 | | - |
134 | | - > If you want to iterate through more content, you can check the AliyunOssGetBucketObjectList method in aliyunOss.py |
135 | | - |
136 | | -+ AliyunOssGetBucketAcl |
137 | | - |
138 | | - + determine if the current Bucket's ACL can be accessed, if so, return the current Bucket's ACL, if not, continue with the following Check process |
139 | | - |
140 | | -+ AliyunOssGetBucketPolicy |
141 | | - |
142 | | - + Determine if the policy of the current Bucket can be accessed, if so, the ACL of the current Bucket will be returned, if not, continue with the following Check process |
143 | | - |
144 | | -+ AliyunOssGetBucketObject |
145 | | - |
146 | | - + Try to upload a file, whether it can be successfully uploaded |
147 | | - |
148 | | -# 0x04 Aws storage bucket utilization |
| 49 | +## 2. Tencent cloud storage bucket |
149 | 50 |
|
150 | 51 | ```bash |
151 | | -python3 main.py -aws xxxx |
| 52 | +python3 main.py -tcloud [storage bucket address] |
152 | 53 | ``` |
153 | 54 |
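Review bot: removing the "Implementation ideas" design notes from the README is reasonable, but nothing points to where they now live; a short docs/ file would keep them discoverable. If they are moved, fix the copy-paste error in the `AliyunOssGetBucketPolicy` bullet, which says the ACL is returned when the policy is readable where it should say the policy. For `+python3 main.py -tcloud [storage bucket address]`, the bracketed placeholder is fine, but confirm the flag spelling matches the parser definition, as with `-faliyun` above.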
|
154 | | - |
| 55 | + |
155 | 56 |
|
156 | | -# 0x05 Explanation of the results file after use |
| 57 | +## 3. Huawei cloud storage bucket |
157 | 58 |
|
158 | | -You can see the problematic bucket in the results directory |
159 | | - |
160 | | - |
161 | | - |
162 | | -1, ListObject means the contents of the bucket can be listed |
163 | | - |
164 | | -2、PutObject means that the bucket can upload any file |
165 | | - |
166 | | -3、NoSuchBucket means the bucket can be taken over |
167 | | - |
168 | | -4、GetBucketACL means you can get the ACL of the bucket |
169 | | - |
170 | | -5、GetBucketPolicy means you can get the policy configuration of the bucket |
171 | | - |
172 | | -# :older_man:0x040001 Update Log |
| 59 | +```bash |
| 60 | +python3 main.py -hcloud [storage bucket address] |
| 61 | +``` |
173 | 62 |
|
174 | | -**March 6, 2022** |
| 63 | + |
175 | 64 |
|
176 | | -+ Add batch scan function |
177 | | -+ Fix the Fake_UserAgent error reporting problem |
| 65 | +## 4. AWS storage bucket |
178 | 66 |
|
179 | | -> actually just delete this library, don't use it ^ ^ |
| 67 | +```bash |
| 68 | +python3 main.py -aws [storage bucket address] |
| 69 | +``` |
180 | 70 |
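Review bot: the removed Update Log (March 6, March 7 and May 29, 2022 entries) is the only record of when batch scanning, domain detection and AWS support were added; move it to a CHANGELOG.md rather than deleting it. The removed "Fix the Fake_UserAgent error reporting problem" entry and its reply ("actually just delete this library") indicate fake_useragent was dropped as a dependency; confirm requirements.txt does not still list it, and that the same requirements cover the Tencent (`-tcloud`) and Huawei (`-hcloud`) SDKs the new sections introduce, since neither appeared in the old dependency list.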
|
181 | | -**March 7, 2022** |
| 71 | +images/image-20220716142431142.png) |
182 | 72 |
|
183 | | -+ Added domain detection |
| 73 | +## 5. Scan results saving |
184 | 74 |
|
185 | | -**May 29, 2022** |
| 75 | +The scan results will be stored in the `results` directory |
186 | 76 |
|
187 | | -- Added AWS storage bucket scan |
| 77 | + |
188 | 78 |
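Review bot: `+images/image-20220716142431142.png)` at new line 71 is a broken image reference; only the tail of the markdown survived, so it will render as literal text. It should read `![image](images/image-20220716142431142.png)`. Under `+## 5. Scan results saving`, the removed legend should be restored next to `The scan results will be stored in the results directory`: ListObject means contents can be listed, PutObject means arbitrary files can be uploaded, NoSuchBucket means the bucket can be taken over, GetBucketACL and GetBucketPolicy mean the ACL or policy is readable. Also restore the removed details that the file is named by the day's date and that only buckets with some operable permission are saved; a results file is not interpretable without them.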
|
189 | | -# :cop:0xffffffff Disclaimer |
| 79 | + |
190 | 80 |
|
191 | | -Disclaimers |
| 81 | +# :cop:0xFFFFFFFF Disclaimer |
192 | 82 |
|
193 | | -1、This tool is for academic exchange only, it is forbidden to use the tool to do illegal things |
| 83 | +1、This tool is only for academic exchange, it is forbidden to use the tool to do illegal things |
194 | 84 |
|
195 | 85 | 2, just writing for fun |
196 | 86 |
|
197 | 87 | 3、My WeChat |
198 | 88 |
|
199 | 89 | > If you have a better suggestion or make a friend |
200 | 90 |
|
201 | | - |
| 91 | +<img src="images/157070417-dbb7886f-1bb8-412f-a30b-0f85bc8ffa10.png" alt="image" style="zoom:33%;" /> |
| 92 | + |
| 93 | +4、Blog: UzzJu.com |
| 94 | +5、Public |
| 95 | + |
| 96 | + |
202 | 97 |
|
203 | 98 | # Curve chart |
204 | 99 |
|
205 | | -[](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools) |
| 100 | +[](https://starchart.cc/UzJu/Cloud-Bucket-Leak-Detection-Tools) |
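Review bot: `+4、Blog: UzzJu.com` and `+5、Public` at new lines 93 and 94 have no blank line between them, so they render as one paragraph unlike the numbered items above; `5、Public` also looks truncated, with no content following it. Confirm the blog domain spelling, since the repository owner is `UzJu` and the text says `UzzJu.com`. The `style="zoom:33%;"` attribute on the `<img>` tag is stripped by GitHub's markdown sanitizer, so the image will render at full size; a `width` attribute on the img element is preserved and is the usual way to scale it. The star chart link keeps an empty link text in both old and new lines; give it descriptive alt text so it is not rendered as an empty link.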