Background:

In serverless architectures it is common to pair AWS Lambda with SQS to process messages. If that user-supplied data is then used in database queries, the situation becomes dangerous. This underlines the importance of secure coding practices, especially when the input source is untrusted or publicly reachable. Brute-forcing attribute values in a Lambda function is also a real-world threat.
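As an added illustration of the Lambda + SQS risk described above (example code, not from the lab or this writeup), the handler below consumes SQS records and shows a string-built query beside its parameterised fix; the stock table, the SKU values and the SQS event are constructed for the example, and the real backend of the function in this lab is unknown.

```python
import json
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the function's database
    # (assumption: the lab function's real backend is not known to us).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stock (sku TEXT, qty INTEGER)")
    db.executemany("INSERT INTO stock VALUES (?, ?)",
                   [("HL-1001", 40), ("HL-9999", 3)])
    return db

def vulnerable_lookup(db, sku):
    # The message body is spliced into the SQL text, so a quote character in
    # the SQS message rewrites the WHERE clause (the bug the background describes).
    sql = f"SELECT sku, qty FROM stock WHERE sku = '{sku}'"
    return db.execute(sql).fetchall()

def hardened_lookup(db, sku):
    # Parameterised query: the value travels separately from the statement,
    # so the body can only ever be compared as data, never parsed as SQL.
    return db.execute("SELECT sku, qty FROM stock WHERE sku = ?", (sku,)).fetchall()

def make_event(sku):
    # Constructed SQS event in the shape Lambda receives from an SQS trigger.
    return {"Records": [{"messageId": "constructed-1",
                         "body": json.dumps({"sku": sku})}]}

def process_records(event, db, lookup=hardened_lookup):
    # Every record body is caller-controlled: validate its shape before it
    # gets anywhere near SQL, and drop bad records instead of crashing.
    results = []
    for record in event.get("Records", []):
        try:
            body = json.loads(record.get("body", ""))
        except ValueError:
            continue                      # malformed body
        sku = body.get("sku") if isinstance(body, dict) else None
        if not isinstance(sku, str) or len(sku) > 32:
            continue                      # missing, non-string or oversized input
        results.append({"sku": sku, "rows": lookup(db, sku)})
    return results

def lambda_handler(event, context=None):
    # Entry point matching the page's "lambda_function.lambda_handler" handler.
    rows = process_records(event, make_db())
    return {"statusCode": 200, "body": json.dumps(rows)}
```

Run the same crafted message through both lookups: the string-built query returns every row, the parameterised one returns nothing.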

After setting up the config from the challenge information, install aws-enumerator and enumerate the permissions of our current user:

go install -v github.com/shabarkin/aws-enumerator@latest
> ~/go/bin/aws-enumerator cred -aws_access_key_id AKIATWVWNKAVFMBHTHOR -aws_region eu-north-1 -aws_secret_access_key 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

Message:  File .env with AWS credentials were created in current folder

Enumerate which services we can reach: aws-enumerator enum -services all

Message:  Successful APPMESH: 0 / 1
Message:  Successful ACM: 0 / 1
Message:  Successful APIGATEWAY: 0 / 8
Message:  Successful APPSYNC: 0 / 1
Message:  Successful AMPLIFY: 0 / 1
Message:  Successful ATHENA: 0 / 3
Message:  Successful BATCH: 0 / 4
Message:  Successful AUTOSCALING: 0 / 15
Message:  Successful BACKUP: 0 / 7
Message:  Successful CHIME: 0 / 1
Message:  Successful CLOUD9: 0 / 2
Message:  Successful CLOUDFRONT: 0 / 5
Message:  Successful CLOUDDIRECTORY: 0 / 4
Message:  Successful CLOUDFORMATION: 0 / 8
Message:  Successful CLOUDTRAIL: 0 / 1
Message:  Successful CODEBUILD: 0 / 4
Message:  Successful CODECOMMIT: 0 / 2
Message:  Successful CLOUDHSMV2: 0 / 2
Message:  Successful CLOUDHSM: 0 / 6
Message:  Successful CODEPIPELINE: 0 / 3
Message:  Successful CLOUDSEARCH: 0 / 2
Message:  Successful CODEDEPLOY: 0 / 8
Message:  Successful DATAPIPELINE: 0 / 1
Message:  Successful COMPREHEND: 0 / 8
Message:  Successful DLM: 0 / 1
Message:  Successful DATASYNC: 0 / 4
Message:  Successful DIRECTCONNECT: 0 / 9
Message:  Successful DAX: 0 / 4
Message:  Successful DEVICEFARM: 0 / 10
Message:  Successful DYNAMODB: 1 / 5
Message:  Successful EKS: 0 / 1
Message:  Successful CODESTAR: 0 / 2
Message:  Successful EC2: 0 / 74
Message:  Successful ECS: 0 / 8
Message:  Successful ECR: 0 / 2
Message:  Successful ELASTICBEANSTALK: 0 / 8
Message:  Successful FIREHOSE: 0 / 1
Message:  Successful ELASTICACHE: 0 / 10
Message:  Successful FMS: 0 / 4
Message:  Successful GLUE: 0 / 17
Message:  Successful FSX: 0 / 2
Message:  Successful ELASTICTRANSCODER: 0 / 2
Message:  Successful GLOBALACCELERATOR: 0 / 2
Message:  Successful GUARDDUTY: 0 / 3
Message:  Successful IOT: 0 / 30
Message:  Successful INSPECTOR: 0 / 7
Message:  Successful IAM: 0 / 20
Message:  Successful GREENGRASS: 0 / 10
Message:  Successful GAMELIFT: 0 / 15
Message:  Successful HEALTH: 0 / 2
Message:  Successful KAFKA: 0 / 1
Message:  Successful KINESIS: 0 / 4
Message:  Successful KINESISANALYTICS: 0 / 1
Message:  Successful KMS: 0 / 3
Message:  Successful LIGHTSAIL: 0 / 19
Message:  Successful LAMBDA: 1 / 4
Message:  Successful IOTANALYTICS: 0 / 5
Message:  Successful MEDIASTORE: 0 / 2
Message:  Successful MEDIAPACKAGE: 0 / 2
Message:  Successful MEDIACONVERT: 0 / 5
Message:  Successful MEDIACONNECT: 0 / 2
Message:  Successful MACHINELEARNING: 0 / 4
Message:  Successful MACIE: 0 / 2
Message:  Successful MQ: 0 / 2
Message:  Successful MEDIATAILOR: 0 / 1
Message:  Successful ORGANIZATIONS: 0 / 7
Message:  Successful KINESISVIDEO: 0 / 3
Message:  Successful RAM: 0 / 1
Message:  Successful POLLY: 0 / 3
Message:  Successful RDS: 0 / 21
Message:  Successful MEDIALIVE: 0 / 5
Message:  Successful OPSWORKS: 0 / 15
Message:  Successful PRICING: 0 / 1
Message:  Successful MOBILE: 0 / 2
Message:  Successful ROUTE53: 0 / 10
Message:  Successful REDSHIFT: 0 / 20
Message:  Successful PINPOINT: 0 / 1
Message:  Successful ROUTE53DOMAINS: 0 / 3
Message:  Successful ROUTE53RESOLVER: 0 / 3
Message:  Successful SECURITYHUB: 0 / 8
Message:  Successful SECRETSMANAGER: 0 / 2
Message:  Successful S3: 0 / 1
Message:  Successful REKOGNITION: 0 / 2
Message:  Successful SAGEMAKER: 0 / 15
Message:  Successful ROBOMAKER: 0 / 6
Message:  Successful SIGNER: 0 / 3
Message:  Successful SNOWBALL: 0 / 5
Message:  Successful SERVICECATALOG: 0 / 7
Message:  Successful SHIELD: 0 / 7
Message:  Successful STORAGEGATEWAY: 0 / 5
Message:  Successful STS: 2 / 2
Message:  Successful SNS: 0 / 5
Message:  Successful SQS: 1 / 1
Message:  Successful SSM: 0 / 16
Message:  Successful TRANSFER: 0 / 1
Message:  Successful TRANSCRIBE: 0 / 2
Message:  Successful TRANSLATE: 0 / 1
Message:  Successful WAF: 0 / 15
Message:  Successful SUPPORT: 0 / 3
Message:  Successful XRAY: 0 / 5
Message:  Successful WORKMAIL: 0 / 1
Message:  Successful WORKDOCS: 0 / 3
Message:  Successful WORKLINK: 0 / 1
Message:  Successful WORKSPACES: 0 / 8

We can see we have permissions on both Lambda and SQS, so dump them directly: aws-enumerator dump -services lambda,sqs

---------------------------------------------- LAMBDA ----------------------------------------------

ListFunctions

....
------------------------------------------------ SQS ------------------------------------------------

ListQueues

....

Listing the Lambda functions shows there is one:

> aws lambda list-functions

{
    "Functions": [
        {
            "FunctionName": "huge-logistics-stock",
            "FunctionArn": "arn:aws:lambda:eu-north-1:254859366442:function:huge-logistics-stock",
            "Runtime": "python3.11",
            "Role": "arn:aws:iam::254859366442:role/service-role/huge-lambda-analytics-role-ewljs6ls",
            "Handler": "lambda_function.lambda_handler",
            "CodeSize": 104874,
            "Description": "",
            "Timeout": 3,
            "MemorySize": 128,
            "LastModified": "2023-09-20T11:26:12.000+0000",
            "CodeSha256": "FkcaVsjbU9YqnNKIPWBqAu76S9bST/bfljnSuDoU4Y0=",
            "Version": "$LATEST",
            "VpcConfig": {
                "SubnetIds": [],
                "SecurityGroupIds": [],
                "VpcId": "",
                "Ipv6AllowedForDualStack": false
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "dcbd95eb-b673-40dc-9bc0-2ce35d1edd0c",
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ],
            "EphemeralStorage": {
                "Size": 512
            },
            "SnapStart": {
                "ApplyOn": "None",
                "OptimizationStatus": "Off"
            },
            "LoggingConfig": {
                "LogFormat": "Text",
                "LogGroup": "/aws/lambda/huge-logistics-stock"
            }
        }
    ]
}

There is a huge-logistics-stock function, but we have no permission to access it:

> aws lambda get-function --function-name huge-logistics-stock

An error occurred (AccessDeniedException) when calling the GetFunction operation: User: arn:aws:iam::254859366442:user/analytics-usr is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-north-1:254859366442:function:huge-logistics-stock because no identity-based policy allows the lambda:GetFunction action

Although we cannot read the source code, we do have permission to invoke it.


The function's response hints that parameters are missing, so we try fuzzing the parameter names.

First, download the Burp Suite parameter-name wordlist.

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/burp-parameter-names.txt

We can put together a quick bash script to try the different parameter names and report any that are valid.