如果我们在渗透测试中发现一个OSS,而且默认无法进行读取数据(即桶ACL为"私有"),但是通过查询ACL我们发现桶ACL可写,那么此时我们就可以通过写ACL来更新桶ACL并获取到对象数据信息
Step 1:进入OSS控制面板,选择"查看Bucket列表"
Step 2:进入Bucket操作界面
Step 3:进入"权限管理"页面,确定当前"Bucket ACL"为"私有"
Step 4:设置存储桶策略允许"PutBucketPolicy"和GetBucketPolicy
Step 5:设置存储桶策略拒绝"ListObject"和"GetObject"
最终配置策略如下:
Step 1:直接访问存储桶域名可以看到无法列对象,同时提示"Access denied by bucket policy"
Step 2:之后查看Policy
ossutil64.exe bucket-policy oss://al1ex --method get -c D:\Application\ossutil64\.ossutilconfig
{
"Version": "1",
"Statement": [
{
"Principal": [
"*"
],
"Effect": "Deny",
"Resource": [
"acs:oss:*:1042964876806166:al1ex/*"
],
"Action": [
"oss:ListObjects",
"oss:GetObject"
]
},
{
"Principal": [
"*"
],
"Effect": "Deny",
"Resource": [
"acs:oss:*:1042964876806166:al1ex"
],
"Condition": {
"StringLike": {
"oss:Prefix": [
"*"
]
}
},
"Action": [
"oss:ListObjects",
"oss:GetObject"
]
},
{
"Principal": [
"*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:1042964876806166:al1ex/*"
],
"Action": [
"oss:PutBucketPolicy",
"oss:GetBucketPolicy"
]
}
]
}
Step 3:之后我可以将Effect中的"Deny"更改为Allow即可,构造一下json文件
{
"Version": "1",
"Statement": [
{
"Principal": [
"*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:1042964876806166:al1ex/*"
],
"Action": [
"oss:ListObjects",
"oss:GetObject"
]
},
{
"Principal": [
"*"
],
"Effect": "Allow",
"Resource": [
"acs:oss:*:1042964876806166:al1ex/*"
],
"Action": [
"oss:PutBucketPolicy",
"oss:GetBucketPolicy"
]
}
]
}
之后上传更新存储桶策略
ossutil64.exe bucket-policy oss://al1ex --method put D:\Application\ossutil64\change.json -c D:\Application\ossutil64\.ossutilconfig
Step 4:再次查看策略会发现成功更新
Step 5:直接访问存储桶域名信息发现无法列举对象(很是奇怪)
但是想着可以访问对象了:
Step 6:查看存储桶读写权限可以看到已经变成了"公共读"
Step 7:查看存储桶可以看到"拒绝"变为了"Allow"
本篇文章我们介绍了当Bucket授权策略配置了PutBucketPolicy,且在获取到AK/SK的情况下如何更改Bucket授权策略,获取对象信息,有些人可能会想,如果获取到了AK/SK,直接使用OSS Browser链接不就可以了吗?但是如果没有ListBucket/GetObject,那么此时是无法连接的,而这个时候我们可以去查看是否可获取Policy,如果可以获取到策略且有配置PutBucketPolicy,那么就可以更新Policy,并最终获得存储桶的访问权限