Using s3sec to batch-scan S3 buckets for exposed data

Published: 2023/12/18

Download

git clone https://github.com/0xmoot/s3sec


Usage examples

Check a single S3 instance:

echo "test-instance.s3.amazonaws.com" | python3 s3sec.py

Or:

echo "test-instance" | python3 s3sec.py

Check a list of S3 instances:

cat locations | python3 s3sec.py

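Search

Set up a wordlist; here I just typed in a few arbitrary entries.

Kick things off

To find more, and more completely, set up a wordlist with several million entries.

Access

Download the corresponding resources

However, many are useless junk files, such as the video linked in the image above.

Wrestling?

You can also link an Amazon account

Install the AWS CLI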

pip3 install awscli

Configure the AWS CLI on Kali Linux

  • Open a terminal and enter the following command, then enter the AWS access key ID and AWS secret access key created in the earlier steps.
  • aws configure

    Use the following default settings:

    AWS Access Key Id: <<Your Key>>
    AWS Secret Access Key: <<Your Secret Access Key>>
    Default region name: ap-south-1
    Default output format: json

Tool source code:

s3sec.py

    #
    #
    # s3sec developed by 0xmoot
    #
    # Test AWS S3 instances for read/write/delete access
    # Usage: cat locations | python3 s3sec.py
    #
    # 0xmoot.com
    # twitter.com/0xmoot
    #
    # Found a bug bounty using this tool? Feel free to add me as a collaborator: 0xmoot
    #
    #
    import sys
    import requests
    import subprocess
    import os
    import urllib3

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    # Banner goes to stderr so that stdout carries only results.
    # Raw strings keep the backslashes in the banner from being read as escapes.
    print(" _____ ", file=sys.stderr)
    print(" ___|___ / ___ ___ ___ ", file=sys.stderr)
    print(r"/ __| |_ \/ __|/ _ \/ __|", file=sys.stderr)
    print(r"\__ \___) \__ \ __/ (__ ", file=sys.stderr)
    print(r"|___/____/|___/\___|\___|", file=sys.stderr)
    print("", file=sys.stderr)
    print(" 0xmoot.com", file=sys.stderr)
    print(" twitter.com/0xmoot", file=sys.stderr)
    print("", file=sys.stderr)
    print("Found a bug bounty using this tool?", file=sys.stderr)
    print("Feel free to add me as a collaborator: 0xmoot :)", file=sys.stderr)
    print("", file=sys.stderr)
    print("Disclaimer: Use with caution. You are responsible for your actions.", file=sys.stderr)
    print("Developers assume no liability and are not responsible for any misuse or damage.", file=sys.stderr)
    print("Usage: cat locations | python3 s3sec.py", file=sys.stderr)
    print("", file=sys.stderr)

    # Minimal container for the parts of an HTTP response the script uses
    class http_obj:
        status_code: int
        text: str
        _url: str

    def http_get(url):
        data = http_obj()
        data._url = url
        data.text = ""
        headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36',
            'connection': 'close'
        }
        try:
            r = requests.get(url, headers=headers, verify=False, timeout=3)
            data.status_code = r.status_code
            data.text = r.text
        except:
            # any request failure is reported as status -1 with empty text
            data.status_code = -1
        return data

    added = []

    def process(url, protocol="https"):
        b = http_get(protocol+"://"+url+".s3.amazonaws.com")
        if(b.text.find("<Error><Code>")>=0):
            # S3 returned an XML error document; report its error code
            code = b.text.split("<Error><Code>")[1].split("</Code>")[0]
            print(url+".s3.amazonaws.com [error: "+code+"]")
            if(code == "AccessDenied"):
                try:
                    #falls back to aws cli to test access with --no-sign-request argument
                    subprocess.check_output([str('aws'), 's3', 'ls', 's3://'+url, '--no-sign-request'],stderr=subprocess.DEVNULL)
                    print(url+".s3.amazonaws.com [read (--no-sign-request)]")
                except:
                    return
            return
        elif(b.text.find("ListBucketResult")>=0):
            # an anonymous GET returned a bucket listing
            print(url+".s3.amazonaws.com [read]")
        else:
            if(protocol=="http"):
                print(url+".s3.amazonaws.com [error: ConnectionError("+str(b.status_code)+")]")
            else:
                #try connecting to http instead
                process(url,"http")
            return
        try:
            #check that we can write to server (uploads s3sec.txt from the current directory)
            subprocess.check_output([str('aws'), 's3', 'cp', os.getcwd()+"/s3sec.txt", 's3://'+url+'/s3sec.txt', '--no-sign-request'],stderr=subprocess.DEVNULL)
            print(url+".s3.amazonaws.com [write]")
            #check that we can remove file from server
            subprocess.check_output([str('aws'), 's3', 'rm', 's3://'+url+'/s3sec.txt', '--no-sign-request'],stderr=subprocess.DEVNULL)
            print(url+".s3.amazonaws.com [delete]")
        except:
            return

    urls = []; c = 0
    # one bucket name or URL per line on stdin; reduce each to the bare bucket name
    for line in sys.stdin:
        url = line.strip().replace("https://","").replace(".s3.amazonaws.com","").replace("s3.amazonaws.com/","")
        process(url)
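For bucket owners, the read/write/delete labels the script prints correspond to anonymous grants that can be found in the bucket's own policy. The following is an added example, not part of the original post or of s3sec, that audits a policy document for such grants. The function names, the sample policy, its bucket name, Sids and account ID are constructed, and only Allow statements in the bucket policy are examined (ACLs, Deny statements and Block Public Access settings are not).

```python
import fnmatch
import json

# S3 actions behind the three access labels s3sec prints.
LABELS = {"s3:ListBucket": "read", "s3:GetObject": "read",
          "s3:PutObject": "write", "s3:DeleteObject": "delete"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    # "*" and {"AWS": "*"} both match every caller, including unsigned requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def anonymous_grants(policy_json):
    """Return sorted (label, sid, conditional) tuples for anonymous Allow statements."""
    findings = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        conditional = "Condition" in stmt  # may narrow the grant; review by hand
        for pattern in as_list(stmt.get("Action", [])):
            for action, label in LABELS.items():
                # IAM action names are case-insensitive and accept * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((label, stmt.get("Sid", "<no Sid>"), conditional))
    return sorted(findings)

# Constructed sample policy (bucket name, Sids and account ID are made up).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PublicObjects", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:Put*"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeDelete", "Effect": "Allow", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "OpsRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for label, sid, conditional in anonymous_grants(SAMPLE_POLICY):
        note = " (has Condition, review manually)" if conditional else ""
        print(f"[{label}] anonymous Allow in statement {sid}{note}")
```

A policy document for a bucket you own can be obtained with `aws s3api get-bucket-policy` and passed to `anonymous_grants` as a string.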
