gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-08 11:21:00 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:05:38 +00:00
parent 94f24df656
commit 1e9dcd664b
245 changed files with 10145 additions and 12880 deletions
Download Patch File Download Diff File Expand all files Collapse all files

256
src/pentesting-ci-cd/github-security/README.md
View File

@@ -2,41 +2,41 @@
{{#include ../../banners/hacktricks-training.md}}
## What is Github
## 什么是Github
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
(来自 [这里](https://kinsta.com/knowledgebase/what-is-github/)) 从高层次来看,**GitHub是一个网站和基于云的服务帮助开发者存储和管理他们的代码以及跟踪和控制代码的更改**。
### Basic Information
### 基本信息
{{#ref}}
basic-github-information.md
{{#endref}}
## External Recon
## 外部侦查
Github repositories can be configured as public, private and internal.
Github 仓库可以配置为公共、私有和内部。
- **Private** means that **only** people of the **organisation** will be able to access them
- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
- **Public** means that **all internet** is going to be able to access it.
- **私有**意味着**只有**组织中的人才能访问它们
- **内部**意味着**只有**企业中的人(一个企业可能有多个组织)才能访问它
- **公共**意味着**所有互联网**用户都可以访问它。
In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
如果你知道**想要攻击的用户、仓库或组织**,你可以使用**github dorks**来查找敏感信息或搜索**每个仓库中的敏感信息泄露**。
### Github Dorks
Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
Github 允许**通过指定用户、仓库或组织作为范围来搜索某些内容**。因此,使用一系列将出现在敏感信息附近的字符串,你可以轻松地**搜索目标中的潜在敏感信息**。
Tools (each tool contains its list of dorks):
工具(每个工具包含其 dorks 列表):
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks 列表](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks 列表](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks 列表](https://github.com/hisxo/gitGraber/tree/master/wordlists))
### Github Leaks
### Github 泄露
Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
请注意github dorks 也旨在使用 github 搜索选项查找泄露。此部分专门介绍那些将**下载每个仓库并搜索其中敏感信息**的工具(甚至检查某些深度的提交)。
Tools (each tool contains its list of regexes):
工具(每个工具包含其正则表达式列表):
- [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
- [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
@@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes):
- [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
> [!WARNING]
> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
> 当你在一个仓库中查找泄露并运行类似 `git log -p` 的命令时,不要忘记可能还有**其他分支和其他提交**包含秘密!
### External Forks
### 外部分支
It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).
可以通过**滥用拉取请求来妥协仓库**。要知道一个仓库是否脆弱,你主要需要阅读 Github Actions yaml 配置。 [**更多信息见下文**](./#execution-from-a-external-fork)
### Github Leaks in deleted/internal forks
### Github 在删除/内部分支中的泄露
Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:
即使是删除或内部的,也可能从 github 仓库的分支中获取敏感数据。请在此查看:
{{#ref}}
accessible-deleted-data-in-github.md
{{#endref}}
## Organization Hardening
## 组织强化
### Member Privileges
### 成员权限
There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations/<org_name>/settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
可以为组织的**成员**分配一些**默认权限**。这些可以从页面 `https://github.com/organizations/<org_name>/settings/member_privileges` 或从 [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs) 控制。
- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**.
- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories.
- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages.
- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.**
- _I couldn't find this info in the APIs response, share if you do_
- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled.
- _I couldn't find this info in the APIs response, share if you do_
- **More things can be configured** in this page but the previous are the ones more security related.
- **基本权限**:成员将对组织仓库拥有 None/Read/write/Admin 权限。推荐使用**None**或**Read**。
- **仓库分叉**:如果不必要,最好**不允许**成员分叉组织仓库。
- **页面创建**:如果不必要,最好**不允许**成员从组织仓库发布页面。如果必要,可以允许创建公共或私有页面。
- **集成访问请求**:启用后,外部协作者将能够请求访问 GitHub OAuth 应用以访问该组织及其资源。通常是需要的,但如果不需要,最好禁用它。
- _我在 API 响应中找不到此信息,如果你找到了,请分享_
- **仓库可见性更改**:如果启用,具有**管理员**权限的**成员**将能够**更改其可见性**。如果禁用,只有组织所有者可以更改仓库的可见性。如果你**不**希望人们将内容**公开**,请确保此选项**禁用**。
- _我在 API 响应中找不到此信息,如果你找到了,请分享_
- **仓库删除和转移**:如果启用,具有**管理员**权限的成员将能够**删除**或**转移**公共和私有**仓库**
- _我在 API 响应中找不到此信息,如果你找到了,请分享_
- **允许成员创建团队**:如果启用,任何**成员**都将能够**创建**新**团队**。如果禁用,只有组织所有者可以创建新团队。最好将此选项禁用。
- _我在 API 响应中找不到此信息,如果你找到了,请分享_
- **此页面上可以配置更多内容**,但前面的内容与安全性相关性更大。
### Actions Settings
### Actions 设置
Several security related settings can be configured for actions from the page `https://github.com/organizations/<org_name>/settings/actions`.
可以从页面 `https://github.com/organizations/<org_name>/settings/actions` 配置多个与安全相关的设置。
> [!NOTE]
> Note that all this configurations can also be set on each repository independently
> 请注意,所有这些配置也可以在每个仓库中独立设置
- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run.
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators.
- _I couldn't find an API with this info, share if you do_
- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository.
- _I couldn't find an API with this info, share if you do_
- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows.
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
- **Github actions 策略**:允许你指明哪些仓库可以运行工作流,哪些工作流应该被允许。建议**指定哪些仓库**应该被允许,而不是允许所有操作运行。
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **来自外部协作者的拉取请求工作流**:建议**要求所有**外部协作者的批准。
- _我找不到包含此信息的 API如果你找到了请分享_
- **从拉取请求运行工作流**:强烈**不建议从拉取请求运行工作流**,因为分叉源的维护者将获得使用具有读取权限的令牌访问源仓库的能力。
- _我找不到包含此信息的 API如果你找到了请分享_
- **工作流权限**:强烈建议**仅授予读取仓库权限**。不建议授予写入和创建/批准拉取请求的权限,以避免滥用授予运行工作流的 GITHUB_TOKEN。
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
### Integrations
### 集成
_Let me know if you know the API endpoint to access this info!_
_如果你知道访问此信息的 API 端点,请告诉我!_
- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them).
- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them).
- **第三方应用访问策略**:建议限制对每个应用的访问,仅允许必要的应用(在审核后)。
- **已安装的 GitHub 应用**:建议仅允许必要的应用(在审核后)。
## Recon & Attacks abusing credentials
## 侦查与攻击滥用凭证
For this scenario we are going to suppose that you have obtained some access to a github account.
在此场景中,我们假设你已经获得了对一个 github 账户的某些访问权限。
### With User Credentials
### 使用用户凭证
If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
如果你以某种方式已经拥有组织内某个用户的凭证,你可以**直接登录**并检查你拥有的**企业和组织角色**,如果你是普通成员,检查普通成员拥有的**权限**、你所在的**组**、你对哪些**仓库**拥有的**权限**以及**这些仓库是如何保护的**
Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
请注意,**可能会使用 2FA**,因此你只能在能够**通过该检查**的情况下访问此信息。
> [!NOTE]
> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
> 请注意,如果你**设法窃取了 `user_session` cookie**(当前配置为 SameSite: Lax你可以**完全冒充用户**而无需凭证或 2FA
Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
请查看下面关于 [**分支保护绕过**](./#branch-protection-bypass) 的部分,以防有用。
### With User SSH Key
### 使用用户 SSH 密钥
Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to:
Github 允许**用户**设置**SSH 密钥**,作为**代表他们部署代码的身份验证方法**(不应用 2FA
使用此密钥,你可以对用户拥有某些权限的仓库进行**更改**,但是你不能使用它访问 github api 来枚举环境。然而,你可以**枚举本地设置**以获取有关你有访问权限的仓库和用户的信息:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
如果用户将其用户名配置为他的 github 用户名,您可以访问他帐户中设置的 **公钥**,网址为 _https://github.com/\<github_username>.keys_您可以检查此内容以确认您找到的私钥是否可以使用。
If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\<github_username>.keys_, you could check this to confirm the private key you found can be used.
**SSH 密钥** 也可以在存储库中设置为 **部署密钥**。任何拥有此密钥的人都将能够 **从存储库启动项目**。通常在具有不同部署密钥的服务器上,本地文件 **`~/.ssh/config`** 将提供与密钥相关的信息。
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
#### GPG 密钥
#### GPG Keys
As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
Check locally if the current user has any key with:
如 [**这里**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) 所述,有时需要签署提交,否则您可能会被发现。
在本地检查当前用户是否有任何密钥:
```shell
gpg --list-secret-keys --keyid-format=long
```
### 使用用户令牌
### With User Token
有关[**用户令牌的介绍,请查看基本信息**](basic-github-information.md#personal-access-tokens)。
For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
用户令牌可以用作**HTTPS下Git的密码**,或用于[**通过基本身份验证对API进行身份验证**](https://docs.github.com/v3/auth/#basic-authentication)。根据附加的权限,您可能能够执行不同的操作。
A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions.
用户令牌的格式如下:`ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
### 使用Oauth应用程序
### With Oauth Application
有关[**Github Oauth应用程序的介绍,请查看基本信息**](basic-github-information.md#oauth-applications)。
For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
攻击者可能创建一个**恶意Oauth应用程序**,以访问接受它们的用户的特权数据/操作,可能作为网络钓鱼活动的一部分。
An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
这些是[Oauth应用程序可以请求的范围](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)。在接受之前,应该始终检查请求的范围。
These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them.
此外,如基本信息中所述,**组织可以授予/拒绝第三方应用程序对与组织相关的信息/仓库/操作的访问**。
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
### 使用Github应用程序
### With Github Application
有关[**Github应用程序的介绍请查看基本信息**](basic-github-information.md#github-applications)。
For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
攻击者可能创建一个**恶意Github应用程序**,以访问接受它们的用户的特权数据/操作,可能作为网络钓鱼活动的一部分。
An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
此外,如基本信息中所述,**组织可以授予/拒绝第三方应用程序对与组织相关的信息/仓库/操作的访问**。
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
## 破坏与滥用Github Action
## Compromise & Abuse Github Action
There are several techniques to compromise and abuse a Github Action, check them here:
有几种技术可以破坏和滥用Github Action,请在此查看:
{{#ref}}
abusing-github-actions/
{{#endref}}
## Branch Protection Bypass
## 分支保护绕过
- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
- _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
- **Dismiss approvals when new commits are pushed**: If this isnt set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch.
- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**.
- When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.**
- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections.
- **Include administrators**: If this isnt set and you are admin of the repo, you can bypass this branch protections.
- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
- If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
- **要求一定数量的批准**如果您破坏了多个帐户您可能只需从其他帐户接受您的PR。如果您只有创建PR的帐户则无法接受自己的PR。但是如果您可以访问仓库中的**Github Action**环境,使用**GITHUB_TOKEN**,您可能能够**批准您的PR**并以这种方式获得1个批准。
- _注意对于此以及代码所有者限制通常用户无法批准自己的PR但如果您可以您可以利用它来接受您的PR。_
- **在推送新提交时撤销批准**:如果未设置此项,您可以提交合法代码,等待有人批准,然后放入恶意代码并将其合并到受保护的分支中。
- **要求代码所有者的审查**:如果此项已激活且您是代码所有者,您可以让**Github Action创建您的PR然后自己批准它**。
- **CODEOWNER文件配置错误**时Github不会抱怨但也不会使用它。因此如果配置错误**代码所有者保护将不适用。**
- **允许指定的参与者绕过拉取请求要求**:如果您是这些参与者之一,您可以绕过拉取请求保护。
- **包括管理员**:如果未设置此项且您是仓库的管理员,您可以绕过此分支保护。
- **PR劫持**:您可能能够**修改其他人的PR**添加恶意代码自己批准结果PR并合并所有内容。
- **移除分支保护**:如果您是**仓库的管理员,您可以禁用保护**合并您的PR并重新设置保护。
- **绕过推送保护**:如果一个仓库**仅允许某些用户**在分支中发送推送(合并代码)(分支保护可能保护所有分支,指定通配符`*`)。
- 如果您对仓库**具有写入访问权限,但由于分支保护不允许推送代码**,您仍然可以**创建一个新分支**,并在其中创建一个**在代码推送时触发的github action**。由于**分支保护在分支创建之前不会保护该分支**,因此对该分支的第一次代码推送将**执行github action**。
## Bypass Environments Protections
## 绕过环境保护
For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
有关[**Github环境的介绍请查看基本信息**](basic-github-information.md#git-environments)
In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
如果一个环境可以**从所有分支访问**,则**没有保护**,您可以轻松访问环境中的机密。请注意,您可能会发现某些仓库**所有分支都受到保护**(通过指定其名称或使用`*`),在这种情况下,**找到一个可以推送代码的分支**,您可以**通过创建新的github action或修改一个来提取**机密。
请注意,您可能会发现边缘情况,其中**所有分支都受到保护**(通过通配符`*`),并且指定了**谁可以向分支推送代码**_您可以在分支保护中指定_而**您的用户不被允许**。您仍然可以运行自定义github action因为您可以创建一个分支并在其上使用推送触发器。**分支保护允许推送到新分支因此github action将被触发**。
```yaml
push: # Run it when a push is made to a branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
```
注意,**在创建**分支后,**分支保护将适用于新分支**,您将无法修改它,但在那时您已经提取了秘密。
Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
## 持久性
## Persistence
- 生成**用户令牌**
- 从**秘密**中窃取**github令牌**
- **删除**工作流**结果**和**分支**
- 给**所有组织**更多权限
- 创建**webhooks**以提取信息
- 邀请**外部协作者**
- **移除****SIEM**使用的**webhooks**
- 创建/修改带有**后门**的**Github Action**
- 通过**秘密**值修改查找**易受攻击的Github Action以进行命令注入**
- Generate **user token**
- Steal **github tokens** from **secrets**
- **Deletion** of workflow **results** and **branches**
- Give **more permissions to all the org**
- Create **webhooks** to exfiltrate information
- Invite **outside collaborators**
- **Remove** **webhooks** used by the **SIEM**
- Create/modify **Github Action** with a **backdoor**
- Find **vulnerable Github Action to command injection** via **secret** value modification
### 冒名顶替提交 - 通过repo提交的后门
### Imposter Commits - Backdoor via repo commits
In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**.
Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
在Github中可以**从一个分叉创建一个PR到一个repo**。即使PR**未被接受**在原始repo中也会为代码的分叉版本创建一个**提交**id。因此攻击者**可以固定使用一个来自看似合法的repo的特定提交该提交并不是由repo的所有者创建的**。
像[**这个**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e)
```yaml
name: example
on: [push]
jobs:
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
```
For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
有关更多信息,请查看 [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}