0. Background:

A few days ago I received a two-week penetration test assignment for a foreign target (a company).

The target is a company providing a cloud services platform similar to Alibaba Cloud in China.

After routine information gathering, three days of attempts went nowhere… So before leaving work I brought out my trump card, Such.py: a script that stitches several good scanners together, with one-click multi-threaded batch scanning in XRAY, automatic task creation in AWVS, automatic task creation in ARL, and more. I added the assets and went home.

The next day I looked at the scan results and my heart sank: damn, this is bad…

The scanners found no vulnerabilities, and Goby showed only two open ports, 80 and 443, across all assets.

No panic. Nothing serious, there is still plenty of time; the next thing to do is to sort out my approach and start again.

While re-sorting the assets collected earlier, I found an interesting 404 page on a subdomain of the target:

NoSuchBucket + BucketName

Recalling the Alibaba Cloud bucket hijacking issue, happiness arrived all at once.

1. The process:

Log in to the cloud platform with the test account and attempt the hijack:

1. Click Object Storage Service:

2. Click Create Bucket:

3. Set BucketName to the bucket name shown on the 404 page:

4. Change the access control permission to public read/write:

5. Open the bucket and create hack.txt:

6. Refresh 321.asd.com; it now looks like this:

The BucketName field is gone, and NoSuchBucket has become NoSuchCustomDomain.

7. NoSuchCustomDomain? Then let's set one up: go to Domain Management and try to bind the domain:

8. Access 321.asd.com/:

9. Visit 321.asd.com/hack.txt (the hack.txt we just uploaded):

(Uploading images, HTML and other file types can be tried later.)


Hijacking succeeded. Got it!

2. The result:

  1. After the bucket is deleted, 321.asd.com/ shows the BucketName field again:

Vulnerability: the bucket can be hijacked and made anonymously readable. An attacker could host a defacement page or serve malicious JS files under the target's domain to steal user information…
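To turn this finding into a defender-side check, here is an added example (not the author's Such.py or any code from the post) that classifies the error page a hostname returns: NoSuchBucket with a BucketName is flagged as a dangling binding, and NoSuchCustomDomain as a bucket that should be verified. It assumes an S3/OSS-compatible XML error body and uses constructed sample responses.

```python
# Added example (not from the post). Assumes S3/OSS-style XML error bodies;
# all hostnames and responses below are constructed samples.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Finding:
    host: str
    code: Optional[str]
    bucket: Optional[str]
    risk: str

def parse_error_body(body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (Code, BucketName) from an S3/OSS-style XML error page."""
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None, None
    if root.tag != "Error":
        return None, None
    return root.findtext("Code"), root.findtext("BucketName")

def classify(host: str, status: int, body: str) -> Finding:
    """Rate a hostname by the error its storage endpoint returns for it."""
    code, bucket = parse_error_body(body)
    if status == 404 and code == "NoSuchBucket" and bucket:
        # DNS still points at the storage endpoint but the bucket is gone, so
        # anyone who creates that bucket name and binds the domain controls the
        # content. Fix: remove the DNS record or recreate the bucket yourself.
        risk = "HIGH"
    elif code == "NoSuchCustomDomain":
        # Bucket exists but the domain is not bound; confirm the bucket is yours.
        risk = "MEDIUM"
    else:
        risk = "none"
    return Finding(host, code, bucket, risk)

# Constructed sample responses keyed by hostname: (HTTP status, body).
SAMPLES = {
    "321.asd.com": (404, '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code>'
                         '<BucketName>321-asd-static</BucketName></Error>'),
    "cdn.example.com": (404, "<Error><Code>NoSuchCustomDomain</Code></Error>"),
    "www.example.com": (200, "<html><body>ok</body></html>"),
}

def scan(samples=SAMPLES):
    """Return findings for hosts whose risk is not 'none'."""
    return [f for f in (classify(h, s, b) for h, (s, b) in samples.items())
            if f.risk != "none"]
```

To use it on your own asset list, fetch each hostname and pass the HTTP status and body to classify(); any HIGH finding means the stale DNS record should be removed or the bucket recreated under your own account.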


  2. We still have a few days left. Keep working on it (or rather, keep slacking off). Penetration testing requires patience and focus.