From a leaked cloud-host AccessKey to a graphical tool: a worked example


This article walks through a worked example that starts from a leaked cloud-host AccessKey and ends with the development of a graphical tool. During routine penetration tests we frequently come across information leaks that expose ALIYUN_ACCESSKEYID and ALIYUN_ACCESSKEYSECRET (an Alibaba Cloud API key pair), especially in the debug output of the Laravel framework; mobile apps leak these values as well. What can the Alibaba Cloud API do? The official description: with Elastic Compute Service (ECS) you can call the API to manage your cloud resources and build your own applications. The ECS API supports HTTP or HTTPS as the request protocol and allows the GET and POST methods. You can call the ECS API in the ways shown below; for details see the official Alibaba Cloud API documentation: https://help.aliyun.com/document_detail/25484.html?spm=a2c4g.11186623.6.1276.12244f88jytZ8c
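The leak pattern described above (an AccessKey ID and secret showing up in Laravel debug output or in an app's bundled configuration) is something a defender can catch before anyone else does. The scanner below is an added example written for this page; it is not code from the original article or from Alibaba Cloud. It looks for the two environment-variable names the article mentions and, as a heuristic assumption, for the `LTAI` prefix that Alibaba Cloud AccessKey IDs carry, reports every hit with the value redacted, and rates a dump that contains both halves of the pair as critical. The sample input is constructed.

```python
import re

# Variable names the article identifies as the usual leak
KEY_ID_VAR = "ALIYUN_ACCESSKEYID"
KEY_SECRET_VAR = "ALIYUN_ACCESSKEYSECRET"

# NAME=value / NAME: value, optionally quoted; the value length range is a heuristic assumption
ASSIGNMENT = re.compile(
    r'(?P<name>ALIYUN_ACCESSKEY(?:ID|SECRET))\s*[=:]\s*["\']?(?P<value>[A-Za-z0-9]{8,64})'
)
# Assumption: Alibaba Cloud AccessKey IDs start with "LTAI"; this catches IDs leaked under other names
KEY_ID_FORMAT = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")


def redact(value):
    """Keep just enough of the value to recognise it in a ticket, never the whole credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(text):
    """Return one finding per leaked credential: line number, kind and a redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported via a named assignment
        for m in ASSIGNMENT.finditer(line):
            kind = "access_key_id" if m.group("name") == KEY_ID_VAR else "access_key_secret"
            findings.append({"line": lineno, "kind": kind, "variable": m.group("name"),
                             "value": redact(m.group("value"))})
            covered.append(m.span("value"))
        for m in KEY_ID_FORMAT.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue  # same value, already reported above
            findings.append({"line": lineno, "kind": "access_key_id_format", "variable": None,
                             "value": redact(m.group(0))})
    return findings


def severity(findings):
    """An ID alone is bad; ID plus secret in one dump is a usable credential pair."""
    kinds = {f["kind"] for f in findings}
    has_id = bool(kinds & {"access_key_id", "access_key_id_format"})
    has_secret = "access_key_secret" in kinds
    if has_id and has_secret:
        return "critical"
    if has_id or has_secret:
        return "high"
    return "none"


# Constructed sample: the shape of a Laravel debug page's environment dump followed by a
# JSON fragment of the kind found inside an app package. None of these are real credentials.
SAMPLE_LEAK = """\
Environment Variables (constructed sample)
APP_DEBUG=true
ALIYUN_ACCESSKEYID=LTAI4Example0123456789AB
ALIYUN_ACCESSKEYSECRET=Abcdefghijklmnopqrstuvwxyz0123
DB_PASSWORD=notacloudkey
"accessKeyId": "LTAI5tExampleConstructed1"
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_LEAK)
    for finding in results:
        print(finding)
    print("severity:", severity(results))
```

Run it over a saved copy of a debug page, a decompiled app's assets, or a CI checkout; the redaction means the report itself can be attached to a ticket without re-leaking the key.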
SDK download: https://github.com/aliyun/aliyun-openapi-python-sdk
Installing with pip:

```shell
# Install the core library
pip install aliyun-python-sdk-core
# Install the ECS management library
pip install aliyun-python-sdk-ecs
# Install the RDS management library
pip install aliyun-python-sdk-rds
```

Querying ECS instances:

```python
#!/usr/bin/env python
# coding=utf-8
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkecs.request.v20140526.DescribeInstancesRequest import DescribeInstancesRequest

# The original passes the key pair as empty strings; the placeholders stand for the AccessKey ID,
# the AccessKey secret and the region ID
client = AcsClient('<ACCESS_KEY_ID>', '<ACCESS_KEY_SECRET>', 'cn-hangzhou')

request = DescribeInstancesRequest()
request.set_accept_format('json')
try:
    response = client.do_action_with_exception(request)
except (ClientException, ServerException) as exc:
    raise SystemExit(exc)
# python2: print(response)
print(str(response, encoding='utf-8'))
```

Creating a command:

```python
#!/usr/bin/env python
# coding=utf-8
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkecs.request.v20140526.CreateCommandRequest import CreateCommandRequest

client = AcsClient('<ACCESS_KEY_ID>', '<ACCESS_KEY_SECRET>', 'cn-hangzhou')

# The original sets no request parameters; the fields CreateCommand requires are described in the
# API documentation linked in the introduction
request = CreateCommandRequest()
request.set_accept_format('json')
try:
    response = client.do_action_with_exception(request)
except (ClientException, ServerException) as exc:
    raise SystemExit(exc)
# python2: print(response)
print(str(response, encoding='utf-8'))
```

This returns a Cloud Assistant command ID. The result:

```json
{"RequestId": "E69EF3CC-94CD-42E7-8926-F133B86387C0", "CommandId": "c-7d2a745b412b4601b2d47f6a768d3a14"}
```

Invoking the command:

```python
#!/usr/bin/env python
# coding=utf-8
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkecs.request.v20140526.InvokeCommandRequest import InvokeCommandRequest

client = AcsClient('<ACCESS_KEY_ID>', '<ACCESS_KEY_SECRET>', 'cn-hangzhou')

# The original sets no request parameters; the command ID returned by CreateCommand and the target
# instance ID are required, see the API documentation
request = InvokeCommandRequest()
request.set_accept_format('json')
try:
    response = client.do_action_with_exception(request)
except (ClientException, ServerException) as exc:
    raise SystemExit(exc)
# python2: print(response)
print(str(response, encoding='utf-8'))
```

```json
{"RequestId": "E69EF3CC-94CD-42E7-8926-F133B86387C0", "InvokeId": "t-7d2a745b412b4601b2d47f6a768d3a14"}
```

The security-group part is omitted. Following the API documentation, first the common request parameters (name, type, required, description):

Action (String, required): the name of the API. For values see the API overview.
AccessKeyId (String, required): the access key ID. The AccessKey is used to call the API, whereas the user password is used to log in to the ECS console.
Signature (String, required): your signature. See the signature mechanism.
SignatureMethod (String, required): the signing method. Value: HMAC-SHA1.
SignatureVersion (String, required): the signature algorithm version. Value: 1.0.
SignatureNonce (String, required): a unique random value for the signature, used to prevent network replay attacks; use a different random value for every request.
Timestamp (String, required): the request timestamp in ISO 8601 form, in UTC, formatted yyyy-MM-ddTHH:mm:ssZ. Example: 2018-01-01T12:00:00Z denotes 20:00:00 Beijing time on 1 January 2018.
Version (String, required): the API version number in YYYY-MM-DD format. Value: 2014-05-26.
Format (String, optional): the format of the returned parameters. Range: json, xml. Default: xml.
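The parameter table names the signature mechanism without showing it. The following added example (written for this page; not code from the article or from the official SDK) implements the RPC-style signing that the Alibaba Cloud documentation specifies for SignatureVersion 1.0: parameters are sorted by name, percent-encoded and joined; the string to sign is `METHOD&%2F&<encoded query string>`; the signature is Base64(HMAC-SHA1) keyed with `AccessKeySecret + "&"`. It goes one step beyond the table by also modelling the checks a receiving side performs on these parameters, namely signature verification, a Timestamp freshness window and SignatureNonce uniqueness against replay. The 15-minute window and all key values (`testid`, `testsecret`, the nonce) are assumptions made for this example, not values from the page.

```python
import base64
import hashlib
import hmac
import urllib.parse
import uuid
from datetime import datetime, timezone

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC form required by the Timestamp parameter


def percent_encode(value):
    """RFC 3986 encoding as the signature mechanism requires: only A-Z a-z 0-9 - _ . ~ stay
    literal; a space becomes %20 and '*' becomes %2A."""
    return urllib.parse.quote(str(value), safe="-_.~")


def canonicalized_query_string(params):
    """Sort by parameter name, encode names and values, join with '=' and '&'. Signature is excluded."""
    return "&".join(
        f"{percent_encode(k)}={percent_encode(v)}"
        for k, v in sorted(params.items()) if k != "Signature"
    )


def string_to_sign(method, params):
    """HTTPMethod & percentEncode('/') & percentEncode(canonicalized query string)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query_string(params))}"


def sign(method, params, access_key_secret):
    """Base64(HMAC-SHA1(AccessKeySecret + '&', StringToSign)), i.e. SignatureVersion 1.0."""
    key = (access_key_secret + "&").encode("utf-8")
    digest = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_params(access_key_id, access_key_secret, action, extra=None,
                        method="GET", nonce=None, timestamp=None):
    """Assemble the common request parameters from the table plus action-specific ones, then sign."""
    params = {
        "Action": action,
        "AccessKeyId": access_key_id,
        "Format": "JSON",
        "Version": "2014-05-26",
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),  # fresh random value per request
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime(TIME_FORMAT),
    }
    params.update(extra or {})
    params["Signature"] = sign(method, params, access_key_secret)
    return params


def to_query_string(params):
    """Serialise to the wire form used in the GET URL / POST body."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in params.items())


def verify_request(method, params, access_key_secret, seen_nonces, now=None, max_skew_seconds=900):
    """Receiving-side checks: signature, Timestamp freshness, SignatureNonce uniqueness.
    `now` is an ISO 8601 UTC string like the Timestamp parameter (defaults to the clock).
    The 15-minute window is an assumption for this example, not a value stated on the page."""
    presented = params.get("Signature")
    if not presented:
        return False
    expected = sign(method, params, access_key_secret)  # canonicalization skips "Signature"
    if not hmac.compare_digest(expected, presented):
        return False  # wrong secret, wrong method, or a tampered parameter
    try:
        sent = datetime.strptime(params["Timestamp"], TIME_FORMAT)
        current = (datetime.strptime(now, TIME_FORMAT) if now
                   else datetime.now(timezone.utc).replace(tzinfo=None))
    except (KeyError, ValueError):
        return False
    if abs((current - sent).total_seconds()) > max_skew_seconds:
        return False  # stale or future-dated request
    nonce = params.get("SignatureNonce")
    if not nonce or nonce in seen_nonces:
        return False  # missing nonce, or an exact replay of an earlier request
    seen_nonces.add(nonce)
    return True


# Sample values constructed for this example; not real credentials
SAMPLE_PARAMS = {
    "AccessKeyId": "testid", "Action": "DescribeRegions", "Format": "XML",
    "SignatureMethod": "HMAC-SHA1", "SignatureNonce": "3ee8c1b8-83d3-44af-a94f-4e0ad82fd6cf",
    "SignatureVersion": "1.0", "Timestamp": "2016-02-23T12:46:24Z", "Version": "2014-05-26",
}

if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_PARAMS))
    signed = build_signed_params("testid", "testsecret", "DescribeInstanceStatus",
                                 {"RegionId": "cn-hangzhou", "PageSize": "1"},
                                 nonce="demo-nonce", timestamp="2018-01-01T12:00:00Z")
    print(to_query_string(signed))
    print(verify_request("GET", signed, "testsecret", set(), now="2018-01-01T12:05:00Z"))
```

The nonce and timestamp checks are why a captured request cannot simply be resent, which is the replay protection the table refers to; they do nothing against a leaked secret, since whoever holds the secret can mint fresh signatures, so rotation of the key is the only remedy for the leak the article describes.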
2.1 GET request

https://ecs.aliyuncs.com/?Action=DescribeInstanceStatus&RegionId=cn-hangzhou&PageSize=1&PageNumber=1&InstanceId.1=i-bp1j4i2jdf3owlhe****&

XML response format:

```xml
<DescribeInstanceStatusResponse>
    <PageNumber>1</PageNumber>
    <InstanceStatuses>
        <InstanceStatus>
            <Status>Running</Status>
            <InstanceId>i-bp1j4i2jdf3owlhe****</InstanceId>
        </InstanceStatus>
    </InstanceStatuses>
    <TotalCount>58</TotalCount>
    <PageSize>1</PageSize>
    <RequestId>746C3444-9A24-4D7D-B8A8-DCBF7AC8BD66</RequestId>
</DescribeInstanceStatusResponse>
```

JSON response format:

```json
{
    "PageNumber": 1,
    "InstanceStatuses": {
        "InstanceStatus": [
            {
                "Status": "Running",
                "InstanceId": "i-bp1j4i2jdf3owlhe****"
            }
        ]
    },
    "TotalCount": 58,
    "PageSize": 1,
    "RequestId": "746C3444-9A24-4D7D-B8A8-DCBF7AC8BD66"
}
```

2.2 POST request

```http
POST / HTTP/1.1
Host: ecs.aliyuncs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Action=DescribeInstanceStatus&RegionId=cn-hangzhou&PageSize=1&PageNumber=1&InstanceId.1=i-bp1j4i2jdf3owlhe****&
```

The response is the same as for the GET method. The graphical interface needs no further explanation; the attached screenshot should make it clear.
