AWS - RDS Unauthenticated Enum

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

RDS

更多信息请查看:

AWS - Relational Database (RDS) Enum

公共端口

可以将数据库从互联网公开访问。攻击者仍然需要**知道用户名和密码,**IAM 访问,或一个 exploit 来进入数据库。

公开的 RDS 快照

AWS 允许授予任何人下载 RDS snapshots 的访问权限。你可以非常容易地从你自己的账户列出这些公开的 RDS snapshots:

# Public RDS snapshots
aws rds describe-db-snapshots --include-public

## Search by account ID
aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]'
## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted)
## To share a RDS encrypted snapshot you need to share the KMS key also with the account


# From the own account you can check if there is any public snapshot with:
aws rds describe-db-snapshots --snapshot-type public [--region us-west-2]
## Even if in the console appear as there are public snapshot it might be public
## snapshots from other accounts used by the current account

公开的 RDS Cluster Snapshots

类似地,你可以查找集群快照

# Public RDS cluster snapshots
aws rds describe-db-cluster-snapshots --include-public

## Search by account ID
aws rds describe-db-cluster-snapshots --include-public --query 'DBClusterSnapshots[?contains(DBClusterSnapshotIdentifier, `284546856933:`) == `true`]'

# From the own account you can check if there is any public cluster snapshot with:
aws rds describe-db-cluster-snapshots --snapshot-type public [--region us-west-2]

公共 URL 模板

mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306
postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks