Finding multiple SSRF with aws metadata access on A BANK system
My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing How I was able Find multiple SSRF with aws metadata access ON a BANK System and Get access to there production server.
SPECIAL COVID-19 Note:
Don’t go outside without any reason . Stay home be safe and also safe other. Special request to my fellow bug-bounty hunter Take care of your health and get vaccinated.
TOOLS used for the exploitation
1. Subfinder (https://github.com/projectdiscovery/subfinder)
2. httpx (https://github.com/projectdiscovery/httpx)
3. gau(Corben) — https://github.com/lc/gau
4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls.
Story Behind the bug:
This is the write of my compromising the bank production and get access to 100GB customer High profile data by SSRF and escalating it get their aws production server customer stored data.
There was no Responsive disclosure program or Bugbounty program but still i report 15 SSRF aws metadata access bug and Many other critical bug because of them the customer would have suffer if it have goes to some bad guys hand. The Bank don’t even said THANK YOU but I was HAPPY by reporting the bug. So, bugbounty is not always about money, it also about helping the company to secured them.
Here it goes:
Suppose we assume the target name is example.com , as there no Responsive disclosure program or Bug-bounty program So I started hunting on the Main Domain.
To gather all the subdomain from internet archives i have used subfinder , waybackurls tool and gau.
subfinder -d example.com silent
gau -subs example.com
So the chance of missing the subdomain still exist so in-order to be ahead of the game I don’t want to miss any subdomain for testing so I used subfinder and pipe to waybackurls to get all the domain for all the subdomain if exist and save it to a file.
So the final command will look like this:
So in order to expand by target scope I decide to gather all subdomain and url endpoint for target.
gau -subs example.com | grep “=”>> vul1.txt
waybackurls example.com |grep “=” >> vul2.txt
subfinder -d example.com -silent | gau -subs | grep “=” >> vul3.txt
Now collecting all subdomain in one and sorting out the duplicates
cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt
NOW the actual SSRF hunting start:
Will Playing around main domain for couple hours with my burp I came across an endpoint “getTaxinvoice.jsp” which got my attention As it was used for tax invoice data. But While going through the main app i came to know that it was used by many other function like product tax invoice and sell tax invoice.
Its gave me the feeling that one or more function using the endpoint “getTaxinvoice.jsp” for the tax invoice data. So started fuzzing for the vulnerable paramter to get SSRF but no success . As i was Aware that it can used for other function, So i collect all the url from waybackurl and internet archive .
Now , I have all the url with endpoint from the waybackurl machine and gau and internet archive. So, I used my bash skill to collect all the endpoint from the unique_sub.txt.
cat unique_sub.txt | sed ‘s/^.*.com//’ | sed ‘s/?.*//’ >> endpoint_path.txt
So, above command will remove target.com and anything after “?” like below as flow
Now Once i have the all the endpoint now I append the endpoint with “getTaxinvoice.jsp” using the bash.
cat endpoint_path.txt | sed ‘s/$/\/getTaxinvoice.jsp/’
Now I have added the “getTaxinvoice.jsp” to all the endpoint path now i will the use my Magic parameter sparing tricks to find the vulnerable SSRF parameter.
xargs -a /root/magicparameter/ssrf.txt -I@ bash -c ‘for url in $(cat endpoint_path.txt | sed “s/$/\/getTaxinvoice.jsp/”); do echo “http://$url?@=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data/hostname”;done’ | httpx -silent -status-code -content-length -extract-regex “compute.internal”
I Finally got 6 more SSRF by same path on different subdomain using same endpoint and path.
After that was able to to extract the AWS access key and secret . And using those aws key and secret I was able to using the production server metadata where i can see the customer data for the BANK.
Reporting them was very hard as there was no email or any security disclosure program or no any bug-bounty. Finally the got their security team email I quickly reported the bug and in the next day got a call from their Security TEAM head that They will work on fixing it.
After seeing this my reaction …
I’m sure that a lot of security researcher had already see there process but this how I approach for Finding an endpoint and automating with to finding multiple vulnerable targets.
So Bug-bounty is not always about money, It is also about doing good to the society by help company to Fix the bug. Though the BANK don’t even said a thank you But there as My success that I have help them to secured their infrastructure.
That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.
Thanks for reading :)
Santosh Kumar Sha — Security Researcher — Bugcrowd | LinkedIn
View Santosh Kumar Sha’s profile on LinkedIn, the world’s largest professional community. Santosh Kumar has 2 jobs…