Sleepy Dragon · 2013/06/28 16:25

0x00 A starting point


What do you think of when you see a parameter whose value is a URL?

Going by the cases reported on WooYun, the possible harm falls into three categories:

1. URL redirection vulnerability.
2. The underlying library supports other protocols, allowing local files to be read or network information to be probed.
3. No other protocols are supported, but no network boundary is set.

0x01 Details


URL redirection (the redirect case)

A primer on URL redirect vulnerabilities was published earlier at drops.wooyun.org/papers/58.

Places where URL redirect filtering is commonly not strict:

1. Under a whitelisted domain there may be another 302 redirect vulnerability, which can be chained to bypass the whitelist.
2. The check only asks whether the string contains the whitelisted domain name; this can be bypassed with http://www.attack.com/test.com/index.php or http://www.test.com.attack.com/index.php.
3. The backend and the browser parse the host differently, so http://www.attack.com\test.com/index.php can bypass the check. If the backend simply takes everything up to the first "/", it sees the host as www.attack.com\test.com (PHP's parse_url, for example, returns exactly that as the host), which ends in the whitelisted name, while the browser treats the backslash as a path separator and goes to www.attack.com.

The underlying library supports other protocols, leading to local file reads or network probing

Examples from Wooyun:

WooYun: Micro blog – micro collection of multiple arbitrary file reading vulnerabilities

WooYun: Renren has a lot of security flaws in its ability to share web pages

Because the backend has to output the content of the fetched address, it uses the curl library, which supports other protocols. Without any filtering, the file:// protocol can be used to read local files, and telnet:// can be used to probe port information.

http://share.renren.com/parse_share.do?link=file:///etc/passwd
http://share.renren.com/parse_share.do?link=file:///etc/sysconfig/
http://mark.appsina.com/read.php?sid=2247&type=0&url=telnet://221.179.193.1&pos=1&from=0&gsid=3_5bc7d139d8527229d2df38b6765c6b91b8428eda66bd8c1e61b5df&vt=2

No other protocols are supported, but no network boundary is set

Examples from Wooyun:

WooYun: How do I navigate Tencent’s internal network

WooYun: How do I navigate Sogou and Sohu’s internal networks

Both of these reports are already public to core white hats and have been fixed by the vendors; they serve here as examples.

When you control the URL but only the HTTP protocol is allowed, what else can be done?

Try accessing the intranet:

http://wap.sogou.com/tc?url=http%3A%2F%2Fno.sohu.com%2F

You can use a subdomain brute-forcing tool to find intranet domain names, then try to access them through the function and see whether it succeeds.

0x02 Remediation


Add a validity token

Guarantee that every generated link comes from our trusted domains: attach a token the user cannot control to each generated link and verify it, so users cannot construct their own malicious links and abuse the function. If the function itself needs to be fairly open, however, this approach imposes some restrictions.

Set a strict whitelist and network boundaries

When the function needs to be fairly open, the protocol and the reachable network must be strictly limited.