An SSRF vulnerability in the Zhihu main site allows probing the intranet
I came across this question, https://www.zhihu.com/question/38548957/answer/77482000, and answered it.
It is actually rather interesting: I answered the asker's question using a real vulnerability. Is intranet security really not important? With this vulnerability I can probe and reach an enterprise's intranet, and if an intranet application has a vulnerability of its own, an attacker may get into the intranet through it.
When you write an answer on Zhihu, a URL you enter is automatically replaced with the title of the linked page. For example, entering http://wooyun.org/ becomes:
Clearly the server fetches the URL on the back end.
Capturing the traffic shows that the fetch goes through the endpoint http://www.zhihu.com/scraper:
If the target of that fetch is not properly restricted, this is an SSRF vulnerability: the request can be pointed at intranet addresses, or at addresses that only internal staff can reach, and the response leaks sensitive information.
Because I could not find the intranet CIDR block, I use 127.0.0.1 as an example. www.127.0.0.1.xip.io resolves to 127.0.0.1, and the request shows that the GET succeeds:
This includes URLs that I normally cannot reach, such as https://status.zhihu.com/login
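The bypass above works because a blocklist that looks only at the hostname string never sees the loopback address that wildcard DNS hands back. The following is an added example, not code from the report or from Zhihu: it contrasts a hostname-string check (the kind the scraper appears to use) with a resolve-then-vet check that inspects every address the name resolves to. The DNS table, the function names and the placeholder addresses are all assumptions constructed for the example so that it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table standing in for a real resolver (socket.getaddrinfo).
# The xip.io entry mirrors the wildcard behaviour the report relies on; the
# other names and addresses are placeholders, not real infrastructure.
FAKE_DNS = {
    "wooyun.org": ["1.2.3.4"],                       # placeholder public address
    "www.127.0.0.1.xip.io": ["127.0.0.1"],           # wildcard DNS echoes the embedded IP
    "status.internal.example": ["10.20.30.40"],      # hypothetical intranet-only service
    "mixed.example": ["1.2.3.4", "192.168.1.1"],     # one public and one private answer
}


def resolve(host):
    """Return the IPv4 addresses for host from the constructed table."""
    return FAKE_DNS.get(host, [])


def naive_allows(url):
    """Hostname-string blocklist as a scraper might implement it.

    Bypassed by any name that resolves to loopback/private space,
    e.g. www.127.0.0.1.xip.io.
    """
    host = urlsplit(url).hostname or ""
    blocked = {"localhost", "127.0.0.1"}
    return host not in blocked


def is_internal(ip):
    """True for loopback, RFC 1918, link-local, CGNAT, reserved or multicast addresses."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast


def hardened_target(url):
    """Resolve first, vet every returned address, and return the one IP to connect to.

    Returns None when the URL must be refused. The caller must connect to the
    returned IP (sending the original hostname in the Host header) rather than
    resolving again, otherwise a rebinding resolver can swap in an internal
    address between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    addrs = resolve(parts.hostname)
    if not addrs:
        return None
    # Reject the whole name if any answer is internal: a resolver may return
    # the public address first and the private one on the next lookup.
    if any(is_internal(ip) for ip in addrs):
        return None
    return addrs[0]


if __name__ == "__main__":
    for u in ("http://wooyun.org/", "http://www.127.0.0.1.xip.io/",
              "http://status.internal.example/login", "http://mixed.example/"):
        print(u, "naive:", naive_allows(u), "hardened:", hardened_target(u))
```

Two caveats the check alone does not cover: the fetcher must not follow HTTP redirects blindly (each hop needs the same vetting, since an allowed public host can 302 to http://127.0.0.1/), and when an outbound fetch is unavoidable it should run from a network segment that has no route to the intranet, so that a logic slip in the check does not become intranet access.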