Missing restrictions on Renren's share function can cause intranet information leakage and arbitrary file reading on the main site.

Share function on the Renren homepage: share "127.0.0.1". The following message is displayed: "Your browser does not support JavaScript. This will prevent you from using Renren normally. Click here to learn how to adjust your browser. ......"

It can be concluded that:
1. 127.0.0.1 can be entered for sharing, and the share succeeds.
2. The link preview function is presumably implemented on the backend with the curl library or something similar: the response content is fetched and then fed back to the user. Because the fetcher is not a browser, JavaScript is not supported, and the content of the <noscript> tag is what comes back.

This yields an intranet information leakage vulnerability: share an intranet IP address, and if that address serves a web service, its content may leak through the link preview. Since the intranet IP range is wide, we implemented a "scanner" in JS to scan it (code omitted). The results are as follows:
To avoid further information leakage, the IP addresses in the figure have been masked, but from the 172.21 and 172.18 prefixes it can be confirmed that they are indeed intranet addresses.

Taking the idea further:
1. The intranet may contain important web systems without any authentication. Pick an IP and submit http://172.xx.xx.xx/admin.do, http://172.xx.xx.xx:8080, etc. to test whether information leaks. For example, in the case above, submitting http://172.18.xx.xx/web/device/login?Lang=1 returned information identifying an H3C web interface. If that web interface has an authentication bypass or other vulnerabilities, more information will be leaked.

Arbitrary file reading on the main site: we have guessed that the backend calls the curl library or a similar method to implement link preview. curl supports multiple protocols, not just HTTP and HTTPS, for example FTP. The Renren link preview hands the URL to the backend with no restriction on the protocol, so intranet anonymous FTP can also be tested by constructing ftp://www.2cto.com. However, that is not the focus: curl also supports the local file protocol file://, with the result shown in the screenshot (output beginning with "root").

Repair suggestions:
1. The URL must not be an intranet address.
2. The URL may only be http or https.
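A URL validator that implements the two repair suggestions, added here as an example (this is not Renren's code). It resolves the host and rejects any address that is not public, so the 127.0.0.1 and 172.x cases and the ftp:// and file:// schemes from the writeup are all refused; the stub resolver and sample IPs are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list for a link-preview fetcher (repair suggestion 2).
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every address (as strings) a host maps to; an IP literal maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal, fall through to DNS
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_internal(ip_str):
    """True for loopback, RFC 1918, link-local, unspecified and other non-public ranges."""
    addr = ipaddress.ip_address(ip_str)
    return (not addr.is_global) or addr.is_multicast or addr.is_reserved


def check_preview_url(url, resolver=resolve_all):
    """Validate a user-supplied share URL before the backend fetches it.

    Returns (ok, reason). Rejects non-http(s) schemes (closing ftp:// and file://)
    and any host with at least one internal address (repair suggestion 1).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if is_internal(ip):
            return False, "host resolves to internal address %s" % ip
    # Caveat: the fetcher must re-run this check on every redirect target and should
    # connect to the address validated here; a DNS answer that changes between the
    # check and the fetch (rebinding) would otherwise reopen the hole.
    return True, "ok"
```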