近期 5h3rl0ck 老哥发现并成功利用了 Microsoft 的一款 AI 产品的SSRF(服务器端请求伪造)漏洞,产品为Microsoft Designer。
{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('elhabtiesoufiane%40gmail.com')/drive/special('approot')/children","@odata.count": 33,"@odata.nextLink": "https://graph.microsoft.com/v1.0/me/drive/special/approot:/My%20stuff:/children?expand=thumbnails(select%3dmedium)&top=9&orderby=lastModifiedDateTime+desc&select=id%2cname%2ccreatedDateTime%2clastModifiedDateTime%2cthumbnails%2cfile%2cimage%2c%40microsoft.graph.downloadUrl&$skiptoken=Mjg","value": [{"@microsoft.graph.downloadUrl": "https://public.am.files.1drv.com/y4mKouM8V3c8qPmNuxA6Xuar9ZLAjp5mc_nmElgmPbykqyEx6fA2fIOqOt9JmGK9T7wrPrpGIFl6thL91UYUXJeYAjkoJ29DLcrxIJtjk3XjCK8XSi2rkNL_MN9gSl8jgukYpYIR7H2tPIbSWswzXmxbxgo6dOg3q5FfTbPFAMvlvzNuUzfyIp8aVBL0e4PkG5Z7NXkOJ3S0_3wzzvo2UBH90XlTf5n97OBLcTNLz5fTjo","id": null,"name": "check 9.jpg","createdDateTime": "2023-08-29T17:44:24.92Z","lastModifiedDateTime": "2023-08-29T18:07:58.943Z","file": {"mimeType": "image/jpeg","hashes": {"quickXorHash": "htg9DiY+4UVg4Utg7VVVLudD968=","sha1Hash": "77C14952BFA9BBC809B6267C88385B6C428EFABA","sha256Hash": "7225D72CBB652B45E5883BEB794BC5BB3F7B024CF5E6BAED24F243EEAB988918"}},"image": {"height": 800,"width": 800},"[email protected]": "https://graph.microsoft.com/v1.0/$metadata#users('elhabtiesoufiane%40gmail.com')/drive/special('approot')/children('FE1AD29AF25F99C0%2119434')/thumbnails","thumbnails": [{"medium": {"height": 176,"url": "SOME ONEDRIVE URL"}}]}]}
最后我们测试这个ssrf demo,通过内部 IP 访问了 Microsoft Designer的本地图像内容,并且还从元数据 url 请求服务器实例信息:
原文始发于微信公众号(军机故阁):Microsoft Designer AI SSRF漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论