Facebook Internal IP Disclosure - SSRF on Facebook

During subdomain enumeration, I found a subdomain: https://esbmbltest.thefacebook.com/

At first sight it did not appear to be hosting anything.

Crawling the application, I found that it was running "Oracle WebLogic UDDI Explorer".

Crawling the application or running dirb against it reveals the /uddiexplorer/ directory.
Among its functions is an option to search a private registry.
The UDDI Directory Explorer allows authorized users to publish Web services in private WebLogic Server UDDI registries and to modify information for previously published Web services.

I was not an authorized user. However, to fetch the details of a private registry, the application sends a query to an internal system/server, and the address of that internal server was disclosed in the HTTP response headers: 192.168.1.103:8080.
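The finding above comes down to one repeatable check: does a response from an Internet-facing host contain an address from an internal range? The script below is an added example (not part of the original post) that scans a raw HTTP response, headers and body alike, for IPv4 addresses in the RFC 1918, RFC 6598 shared, link-local and loopback ranges. The sample response is constructed for illustration; the post does not say which header carried the address, so the Location header here is an assumption.

```python
import ipaddress
import re
from typing import List, Tuple

# Ranges that should never appear in a response served to the Internet.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
        "100.64.0.0/10",                                  # RFC 6598 shared address space
        "169.254.0.0/16",                                 # link-local
        "127.0.0.0/8",                                    # loopback
    )
]

# Dotted quad with an optional :port. The lookbehind keeps "1.2.3.4.5" from
# yielding a second match starting at "2.3.4.5"; the lookahead stops "10.0.0.51"
# from matching as "10.0.0.5" plus a stray digit.
_IPV4_PORT = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?!\d)")


def is_internal(addr: str) -> bool:
    """True if addr parses as IPv4/IPv6 and falls in one of INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # e.g. "999.1.1.1" or a version string that looked like an IP
    return any(ip in net for net in INTERNAL_NETWORKS)


def split_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw HTTP response into ([(header, value), ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers, body


def find_internal_addresses(raw: str) -> List[Tuple[str, str]]:
    """Return (location, host[:port]) for every internal address in the response.

    location is "header:<Name>" for a header value or "body" for the entity body.
    """
    headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        for m in _IPV4_PORT.finditer(value):
            if is_internal(m.group(1)):
                findings.append((f"header:{name}", m.group(0)))
    for m in _IPV4_PORT.finditer(body):
        if is_internal(m.group(1)):
            findings.append(("body", m.group(0)))
    return findings


# Constructed sample response: the internal host from the post appears in a
# redirect header (assumed) and in the body; 203.0.113.7 is a public TEST-NET
# address and must not be reported.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://192.168.1.103:8080/uddiexplorer/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Querying registry at 192.168.1.103:8080 ... "
    "public mirror 203.0.113.7</body></html>\r\n"
)

if __name__ == "__main__":
    for where, addr in find_internal_addresses(SAMPLE_RESPONSE):
        print(f"internal address leaked in {where}: {addr}")
```

Feed it the raw bytes captured by a proxy or `curl -i` for each response from a discovered endpoint; anything it reports is worth a second look, because an internal host that the application contacts on the user's behalf is also the starting point for server-side request forgery testing.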

This information can help an attacker identify other vulnerabilities, or assist in exploiting vulnerabilities already identified; beyond that, it discloses the IP addressing scheme of Facebook's internal network.

However, Facebook replied:
"The leak of an internal IP address is something we may fix, but we do not consider it a security vulnerability as it doesn't compromise the integrity of Facebook user data"

No bounty was awarded and the issue was closed on 26 August, so I decided to disclose the bug.

However, on 11-12-2017 I received mail from Facebook awarding $500 for this bug. I started digging into it and found that someone had continued from this bug and found SSRF on Facebook.

Thank you
Dhiraj

11 comments:

  1. mr; https://twitter.com/Capitan_Alfa/status/974474659847647233

    ReplyDelete
  2. Heya, I'm here for the first time. I found this board and I find it truly helpful; it helped me out a lot. I hope to give something back and aid others as you helped me.
    What is My IP | My IP Address | IP Lookup | Speed Test

    ReplyDelete
  3. This is excellent information. It is amazing and wonderful to visit your site.
    Best Mobile Network Signal Repeater

    ReplyDelete
  4. The 10.0.0.1 IP address is usually used for private networking. Moreover, most router manufacturers use this IP version 4 address as the default gateway address for their routers.

    ReplyDelete
  5. 192.168.0.1 IP addresses are usually used for these purposes. If you compare public IP addresses, which can be found out through special web pages, with the private 10.0.0.1 IP address, you will understand that public IPs must be unique on the Internet, but a private IP must be unique only on the LAN.

    ReplyDelete
  6. Thank you for this blog, it's really interesting and informative, but there are some errors
    which need to be corrected by the owner. See, I also have some good blogs related to
    technical services; you can check them on my website.

    Avast Login
    garmin.com/express
    avg.com/retail
    bullguard support number

    ReplyDelete

  7. Roku (roku.com/link) devices, Roku (roku.com/link code), hold a separate spot for offering amazing entertainment by incorporating the latest technological features. You just need a connection to the internet. But what if you are facing random network issues? Then it will be the most aggravating situation you may ever face. Network issues (roku.com/link activation code) are very common, not only on Roku but on all internet-dependent devices. You have to know some easy solutions to overcome these kinds of errors.

    ReplyDelete
  8. Greatest post I've ever seen on the web. It's amazing and much more. I like this and had a great experience reading your blog.
    Garmin Express

    ReplyDelete