利用WebRtc ( Firefox 、 Chrome )在支持Rtc的瀏覽器漏洞可以獲取用戶的真實內外網IP想寫寫一個聊天室的時候想要查看下用戶IP,加這麼一個功能,然後網上都是寫好的接口,就尋思着有沒有原生JS能獲取到的,結果查找到了個漏洞。
urls: “stun:stun.l.google.com:19302” 這是可以訪問到外網IP的 stun。
網上的demo用的是 stun.services.mozilla.com 毫無疑問的翻車 可能地址被牆了。
不信邪的我還真的找到了,但是處於安全性問題JS應該是沒有B/S相關的支持直接查詢外網的IP,可能需要後端的支持,
翻閱了很多大佬的博客和文章這個BUG出現在09年以前貌似 有點厲害了 且行且珍惜。
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<h4>
Demo for:
<a href="https://github.com/diafygi/webrtc-ips">
https://github.com/diafygi/webrtc-ips
</a>
</h4>
<p>
This demo secretly makes requests to STUN servers that can log your
request. These requests do not show up in developer consoles and
cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).
</p>
<h4>Your local IP addresses:</h4>
<ul></ul>
<h4>Your public IP addresses:</h4>
<ul></ul>
<h4>Your IPv6 addresses:</h4>
<ul></ul>
<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
<script>
//get the IP addresses associated with an account
function getIPs(callback){
var ip_dups = {};
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = {iceServers: [{urls: "stun:stun.l.google.com:19302"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
var ip_addr = ip_regex.exec(candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp
pc.createOffer(function(result){
//trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
//wait for a while to let everything done
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\n');
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
//insert IP addresses into the page
getIPs(function(ip){
var li = document.createElement("li");
li.textContent = ip;
console.log(ip);
//local IPs
if (ip.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)){document.getElementsByTagName("ul")[0].appendChild(li);
console.log(li);}
//IPv6 addresses
else if (ip.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/))
{document.getElementsByTagName("ul")[2].appendChild(li);
console.log(li);}
//assume the rest are public IPs
else
{document.getElementsByTagName("ul")[1].appendChild(li);
console.log(li);}
});
</script>
</body>
</html>https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/