怎么分析Facebook Ads广告业务API接口的源代码泄露漏洞

时间：2023-05-12 04:36

发现漏洞

一个多月后，我就发现了存在Facebook Ads广告业务系统API中的一个漏洞。存在漏洞的API是一个图片处理接口，它用于Facebook商户账户上传广告图片，上传的图片会储存在一个名为“/adimages”的目录下，并用base64格式编码。所以，我的测试构想是，在这里的机制中，可以向上传图片中注入恶意Payload，经API转换为 Base64 格式后，再被Facebook传入服务器中。

以下为上传图片的POST请求：

POST /v2.10/act_123456789/adimages HTTP/1.1
Host: graph.facebook.com
Bytes=VGhpcyBpcyBtYWxpY2lvdXMgcGF5bG9hZC4=

由于Facebook服务器端不能有效地处理恶意Payload图片，最终其“Image Resizing Tool”图片处理工具返回了一个报错，在某个JSON响应内容的异常消息中，就包括了一些PHP库函数代码，这些代码来自不同的Facebook库文件，可以肯定的是，这应该属于Facebook源代码的一部份。

HTTP/1.1 200 OK{“error”:{“message”:”Invalid parameter”,”type”:”FacebookApiException”,”code”:100,”error_data”:”exception ‘Exception’ with message ‘gen_image_rescale_multi_thrift call to shrinkImageMulti failed with fbalgo exception: 43 (43: : IDAT: invalid distance        too far back)’ in /var/www/flib/resource/filesystem/upload/upload.php:1393
Stack trace:
#0 /var/www/flib/resource/filesystem/upload/upload.php(1662): gen_image_rescale_multi_thrift()
#1 /var/www/flib/ads/admanager/adupload/adupload.php(252):        gen_image_rescale_multi()
#2 /var/www/flib/ads/admanager/adupload/AdImageUtils.php(195): _gen_adupload_image_resize()
#3 /var/www/flib/ads/entities/creatives/photos/AdproCreativePhotoDownload.php(53): AdImageUtils::genResizeLocalFile()
#4        /var/www/flib/platform/graph/resources/adaccount/adimages/mutators/GraphAdAccountAdImagesPost.php(134): AdproCreativePhotoDownload::addLocalFileToCreativeLibrary()
#5 /var/www/flib/core/data_structures/utils/Arrays.php(440):        Closure$GraphAdAccountAdImagesPost::genImplementation#3()
#6 /var/www/flib/platform/graph/resources/adaccount/adimages/mutators/GraphAdAccountAdImagesPost.php(136): Arrays::genMapWithKey()
#7 /var/www/flib/ads/api/graph_base/GraphAdsWriteWithRedirectBase.php(22):        GraphAdAccountAdImagesPost->genImplementation()
#8 /var/www/flib/ads/api/graph_base/GraphAdsWriteWithRedirectBase.php(11): GraphAdsWriteWithRedirectBase->genDoCall()
#9 /var/www/flib/core/asio/gen_utils.php(24): GraphAdsWriteWithRedirectBase->genCall()
#10        /var/www/flib/platform/api/base/ApiBaseWithTypedApiData.php(204): genw()
#11 /var/www/flib/platform/api/base/ApiBase.php(85): ApiBaseWithTypedApiData->genCallWithApiDataBase()
#12 /var/www/flib/platform/graph/core/runner/GraphApiRunnerBase.php(373):        ApiBase->genMakeCall()
#13 /var/www/flib/platform/graph/core/GraphRequestProcessorBase.php(629): GraphApiRunnerBase->genCall()
#14 /var/www/flib/platform/graph/core/GraphRequestProcessorBase.php(45): GraphRequestProcessorBase->genExecuteSingleGraphRequestCore()
#15        /var/www/api/graph/server.php(168): GraphRequestProcessorBase->genExecuteSingleGraphRequest()
#16 /var/www/api/graph/server.php(174): gen_api_graph_server()
#17 /var/www/flib/core/asio/Asio.php(35): gen_api_graph_server_wrapper()
#18        (): Closure$Asio::enterAsyncEntryPoint()
#19 /var/www/flib/core/asio/Asio.php(37): HH\Asio\join()
#20 /var/www/api/graph/server.php(180): Asio::enterAsyncEntryPoint()
#21 {main}”,”error_subcode”:1487242,”is_transient”:false,”error_user_title”:”Image        Resize Failed”,”error_user_msg”:”Image Resize Failed:unknown reason”,”fbtrace_id”:”EN/o9hmqwZz”},”__fb_trace_id__”:”EN/o9hmqwZz”}

以上就是怎么分析Facebook Ads广告业务API接口的源代码泄露漏洞的详细内容，更多请关注Gxl网其它相关文章！