first commit

cgi/CVE-2016-5385/README.md

@@ -0,0 +1,53 @@
+# CGI Application Environment Variable Injection by HTTPoxy (CVE-2016-5385)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
+
+- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as `HTTP_PROXY`
+- `HTTP_PROXY` is a popular environment variable used to configure an outgoing proxy
+
+This leads to a remotely exploitable vulnerability. See <https://httpoxy.org> for further principles description.
+
+CVE-2016-5385 is one of CVEs that assign for HTTPoxy, here are the full CVEs list:
+
+- CVE-2016-5385: PHP
+- CVE-2016-5386: Go
+- CVE-2016-5387: Apache HTTP Server
+- CVE-2016-5388: Apache Tomcat
+- CVE-2016-6286: spiffy-cgi-handlers for CHICKEN
+- CVE-2016-6287: CHICKEN’s http-client
+- CVE-2016-1000104: mod_fcgi
+- CVE-2016-1000105: Nginx cgi script
+- CVE-2016-1000107: Erlang inets
+- CVE-2016-1000108: YAWS
+- CVE-2016-1000109: HHVM FastCGI
+- CVE-2016-1000110: Python CGIHandler
+- CVE-2016-1000111: Python Twisted
+- CVE-2016-1000212: lighttpd
+
+## Vulnerable environment
+
+Execute following command to start a Web application depending on PHP 5.6.23 and GuzzleHttp 6.2.0.
+
+```
+docker compose up -d
+```
+
+This [Web page](www/index.php) get its origin IP address at `http://httpbin.org/get`:
+
+![](1.png)
+
+At this moment, hostname IP is equal to original IP, no HTTP proxy.
+
+## Exploit
+
+Send a request with a crafted HTTP header that contains a available HTTP proxy address: `Proxy: http://*.*.122.65:8888/`:
+
+![](2.png)
+
+It is obvious that the original address in the response has become the IP address of the proxy server.
+
+Start a Netcat server at the `*.*.122.65` instead of HTTP proxy, we can capture the original request:
+
+![](3.png)