Simple function to check for the "Apache Killer" (see http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html)
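<?php
/**
 * Sends a HEAD request with a small Range header and reports whether the
 * server answers with "206 Partial Content".
 */
function testForExploit($strUrl = NULL) {
    // I would love to use "filter_var($strUrl, FILTER_VALIDATE_URL)" here,
    // but let us be honest, it sucks even more than regular expressions do.
    // (http://snipplr.com/view/14198/useful-regex-functions/)
    if (!preg_match('/^(http|https|ftp):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i', (string) $strUrl)) {
        return false;
    }
    $oCurl = curl_init($strUrl);
    curl_setopt_array($oCurl, array(
        CURLOPT_HTTPHEADER     => array('Range: bytes=0-4'), // one small byte range
        CURLOPT_RETURNTRANSFER => 1,      // return the response instead of printing it
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_CONNECTTIMEOUT => 0,      // 0 = libcurl's default connect timeout
        CURLOPT_SSL_VERIFYHOST => 0,      // certificate checks are switched off
        CURLOPT_SSL_VERIFYPEER => 0,
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_HEADER         => 1,      // include the response headers in the result
        CURLOPT_NOBODY         => 1,      // HEAD request, no body
        CURLOPT_ENCODING       => 'gzip', // sends "Accept-Encoding: gzip"
    ));
    $strReturn = curl_exec($oCurl);
    if ($strReturn === false) {
        // The request failed, so there is no response to inspect.
        echo "Request failed: ".curl_error($oCurl)."\n\n";
        curl_close($oCurl);
        return false;
    }
    curl_close($oCurl);
    // "Partial" appears in the status line "206 Partial Content".
    if (strpos($strReturn, 'Partial') !== false) {
        echo "Probably exploitable: ".$strReturn."\n\n";
    } else {
        echo "Probably NOT exploitable: ".$strReturn."\n\n";
    }
}
testForExploit('http://www.apache.org/');
?>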
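An added example, not the gist author's code: a stricter verdict than the substring test for 'Partial'. It parses the header dump that curl returns with CURLOPT_HEADER and CURLOPT_FOLLOWLOCATION, takes the final response after any redirects, and requires status 206 with a Content-Range for the requested bytes. The function names and the sample responses are constructed for illustration.

```php
<?php
// Added example. With CURLOPT_HEADER and CURLOPT_FOLLOWLOCATION the result
// of curl_exec() holds one header block per hop, separated by blank lines.

/** Returns [statusCode, headers] for the last header block, or null. */
function parseFinalResponse(string $raw): ?array {
    $blocks = preg_split('/\r?\n\r?\n/', trim($raw)); // tolerate bare LF
    $lines  = preg_split('/\r?\n/', end($blocks));
    if (!preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', array_shift($lines), $m)) {
        return null; // not an HTTP status line
    }
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return [(int) $m[1], $headers];
}

/** True when the final response applied the "Range: bytes=0-4" request. */
function honoursByteRange(string $raw): bool {
    $parsed = parseFinalResponse($raw);
    if ($parsed === null) {
        return false;
    }
    [$status, $headers] = $parsed;
    return $status === 206
        && isset($headers['content-range'])
        && preg_match('#^bytes\s+0-4/#i', $headers['content-range']) === 1;
}

// Constructed sample: a redirect followed by a 206 answer.
$redirectThenPartial =
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
    . "HTTP/1.1 206 Partial Content\r\nAccept-Ranges: bytes\r\n"
    . "Content-Range: bytes 0-4/1024\r\n\r\n";
// Constructed sample: a 200 answer whose header value contains "Partial",
// which the plain substring test would flag.
$substringOnly = "HTTP/1.1 200 OK\r\nX-Cache: Partial-Hit\r\nContent-Length: 1024\r\n\r\n";

var_dump(honoursByteRange($redirectThenPartial));
var_dump(honoursByteRange($substringOnly));
```

A 206 here shows only that the server honours byte-range requests, which is why the gist words its verdict as "probably".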
@mo6

commented Aug 25, 2011

You should add "Accept-Encoding: gzip" to the HTTPHEADER as in the original exploit code.

@FabianBeiner

Owner Author

commented Aug 25, 2011

Uh, is this really needed? Actually I have no idea. :)

@mo6

commented Aug 25, 2011

@FabianBeiner

Owner Author

commented Aug 25, 2011

Added, thanks! :)
