Skip to content

Instantly share code, notes, and snippets.

@matt-allan

matt-allan/Caddyfile

Last active March 26, 2019 13:49
Show Gist options
  • Save matt-allan/a3bd019768586c6831a82f5459b555df to your computer and use it in GitHub Desktop.
Save matt-allan/a3bd019768586c6831a82f5459b555df to your computer and use it in GitHub Desktop.
Download ZIP
PHP Httpoxy example
Raw
README.md

A simple example of the httpoxy exploit. This example uses HTTP_AUTH_PASSWORD instead of HTTP_PROXY because PHP blacklisted the latter.

Setup

  1. Install Caddy.
  2. Install PHP and start php-fpm on port 9000.
  3. Copy Caddyfile and index.php from this example into a directory.
  4. Start Caddy: just type caddy in the directory from the last step.

Usage

If you run curl localhost:8080 The server will output the value of HTTP_AUTH_PASSWORD we set in the Caddyfile. If you pass the Auth-Password header it will override the environment variable.

» curl localhost:8080 
string(9) "secret123"
» curl -H 'Auth-Password: hunter2' localhost:8080
string(7) "hunter2"
Raw
Caddyfile
localhost:8080
fastcgi / 127.0.0.1:9000 php {
env HTTP_AUTH_PASSWORD secret123
}
rewrite {
regexp .*
ext /
to /index.php?{query}
}
log stdout
errors stdout
Raw
index.php
<?php
var_dump(getenv('HTTP_AUTH_PASSWORD'));
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment