Skip to content

Instantly share code, notes, and snippets.

@matt-allan
Last active Mar 26, 2019
Embed
What would you like to do?
PHP Httpoxy example

A simple example of the httpoxy exploit. This example uses HTTP_AUTH_PASSWORD instead of HTTP_PROXY because PHP blacklisted the latter.

Setup

  1. Install Caddy.
  2. Install PHP and start php-fpm on port 9000.
  3. Copy Caddyfile and index.php from this example into a directory.
  4. Start Caddy: just type caddy in the directory from the last step.

Usage

If you run curl localhost:8080 The server will output the value of HTTP_AUTH_PASSWORD we set in the Caddyfile. If you pass the Auth-Password header it will override the environment variable.

» curl localhost:8080 
string(9) "secret123"
» curl -H 'Auth-Password: hunter2' localhost:8080
string(7) "hunter2"
localhost:8080
fastcgi / 127.0.0.1:9000 php {
env HTTP_AUTH_PASSWORD secret123
}
rewrite {
regexp .*
ext /
to /index.php?{query}
}
log stdout
errors stdout
<?php
var_dump(getenv('HTTP_AUTH_PASSWORD'));
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment