mushorg / glastopf

Web Application Honeypot
http://glastopf.org

Bugged behavior of wsgi_wrapper.py #280

Closed alem0lars-yr closed 5 years ago

alem0lars-yr commented 7 years ago

Try to run:

curl 'http://localhost:8080/INTERNAL_TEST/vuln.php=http://bruh-srv.herokuapp.com/public/echo.php'

Note: Replace 8080 with the port where glastopf is running.

However, when the included file doesn't output the response headers (but just some PHP code, like the example above), the parser fails because header contains both the header (empty) and the body (containing the evaluated PHP code).

In that case, the file wsgi_wrapper fails in:

proto, code, msg = h.split(" ",2)

glaslos commented 7 years ago

Hi, thanks for the report. Any suggestions on how to fix it?

alem0lars-yr commented 7 years ago

It's not 100% clear to me why it is expected to return HTTP content instead of just the plain content.

Could you explain why it parses the result from the sandbox as an HTTP response?

Thanks.

vorband commented 6 years ago

I know this is kind of a late follow-up, but I ran into this, too.

Imho, the commit https://github.com/mushorg/glastopf/commit/8b37e1dcdce175999703cb9776c44c4d3e57fab4 breaks the handling of RFI and the PHP sandbox: it assumes that an HTTP response code is always submitted in the response. However, if the sandbox is executed, it delivers raw text output.

A workaround is to change line 56 of wsgi_wrapper.py from else: to something like elif "HTTP/" in h:

But maybe you have found a better solution.
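
Added example, not part of the thread and not glastopf's own code: a tolerant way to split emulator output into status, headers and body, so that raw sandbox text with no status line falls back to a default status instead of failing on the three-way unpack quoted above. The names split_response, STATUS_LINE and the "200 OK" default are assumptions; the check is anchored to the start of the first line, so a body that merely mentions "HTTP/" is not mistaken for a header block.

```python
import re

# Matches an HTTP status line such as "HTTP/1.1 200 OK" at the start of a response.
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: (.*))?$")


def split_response(raw, default_status="200 OK"):
    """Split emulator output into (status, headers, body).

    Hypothetical helper: when `raw` does not begin with an HTTP status
    line (for example raw PHP sandbox output), the whole string is
    returned as the body with `default_status`.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = STATUS_LINE.match(lines[0])
    if match is None:
        # No status line: the case where `proto, code, msg = h.split(" ", 2)`
        # cannot be relied on, so nothing is parsed as a header.
        return default_status, [], raw
    status = "{} {}".format(match.group(1), match.group(2) or "").strip()
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # skip malformed header lines instead of raising
            headers.append((name.strip(), value.strip()))
    return status, headers, body


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real glastopf instance.
    samples = [
        "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>nope</h1>",
        "echo-output",                       # raw sandbox text, single token
        "fetched over HTTP/1.1\r\n\r\ndone",  # body that only mentions HTTP/
    ]
    for sample in samples:
        print(split_response(sample))
```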