警告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
发送请求"GET /index.htm HTTP/1.1\r\n:\r\n\r\n" 可导致该漏洞. BUG可能存在于client.cpp,
"//grab headers" section. And it is something like " 1-2 = -1" and similar to
memcpy(-1) ?
// grab headers
string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" ); string ::
size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );
strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ), iDoubleNewLine
- iNewLine - strlen( "\r\n" ) );
while( 1 ) { string :: size_type iSplit = strTemp.find( ":"
); string :: size_type iEnd = strTemp.find( "\r\n" );
if( iSplit == string :: npos ) { UTIL_LogPrint( "client warning -
malformed HTTP request (bad header)\n" );
break; }
string strKey = strTemp.substr( 0, iSplit ); string strValue =
strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" )
);//Bug here ??
rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );
strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );
if( iEnd == string :: npos ) break; }
|