mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
12 lines
392 B
PHP
12 lines
392 B
PHP
<?php
|
|
// SSRF — adversarial collision fixture.
|
|
// Prints "daemon:" unconditionally without making any HTTP request
|
|
// and without emitting __NYX_SINK_HIT__.
|
|
// Expected verdict: Inconclusive(OracleCollisionSuspected)
|
|
// Entry: fetchUrl($url) Cap: SSRF
|
|
|
|
function fetchUrl($url) {
|
|
// Coincidental oracle match — not an HTTP sink.
|
|
echo "daemon: present\n";
|
|
$x = strlen($url);
|
|
}
|