Enabling WordPress error logging

Only the following lines in wp-config.php need to be changed. Keep display_errors off so the error text goes to the log and not to the attacker's browser, and put the log file outside the web root (the path below is the post's example) so it cannot be fetched over HTTP:

    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/home/example.com/logs/php_error.log');

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
The log above is a brute force of the table's column count: the attacker first breaks the query with a stray quote (-1\'), then appends UNION ALL SELECT with one hex literal, then two, and so on until the column count matches and the query stops failing. The long hex literal is not parsed as null: 0x31303235343830303536 is the ASCII string "1025480056", a marker that the tool then searches for in the response to learn which column is echoed back into the page. The 999999.9 UNION ALL SELECT 0x3130... form is a well-known fingerprint of automated injection tools (Havij uses exactly this pattern). Note also that the logged query has no table name ("FROM WHERE"), so every probe fails with a syntax error regardless of what the attacker sends; against a working query only the mismatched column counts would error, and a UNION with the right count would succeed silently and never reach this log.
Blind SQL injection scanning

Here the attacker uses time-delay functions such as "waitfor delay" and "benchmark" for blind injection: the query is made true or false by a condition (if (1=1) ...) and the response time tells the attacker the answer.

[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)

The two probes target different backends: "waitfor delay '00:00:05'" is Microsoft SQL Server syntax, while BENCHMARK(8623333, MD5(0x41)) (0x41 is "A") is MySQL. The scanner fires both without knowing which database is behind the site; had the query been valid, the MySQL variant would have tied up a connection for several seconds of MD5 work for every request.

Google as a mass-scanning engine
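Detection logic for the two scan patterns described above (column-count probing with hex markers, and time-based blind probing), as an added example that is not part of the original post. It parses wpdb error lines of the form shown, classifies each query, decodes the hex literals to the strings MySQL actually sees, and groups entries into bursts by timestamp so a scanner's rapid sequence stands out. The sample log is constructed from the post's own queries (MySQL's error text abbreviated to "...") plus one ordinary missing-table error for contrast; matching sleep() and pg_sleep() is an extension beyond the post's two delay functions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the wpdb error lines quoted in the post.
# Queries are the post's own; the last line is an ordinary, non-attack error.
SAMPLE_LOG = r"""
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; ... for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; ... for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; ... for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; ... for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; ... for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 02:50:00] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing
"""

# "[timestamp] WordPress database error <mysql error> for query <sql>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<err>.*?) for query (?P<query>.*)$")
# UNION SELECT whose column list is made purely of hex literals (column-count probing)
UNION_RE = re.compile(
    r"UNION\s+(?:ALL\s+)?SELECT\s+(?:0x[0-9a-f]+\s*,\s*)*0x[0-9a-f]+", re.I)
HEX_RE = re.compile(r"0x([0-9a-f]+)", re.I)
# MSSQL (waitfor delay), MySQL (benchmark/sleep) and PostgreSQL (pg_sleep) delays
TIME_RE = re.compile(r"waitfor\s+delay|benchmark\s*\(|\bsleep\s*\(|pg_sleep\s*\(", re.I)


def decode_hex_literals(sql):
    """Decode every 0x... literal to the string MySQL treats it as (not NULL)."""
    out = []
    for h in HEX_RE.findall(sql):
        if len(h) % 2:          # MySQL left-pads odd-length literals with a zero nibble
            h = "0" + h
        out.append(bytes.fromhex(h).decode("ascii", errors="replace"))
    return out


def union_column_count(query):
    """Number of columns the UNION probe is testing, or 0 if it is not such a probe."""
    m = UNION_RE.search(query)
    return len(HEX_RE.findall(m.group(0))) if m else 0


def classify_query(query):
    """Return (kind, detail) for one logged SQL statement."""
    cols = union_column_count(query)
    if cols:
        markers = decode_hex_literals(UNION_RE.search(query).group(0))
        return "union-column-probe", f"{cols} column(s), marker(s) {markers}"
    t = TIME_RE.search(query)
    if t:
        return "time-based-blind", t.group(0)
    if "\\'" in query or query.rstrip().endswith("'"):
        return "quote-probe", "unbalanced quote appended to a parameter"
    return "other", ""


def scan(log_text):
    """Parse a php_error.log excerpt into classified findings (one per wpdb error line)."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, detail = classify_query(m.group("query"))
        findings.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "kind": kind, "detail": detail, "query": m.group("query"),
        })
    return findings


def bursts(findings, max_gap_seconds=60):
    """Group consecutive findings whose timestamps are within max_gap_seconds."""
    groups = []
    for f in findings:
        if groups and (f["ts"] - groups[-1][-1]["ts"]).total_seconds() <= max_gap_seconds:
            groups[-1].append(f)
        else:
            groups.append([f])
    return groups


def summarize(findings):
    """Count findings per kind."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%H:%M:%S}  {f['kind']:<20} {f['detail']}")
    print("bursts:", [len(b) for b in bursts(found)])
    print("summary:", summarize(found))
```

Only error lines are visible here, so a UNION with the correct column count (which succeeds) leaves no trace; pair this with web-server access logs, where the same 999999.9 UNION ALL SELECT 0x3130... strings appear in the request URI with a source IP.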
[attach]163[/attach]
Botnet controllers may use the infected hosts themselves to identify potential targets. Below is a fragment of an RFI (remote file inclusion) attack bot captured by the company's honeypot: it runs a Google search for a dork (the search term passed in as $key), pages through the results 100 at a time from start=0 to start=400, and harvests every non-Google host found in the result links as a candidate target.
    # Google dorking routine from the captured bot, reflowed from the one-line
    # original. &key, &search_engine_query and &links are other subroutines of
    # the same bot that are not in the captured fragment: &key encodes the
    # dork for the URL, &search_engine_query fetches a page, and &links turns a
    # harvested host into the list of URLs the bot will later attack.
    sub google() {
        my @list;
        my $key = $_[0];    # the dork (search term) to look for
        # Page through the results: start=0,10,...,400 with num=100 results per
        # page; filter=0 turns off Google's duplicate-result filtering
        for (my $i = 0; $i <= 400; $i += 10) {
            my $search = ("http://www.google.com/search?q=" . &key($key)
                          . "&num=100&filter=0&start=" . $i);
            my $res = &search_engine_query($search);
            # Pull the host part of every http:// link on the results page
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/) {    # skip Google's own links
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list, @grep);
                }
            }
        }
        return @list;
    }