This article describes how, once WordPress has error logging enabled, SQL injection attacks can be spotted from the error_log.
What caught Cocoa's eye is that this blog is actually the official blog of Trustwave's SpiderLabs team, which looks fairly interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.
Here is a brief summary of the article.
Enabling WP error logging
Just change the following lines in wp-config.php:

@ini_set('log_errors','On');      // write PHP errors to a log file
@ini_set('display_errors','Off'); // but never show them to visitors
@ini_set('error_log','/home/example.com/logs/php_error.log'); // where the log goes

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

The entries above are brute-forcing the number of columns in the table; that huge hexadecimal value gets parsed as null.
Blind SQL injection scanning
The attacker uses functions such as "waitfor delay" and "benchmark" for blind injection.
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)

Googling the large-scale scanning
[attachment 163 (image)]
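As an added example (not from the original post or the SpiderLabs article), the following Python script reads php_error.log entries of the shape shown in both sections above and flags the patterns they discuss: the escaped-quote probe, UNION SELECT column brute-forcing (it also counts how many columns each attempt tries), and the time-based waitfor delay / BENCHMARK payloads. The sample log is constructed from the entries quoted above, abbreviated; SLEEP() is included as an assumption, since the page does not show it.

```python
import re

# Shape of the lines WordPress writes to php_error.log once log_errors is on.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] WordPress database error .*? for query (?P<query>.*)$")

# Indicators drawn from the entries above; SLEEP() is an added assumption.
INDICATORS = {
    "escaped_quote": re.compile(r"\\'"),  # the -1\' quote probe as PHP logs it
    "union_select": re.compile(r"\bUNION(?:\s+ALL)?\s+SELECT\b", re.I),
    "time_based": re.compile(r"\bwaitfor\s+delay\b|\bBENCHMARK\s*\(|\bSLEEP\s*\(", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}

# Constructed sample log, abbreviated from the entries quoted on this page.
SAMPLE_LOG = r"""
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; ... near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; ... at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; ... at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; ... at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; ... at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 02:44:00] PHP Notice:  Undefined index: page in /home/example.com/wp-content/themes/x/header.php on line 12
[07-Dec-2012 02:45:10] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing
"""

def union_column_count(query):
    """Expressions in the UNION SELECT list (0 if none): shows the column brute-forcing."""
    m = re.search(r"UNION(?:\s+ALL)?\s+SELECT\s+(.*?)(?:--|$)", query, re.I)
    return len([c for c in m.group(1).split(",") if c.strip()]) if m else 0

def classify(query):
    """Names of the indicators that fire on one logged query."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))

def scan(lines):
    """One finding per WordPress database error whose query trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a WordPress database error (e.g. a PHP notice)
        tags = classify(m.group("query"))
        if tags:
            findings.append({"ts": m.group("ts"), "tags": tags, "query": m.group("query"),
                             "union_columns": union_column_count(m.group("query"))})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["ts"], ",".join(f["tags"]), "union_columns=%d" % f["union_columns"])
```

A plain PHP notice and a database error without these markers (the missing-table line) produce no finding, so the output is only the five probes.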