|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。$ e3 s9 |3 m- h, t, T8 v- J
% k3 X7 S; k, A7 }' ~# U
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。0 h0 D z. e' B% ~4 V4 h, l
8 c; g8 v9 L- e: n/ g# z1 d简单介绍一下这篇文章吧。4 M8 y( u+ |2 D/ h5 j6 C( A: v
$ @: o7 U) i: d9 l0 h% W8 J) t, l开启WP错误记录功能
5 _, V( C; I' v* D只需要修改wp-config.php的如下几行:- V1 V" O1 h1 |7 y" I( j
: f* S& t1 T" O3 v& w! v" D@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描1 D( b7 `: g8 ?
3 Q0 `% R4 [6 h8 y u
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
9 |8 i4 v7 S, j) f6 v5 C: b U[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--; i$ i1 R* R& w+ h* S7 V$ S! {5 [
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
. T( O, W' r/ O0 ?上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 ! d) H+ S: J A* {3 h/ [: A- P
SQL盲注扫描1 o9 Z6 I9 @5 t6 h) }* \5 u; I2 |
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。8 y* ?' t( P! Y5 I' v5 H+ E' L
" L, b' M# V% n[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--9 ~5 W* e2 U5 G9 u/ [+ e5 |$ ^
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
! x0 W/ }1 L7 ~Google一下大规模扫描& x L7 [/ Z. p( ~; t$ j
$ p ^0 z; E% w& s5 f
2 V/ y! `3 w) C0 H
2 \1 u+ L! t/ s
8 m7 b7 d- U8 F' f) Q0 z
, |" M% `! U- m/ v. p- S( w
: S, q7 a, J3 t3 D# ~, G 僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;" z( j0 w% d0 s2 b0 z' L/ @
! U' I) o0 ?$ r: k+ l5 K+ g% oCocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。
$ Q8 ?" y' T& I( a5 F; a |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|