|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。
3 d) t4 F& w. s+ n3 `2 |& w2 b y' T3 c6 x( Z3 Y7 h
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。/ d* `4 [% K" Q$ r
5 v/ g3 S( Y) t简单介绍一下这篇文章吧。 ^1 j% k% M/ q! Q8 x% ^
/ |8 P+ ^' ~/ @: E: ^# J% Z- ]开启WP错误记录功能 R; k/ P- C" R4 {. ?! V
只需要修改wp-config.php的如下几行:
- u8 `) {( d& q9 o
5 [1 @/ C* H' A8 M* j9 [@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描# b! ?+ A4 Q# z8 @' o
3 h |3 p# }4 v. C' j/ r" V+ y[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'+ T1 N; I$ j. D* C
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
* ~) {- w, j: Q! B7 L3 l[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
6 i5 j5 S( i; t! n上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 0 T- c0 X) k. j+ A
SQL盲注扫描
$ R$ a4 F+ U* i! `# X攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。
+ H! M8 n; M8 h' Q; H3 \6 m; E; C& G) J* T V* ]8 K& Y" A
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
! `0 v( F7 c2 c" M: F# [8 \/ D[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
% F2 Z- \' }% _3 L, |Google一下大规模扫描
$ y# r& F/ q0 e- `( C% N8 M
4 P- S2 v, o4 B0 R9 F0 S5 x, v- t! a: `/ }* G
8 g$ W5 _6 v$ x9 V; p8 v
- V, t4 J0 b" K0 Z/ m0 E+ p4 u' m* W/ q4 B- i( j% t3 J
3 E* P/ c. Q4 q, O5 z H
僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;
$ J9 ?. |6 d/ ` o! u4 b( n, V , G* V/ v# T4 F2 s9 l+ i& W
Cocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。0 s8 f& d6 U0 _0 H
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|