- This article describes how, once WordPress has error logging turned on, SQL injection attacks can be spotted from the error_log.
What attracted Cocoa to this is that the blog is actually the official blog of SpiderLabs, a team under Trustwave, which looks quite interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.
Here is a brief introduction to the article.
Enabling WP error logging

Only the following lines in wp-config.php need to be changed. WordPress's wpdb class reports failed queries through PHP's error_log() function, so these settings route the "WordPress database error ... for query ..." messages into a file; display_errors stays Off so the MySQL error text is not echoed back to the attacker:

    @ini_set('log_errors','On');
    @ini_set('display_errors','Off');
    @ini_set('error_log','/home/example.com/logs/php_error.log');

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

The lines above show the attacker brute-forcing the number of columns in the table: each attempt adds one more value to the UNION ALL SELECT until the column count matches the original query. The long hex value 0x31303235343830303536 is MySQL's hex-string literal notation and decodes to the ASCII string 1025480056; scanners inject a distinctive marker like this so they can tell from the response which column is reflected into the page.
Blind SQL injection scanning

The attacker uses functions such as waitfor delay and BENCHMARK for time-based blind injection. Note that WAITFOR DELAY is Microsoft SQL Server syntax and cannot execute on MySQL at all, so a scanner that fires it without first fingerprinting the backend is guaranteed to leave a syntax error in this log; BENCHMARK(8623333,MD5(0x41)) is the MySQL counterpart, burning CPU for long enough to produce a measurable delay when the condition is true.

[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
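As an added example (not code from the SpiderLabs post or from WordPress), here is a small Python detector that runs over the error_log lines quoted in the two sections above and classifies each database error by the injection technique it reveals: UNION column enumeration (reporting the guessed column count and the decoded hex marker), MySQL and T-SQL time-based probes, stacked queries, comment terminators and the plain single-quote probe. The log format is the one wpdb::print_error() writes through PHP's error_log(); the technique names and the one benign log line at the end of the sample are my own constructions. One caveat the example makes visible: on a real site only payloads that make the query fail ever reach error_log, so a syntactically valid injection leaves no trace here, and this check complements rather than replaces access_log monitoring or a WAF.

```python
"""Classify SQL-injection probes recorded in a WordPress/PHP error_log.

Added example; not code from the SpiderLabs post or from WordPress. It assumes
the format wpdb::print_error() emits through PHP's error_log():
  [dd-Mon-YYYY HH:MM:SS] WordPress database error <mysql message> for query <sql>
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<err>.*?) for query (?P<sql>.*)$"
)

# MySQL hex-string literal, e.g. 0x31303235343830303536 -> "1025480056".
HEX_LITERAL_RE = re.compile(r"0x(?:[0-9a-fA-F]{2})+\b")

# Technique signatures (the names are my own). They are matched against the
# logged query only: the MySQL message itself contains ';' and quotes and
# would produce false positives.
SIGNATURES = [
    ("union-column-enum", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("time-based-mysql", re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I)),
    # T-SQL syntax: can never execute on MySQL, so it is a pure scanner fingerprint.
    ("time-based-mssql", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("stacked-query", re.compile(r";\s*(?:if|select|insert|update|delete|drop|exec)\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),
    # The classic single-quote probe; PHP has escaped it to \' by the time it is logged.
    ("quote-probe", re.compile(r"\\'")),
]

UNION_COLS_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b(?P<cols>.*?)(?:\bfrom\b|--|#|$)", re.I | re.S
)


@dataclass
class Finding:
    timestamp: str
    techniques: list
    union_columns: int     # columns guessed in the UNION SELECT, 0 if none
    decoded_markers: list  # printable ASCII decoded from 0x... literals
    query: str


def decode_hex_literals(sql: str) -> list:
    """Decode 0x... literals that are printable ASCII. Scanners inject such a
    marker so they can see in the response which column is reflected."""
    markers = []
    for m in HEX_LITERAL_RE.finditer(sql):
        raw = bytes.fromhex(m.group(0)[2:])
        if raw.isascii() and raw.decode().isprintable():
            markers.append(raw.decode())
    return markers


def count_union_columns(sql: str) -> int:
    """Size of the select list in a UNION SELECT probe. A plain comma split is
    enough because column-enumeration probes use bare literals."""
    m = UNION_COLS_RE.search(sql)
    if m is None:
        return 0
    return len([c for c in m.group("cols").split(",") if c.strip()])


def parse_line(line: str):
    """Return a Finding when the logged query looks like an injection probe, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    sql = m.group("sql")
    techniques = [name for name, rx in SIGNATURES if rx.search(sql)]
    if not techniques:
        return None
    return Finding(m.group("ts"), techniques, count_union_columns(sql),
                   decode_hex_literals(sql), sql)


def scan(log_text: str) -> list:
    """All injection-looking findings in a log, in file order."""
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


def summarize(findings: list) -> dict:
    """Technique name -> number of log lines it was seen in."""
    counts = {}
    for f in findings:
        for t in f.techniques:
            counts[t] = counts.get(t, 0) + 1
    return counts


# Sample input: the five lines quoted from the article above, followed by one
# constructed, benign database error that must not be flagged.
SAMPLE_LOG = r"""
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 03:00:00] WordPress database error Unknown column 'foo' in 'field list' for query SELECT foo FROM wp_posts WHERE ID = 1
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f.timestamp, f.techniques, f.union_columns, f.decoded_markers)
    print(summarize(found))
```

Run stand-alone it prints one line per flagged entry and a technique tally; to use it on a live server, feed the contents of the php_error.log path configured in wp-config.php to scan() and alert on any non-empty result, or on summarize() counts crossing a threshold per source if the log line also carries the request context.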
Finding targets at scale with Google

Botnet operators may use the infected hosts to identify potential targets. Below is a fragment of the RFI (remote file inclusion) attack code captured by the company's honeypot. Indentation, the closing brace and comments have been added; &key, &search_engine_query and &links are helper subs defined elsewhere in the captured script and are not shown here:

    sub google() {
        my @list;
        my $key = $_[0];    # the search dork passed in by the caller
        # Walk the first 400 Google result pages for the dork, 100 results per request
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            # Pull every http:// host out of the result page, skipping Google's own links
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);    # expand each host into candidate URLs
                    push(@list,@grep);
                }
            }
        }
        return @list;    # the harvested target list
    }
Cocoa's summary: the article is fairly simple, but detecting attacks from logs seems to be a popular direction at the moment.