This article describes an approach for discovering SQL injection attacks from error_log once WordPress error logging is turned on.

What drew Cocoa to it is that the blog is actually the official blog of the SpiderLabs team at Trustwave, which looks fairly interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.
A brief introduction to the article.
$ q0 l4 ~2 E! I% S% d
Enabling WP error logging
Only the following lines in wp-config.php need to be changed:

    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/home/example.com/logs/php_error.log');

Two details matter here: display_errors stays Off, so the attacker gets no verbose MySQL error back even though the full failing query is written to the log, and the log path sits outside the web root (as in the example), so the log itself cannot be fetched over HTTP.

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
The log above shows the attacker brute-forcing the number of columns in the query, adding one more column to the UNION ALL SELECT on each request. The large hex literal is not parsed as NULL: in MySQL a 0x... literal is a binary string (0x31303235343830303536 is the ASCII digits 1025480056), so it is accepted in any column and doubles as a marker the scanner can look for in the response.

Blind SQL injection scanning
The attacker also uses time-delay functions such as waitfor delay and BENCHMARK for blind injection. Note that waitfor delay is Microsoft SQL Server syntax and can only produce a syntax error against WordPress's MySQL backend; the scanner is spraying payloads for several database engines rather than fingerprinting the backend first.
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
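As an added example (not from the original post or from the SpiderLabs article), the following Python script applies the idea of the two sections above to WordPress error_log entries: it parses each "WordPress database error ... for query ..." line, classifies the injected query by technique (UNION column probing, SQL Server waitfor delay, MySQL BENCHMARK/SLEEP, boolean and quote probes), decodes hex literals into the marker string the scanner expects, and counts how many columns each UNION attempt tried. The sample log is constructed from the entries quoted above plus one ordinary missing-table error that must not be flagged; the entry regex, rule names and helper functions are this example's own, not part of WordPress or of any tool named on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input modelled on the error_log entries quoted above (the empty
# table name after FROM is reproduced from the originals); the last line is an
# ordinary application error that a detector must NOT flag.
SAMPLE_LOG = r"""[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 03:00:00] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing WHERE id = 7
"""

# One error_log entry as wpdb writes it: timestamp, error text, then the failing query.
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<err>.*?) for query (?P<query>.*)$")
HEX_RE = re.compile(r"0x([0-9A-Fa-f]{2,})\b")
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b(?P<cols>.*?)(?:--|#|\bFROM\b|$)", re.I)

# Injection signatures in priority order; the first one that matches names the technique.
SIGNATURES = [
    ("union-column-probe", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("time-based-mssql", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),      # T-SQL, errors on MySQL
    ("time-based-mysql", re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I)),
    ("boolean-probe", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("quote-probe", re.compile(r"\\'")),                                  # escaped quote left by addslashes
]


@dataclass
class Finding:
    ts: str
    technique: str
    query: str
    decoded_hex: List[str]
    union_columns: Optional[int]


def decode_hex_literals(query: str) -> List[str]:
    """Decode MySQL 0x... literals. A hex literal is a binary string, not NULL, which is
    why scanners use it as a type-neutral marker they can grep for in the response."""
    decoded = []
    for h in HEX_RE.findall(query):
        if len(h) % 2:
            continue
        raw = bytes.fromhex(h)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = ""
        decoded.append(text if text and text.isprintable() else "0x" + h)
    return decoded


def union_column_count(query: str) -> Optional[int]:
    """Number of columns in an injected UNION SELECT; scanners add one per request."""
    m = UNION_RE.search(query)
    if not m:
        return None
    cols = m.group("cols").strip()
    return cols.count(",") + 1 if cols else 0


def classify(query: str) -> Optional[str]:
    for name, rx in SIGNATURES:
        if rx.search(query):
            return name
    if query.count("'") % 2 == 1:  # unbalanced quote, the classic first probe
        return "quote-probe"
    return None


def parse_log(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        query = m.group("query")
        technique = classify(query)
        if technique is None:
            continue  # ordinary bug (missing table, plugin typo), not an injection probe
        findings.append(Finding(m.group("ts"), technique, query,
                                decode_hex_literals(query), union_column_count(query)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.ts}  {f.technique:20}  cols={f.union_columns}  hex={f.decoded_hex}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

One limitation a practitioner hits immediately: PHP's error_log entries carry no client address, so a finding here gives only a timestamp and the payload; attributing the probes to a source means joining on time against the web server's access_log, which is the same data the SpiderLabs honeypot posts analyse.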
Using Google for mass scanning
Botnet controllers may use infected hosts to identify potential targets. Below is a fragment of RFI (remote file inclusion) attack code captured by the company's honeypot. It runs a Google search for the dork passed in $key, pages through up to 400 results, and collects links from every host in the results other than Google itself (key, search_engine_query and links are helpers defined elsewhere in the bot and not shown here):

    sub google() {
        my @list;
        my $key = $_[0];
        # page through the results 10 at a time, up to start=400
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            # pull every http:// host out of the result page
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list,@grep);
                }
            }
        }
        return @list;
    }
Cocoa's summary: the article is fairly simple, but detecting attacks from logs seems to be a popular direction at the moment.