从WordPress错误日志里发现SQL注入扫描攻击

admin · 发表于 2013-1-11 21:23:34

这篇文章介绍了当WordPress开启错误记录以后，根据error_log来发现SQL注入攻击的思路。
3 M" Q$ ?2 m# _: x8 ?4 H$ m; g/ j* a4 W8 m3 y
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客，貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。
/ x" g  b% c$ x+ P
' H: g8 `$ n& j$ s简单介绍一下这篇文章吧。& z& E- ^: V4 F8 }+ S

* h: ^! k+ _# Q" X9 o3 F+ v  ?开启WP错误记录功能
6 ^: s' j2 R  }% B! `" Z只需要修改wp-config.php的如下几行：
2 b/ H( Q# P9 R# y/ ~$ _4 [) u, P( J6 r7 T# L
@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描
+ ~  j! y$ C8 g! Q( j
  ^. I2 _8 o" S# _[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'! ]3 U2 `: z7 l- U4 y: a; g
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
, h# R& G, x1 E+ L3 r! Y1 R5 z[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
% y: l- z0 T# J- I$ m) G/ ^( L上面的日志就是在暴力猜解表的列数，那个巨大的十六进制值会被解析成null。 ' t& O! F- }& p' G! I' M, ]
SQL盲注扫描7 e' R7 B$ \  ]( R9 \! w  Q
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。
8 i% j) I* C1 c
6 A9 c9 ~) l. k0 W6 Z6 K[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--3 f3 m5 n# x) @! g$ T0 U' X
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
3 s- |7 O4 r$ ^; D4 L0 e, XGoogle一下大规模扫描
" c$ Q' l& e1 Z/ ~, H0 V) _: [! W# w1 H4 S3 s+ x3 [2 k
% x! D4 e. F; ~' Q

/ F4 t$ K3 ^/ {" D- ?
- J6 [$ O  @' Z* D) G3 x. }. q7 [
4 ^( d) s( l$ x6 I# |/ J- }
. F+ k7 s2 f+ g7 m                            僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI（远程文件包含）攻击代码里的片段：
sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list；
+ X3 O5 `4 O9 O, q

Cocoa总结：文章比较简单，但是从日志来检测攻击貌似是目前流行的一个方向。

		自动登录	找回密码
密码			立即注册

从WordPress错误日志里发现SQL注入扫描攻击

本帖子中包含更多资源

相关帖子