|
|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。
; h9 @ V/ b! E5 J* S) Z
8 X/ n3 p3 M/ z' J6 M吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。( P- u$ ~5 K! g. Q6 h' H' s6 l4 }" f
) {( P! b n, s4 A8 K4 f. ?简单介绍一下这篇文章吧。
) _ R" J, ]# H0 `" d" _1 c2 s! R% |' ]. j6 Z! x
开启WP错误记录功能7 w2 Q: F5 \5 ?( ?( C7 d+ Y
只需要修改wp-config.php的如下几行:
& m4 k8 v' S: v5 v4 P; H6 d0 H/ G# O& I3 j
@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描
+ E4 v4 q( @/ o' {$ }6 _
6 F0 K4 C2 Z. L' E[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'4 P H9 B8 ~" e) R& a
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
( Z4 x5 c& F4 }( a[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--4 C. M4 S* M \! R9 k3 t% ^2 B4 X
上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 & ?) _% ]' l3 M$ C
SQL盲注扫描
8 K9 S8 q) O% g# \; u攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。
' e) S" r7 A7 S( [6 d
1 M& S( F8 j# a6 B! L1 K3 t[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
: t' v9 O# _# u( ?- s+ v' G[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
k1 y- ]# i |+ [) {- \Google一下大规模扫描
) h @- `' \% v! [, m
n! Q: B8 w9 _) y3 n1 c; [# c( J( M! W
; V/ ^0 ^+ [+ W! a4 a9 B
% e1 e9 T7 D2 n5 ^' p9 k) T* R5 {, d q
* ~; l) R* C. K& [, l
僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;
/ h, R, z0 v+ i: Y( C! `
x% a& x, S# H7 A1 U2 g; y/ D8 v2 qCocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。& Q# H' h. \/ z' ^+ c" e
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|
发表于 2013-1-11 21:23:34
收藏
支持
反对