|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。
. e8 G& Q4 U5 ~9 O ]5 F& u7 N% x
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。
- J [) x" Q7 N7 F
0 [) R/ F: V+ z0 i) ?简单介绍一下这篇文章吧。
: f8 b0 V9 @4 F$ {: i. G8 I; [! X
3 ]# t, Z" q8 O开启WP错误记录功能
7 u- S9 c1 N: O6 V H& |只需要修改wp-config.php的如下几行:: B/ P* o" v% ^8 r0 W
* W) w% R1 c2 a r/ Y/ S
@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描
& _" c5 |7 ^5 N* g r# {2 m/ F# O& n5 d3 K
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'. R3 d- n+ Y- \" K0 x, ?
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--9 U; q- c+ x5 ^5 ?) _9 I
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
+ l# ?0 Y. y6 R1 O6 G, Y上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。
5 Q8 q- F$ k2 J5 G1 @SQL盲注扫描
) { C% l8 ~2 e: T$ l攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。4 I* @9 j) W! S5 J, N
Z% Z( F# \# W7 t[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
9 B! t' Y* }. f w, U+ P9 T: A[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)2 u& ^, c' `+ }5 J1 x, n$ H
Google一下大规模扫描! ?9 } X: O) w4 V9 K+ W
' |& F7 t2 q3 N. H% a3 v
, K- J+ a: ~7 y4 r
+ `% y X% c, Y
* R8 H2 m9 y# S0 v3 L; w! g5 C1 g' R
9 I4 A8 J; K" y& E5 w7 D6 w 僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;
: Z0 ]& Q9 q0 F @' M1 I4 ^
4 S9 ]& V1 b9 z' KCocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。
) t: o7 I* |; S2 P; u& d |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|