This article describes how, once WordPress has error logging enabled, the error_log can be used to spot SQL injection attacks.

What drew Cocoa's attention is that this blog is actually the official blog of a team called SpiderLabs under Trustwave, which seems quite interesting. For instance, it mentions that the posts under the Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.

Here is a brief introduction to the article.

Enabling WP error logging

Only the following lines in wp-config.php need to be modified:

    @ini_set('log_errors', 'On');        // write PHP and WordPress errors to a log file
    @ini_set('display_errors', 'Off');   // never show error details to visitors
    @ini_set('error_log', '/home/example.com/logs/php_error.log');  // path of the log file

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
The log above shows the attacker brute-forcing the number of columns in the table; that huge hexadecimal value is parsed as null.

Blind SQL injection scanning

The attacker used functions such as "waitfor delay" and "benchmark" for blind injection.

[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
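As an added example (not from this post or from the SpiderLabs article), here is a small Python scanner that parses "WordPress database error ... for query ..." entries of the form shown above out of php_error.log and tags each failing query with the probes the article describes (UNION column brute force, long hex fillers, waitfor delay, BENCHMARK). The sample log lines and the signature names are constructed for this illustration.

```python
import re
from collections import Counter

# Constructed php_error.log sample modelled on the entries quoted above (MySQL
# messages shortened); the PHP notice and the last DB error are benign controls.
SAMPLE_LOG = r"""
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 03:00:00] PHP Notice:  Undefined index: foo in /home/example.com/wp-content/themes/t/functions.php on line 12
[07-Dec-2012 03:01:00] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing
"""

# One entry: timestamp, MySQL message, then the failing query WordPress appends.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<msg>.*?) for query (?P<query>.*)$")

# Heuristic signatures (names are my own) for the probes the post describes.
SIGNATURES = {
    "union_column_probe": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),  # long hex filler; 0x41 is too short
    "time_based_mssql": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "time_based_mysql": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "comment_truncation": re.compile(r"--\s*$"),             # rest of the query commented out
    "unbalanced_quote": re.compile(r"\\'\s*$"),              # stray escaped quote at the end
}

def parse_entry(line):
    """Fields of a 'WordPress database error' line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(query):
    """Sorted signature names matching the failing query."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def scan(log_text):
    """Return (flagged entries, Counter of signature hits) for a php_error.log body."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue                 # PHP notices etc. are not DB errors
        tags = classify(entry["query"])
        if tags:                     # a DB error with no signature is just a bug
            entry["tags"] = tags
            hits.append(entry)
            counts.update(tags)
    return hits, counts
```

Running scan() over a real php_error.log and grouping the flagged entries by timestamp gives the same burst pattern as the excerpts above; a DB error that matches no signature is ordinary breakage and is left alone.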
Large-scale scanning via Google

Botnet controllers may use infected hosts to identify potential targets. Below is a fragment from an RFI (remote file inclusion) attack script captured by the company's honeypot:

    sub google() {
        my @list;
        my $key = $_[0];
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list,@grep);
                }
            }
        }
        return @list;
    }

Cocoa's summary: the article is fairly simple, but detecting attacks from logs seems to be a popular direction at present.