从WordPress错误日志里发现SQL注入扫描攻击

admin · 发表于 2013-1-11 21:23:34

这篇文章介绍了当WordPress开启错误记录以后，根据error_log来发现SQL注入攻击的思路。  ^" q. i" h6 M

$ i% A/ p: U5 S2 L) l6 V* Q吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客，貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。1 ^0 }& W9 r0 D- x) i$ ~
* I7 `) c1 `* P& B
简单介绍一下这篇文章吧。
' w  W1 u. Y) n
/ r. L# s7 V; f3 F2 B1 |开启WP错误记录功能4 a& b. W, l! V5 ~) M4 }3 E) r
只需要修改wp-config.php的如下几行：
1 ^& ]1 G6 ~0 f. U. t
5 z3 ~- I9 q( q( G) v- V4 _@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描5 A2 P+ ~9 a" D# R8 _4 v  _7 h
, X7 O) n, R& Q/ Q
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'  S# @- r, N: a- N! Z, `% Z
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
* I' Y; N6 v9 _; U5 w[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--7 [. I7 H, ~5 H" k( k
上面的日志就是在暴力猜解表的列数，那个巨大的十六进制值会被解析成null。   T% ]4 s' j4 ~; c4 [; w. M
SQL盲注扫描0 P! U- z; J" @; K$ F' t7 O0 l, C
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。# Y5 v8 p$ M/ L# V" x$ L

3 r+ A, r( z8 U7 R[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--) A7 I2 A% r1 E  }0 V% m+ D5 F5 T
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)3 |) Z  o; Z% A( S" Q
Google一下大规模扫描
% E9 p2 s; s5 V, }6 j
( X2 F5 y( m0 J
0 [. b& Q1 ?9 p# a  A* Z/ t6 Q, H                            S6 r! z0 Y: o
3 W) ?. w0 f- z( ^6 ~8 l8 b, I! V' \5 o
$ F$ {' m/ I. b- R- l
1 P! x+ T7 W( T8 ?0 G
                           僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI（远程文件包含）攻击代码里的片段：
sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list；
( |' Q' J9 G0 U& t: v% X

Cocoa总结：文章比较简单，但是从日志来检测攻击貌似是目前流行的一个方向。

		自动登录	找回密码
密码			立即注册

从WordPress错误日志里发现SQL注入扫描攻击

本帖子中包含更多资源

相关帖子