|
|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。; v- C ~8 A5 o, V6 {
6 e+ g) \# E* p吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。
/ w+ G( k" o4 [; @9 \ a- Y B
/ s# l) s1 H8 y [简单介绍一下这篇文章吧。% K% l+ u* A, g) @8 ]8 m7 s) O7 y
& F' _# G+ |4 c
开启WP错误记录功能) n8 l9 z& q5 `
只需要修改wp-config.php的如下几行:
2 d/ r' e# b+ i) ?- c" C A$ ~8 i# q7 ^
@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描/ X) z% [. X `- \1 g( @6 n3 h) f
) t8 B j$ ?; p& u1 w5 ^
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\' t# ~7 o& C) u$ y% W
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--- F P9 m7 h5 G' H l2 C& A) w
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--+ Y% b( ^% m$ |- f9 ~6 ~
上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 ( L% r% i# E$ P% A7 W" e) @
SQL盲注扫描! i6 Z& s Q: P
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。
$ X& n6 l) q: Y) t2 K0 G9 s- R) @7 E) S) H9 e$ c& D
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--+ P, W! m* C: K; v0 O
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
, K" g! d9 r0 E; c! lGoogle一下大规模扫描
# X: B- `, |2 \& N6 l1 S( Z
: J: Q! s: @# l5 O! P8 O |9 T$ W, s. u3 m8 K
! X* U/ z9 D1 y9 o* d0 T7 H2 w2 B# S, m, K! |3 k/ g
: T: U8 F! j* l8 S
% _5 g/ Q, R/ O! w5 m8 A r. ` 僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;8 u, U. L2 W9 Y9 x$ ?: J
7 n, L* ^ Y' o2 o; ?: m Q6 \& @Cocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。
+ W0 n# p( g: v" B0 E8 v" F; W |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|