这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。3 I9 S7 b: U6 p9 S) [" M Q; e
# d" y5 i) V; W7 J8 ?" R4 Z% a
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。 ' G4 k# I/ o0 r5 ^ W8 g+ T : p$ {& G' R# y- U简单介绍一下这篇文章吧。1 N7 z, J/ W. v4 i& t
% n* k8 l; }2 U' Y: Z% {
开启WP错误记录功能 0 I9 G+ p3 W, p U只需要修改wp-config.php的如下几行:- \* L8 v* l. Y; O( M
. L7 ~; N. t+ P* x% K. J@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描$ U$ J( {" H$ Z0 q2 a) z
1 k2 q/ _: V/ ]5 C ]. L[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\' + k, O+ w; t+ H1 u0 T9 H[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--2 H/ W1 p9 b: ]/ z0 R
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536-- / W8 [1 Q- M" u+ l上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 3 P) ?$ l; g+ v1 J( GSQL盲注扫描4 g) J- N0 S9 N9 V
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。 8 Z% u- H t6 _' {( [( J# \ ) \ v& ~, q# f0 {, o7 D3 u[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--; M' {. i* W3 m3 ^" b2 T
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0). [/ J0 W, R$ w/ L2 }. {
Google一下大规模扫描 ; M. _- S n5 Y, Y4 b1 z& v4 _% Q F1 }/ Y
3 r- C+ l& W2 r: |5 n9 y: s8 O/ z [attach]163[/attach] ; \& n6 m; m& q4 r # a1 Y9 o( f' Z5 J2 c5 j- U9 |: B4 S. I) M, T: z4 O- A
! P6 d! i# Z m3 C$ e4 m 僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段:
sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list; ' p; g% J3 I; k0 l7 @; o; b