- This article describes an approach to spotting SQL injection attacks in the error_log once WordPress has error logging turned on.

What drew Cocoa's attention is that the blog is actually the official blog of SpiderLabs, a team within Trustwave, and it looks fairly interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.

A quick run-through of the article.
Turning on WP error logging

Only the following lines in wp-config.php need to be changed:

    @ini_set('log_errors','On');
    @ini_set('display_errors','Off');
    @ini_set('error_log','/home/example.com/logs/php_error.log');

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

The log lines above show the attacker brute-forcing the number of columns in the table; the huge hexadecimal value will be parsed as null.
Blind SQL injection scanning

The attacker uses functions such as "waitfor delay" and "benchmark" to perform blind injection.
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
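As an added example (not code from the SpiderLabs post or from WordPress), the script below does the detection the two sections above describe by hand: it parses the "WordPress database error ... for query ..." lines that log_errors=On writes to the configured error_log, tags each failed query with the injection indicators it carries (UNION SELECT column probing, time-based functions such as waitfor delay / BENCHMARK / SLEEP, stacked statements, the escaped quote that broke the original string, long hex literals, trailing comment markers) and, for UNION probes, counts how many columns the attacker tried. The sample log is constructed from the entries quoted in the post, with the MySQL messages shortened; the indicator names and the regular expressions are my own choices, not anything WordPress or the article defines.

```python
"""Flag SQL-injection probes in a WordPress php_error.log (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: modelled on the entries quoted in the post, messages shortened,
# plus one benign database error and one unrelated PHP notice as negative cases.
SAMPLE_LOG = r"""[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual ... at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual ... at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual ... at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual ... at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual ... at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 03:05:10] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing
[07-Dec-2012 03:07:00] PHP Notice:  Undefined index: page in /var/www/wp-content/themes/x/functions.php on line 12
"""

# Shape of the line wpdb writes when log_errors is on: "[ts] WordPress database error <msg> for query <sql>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<msg>.*?) for query (?P<query>.*)$"
)

# Indicator names are my own; each regex is applied to the failed query only,
# never to the MySQL message (which repeats part of the payload).
INDICATORS = [
    ("union_select", re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("time_based", re.compile(r"\bWAITFOR\s+DELAY\b|\bBENCHMARK\s*\(|\bSLEEP\s*\(", re.I)),
    ("stacked_query", re.compile(r";\s*(?:IF|SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I)),
    ("quote_break", re.compile(r"\\'")),            # escaped quote that closed the attacker's string
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
    ("comment_tail", re.compile(r"(?:--|#)\s*$|/\*")),
]

# Captures the select list of a UNION probe so the column count can be read off.
UNION_COLS = re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+(.*?)\s*(?:--|#|$)", re.I | re.S)


@dataclass
class Finding:
    timestamp: str
    query: str
    indicators: List[str] = field(default_factory=list)
    union_columns: Optional[int] = None   # columns tried in a UNION probe, if any


def union_column_count(query: str) -> Optional[int]:
    """Number of comma-separated terms the attacker placed after UNION ... SELECT."""
    m = UNION_COLS.search(query)
    return len(m.group(1).split(",")) if m else None


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a WordPress database error line, None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    query = m.group("query")
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    cols = union_column_count(query) if "union_select" in hits else None
    return Finding(m.group("ts"), query, hits, cols)


def scan_log(text: str) -> List[Finding]:
    """Keep only the database errors that carry at least one injection indicator."""
    found = (classify_line(line) for line in text.splitlines())
    return [f for f in found if f is not None and f.indicators]


def summarize(findings: List[Finding]) -> Counter:
    """How often each indicator occurred; useful as an alert threshold input."""
    counts: Counter = Counter()
    for f in findings:
        counts.update(f.indicators)
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        cols = f"  (union columns tried: {f.union_columns})" if f.union_columns else ""
        print(f"{f.timestamp}  {','.join(f.indicators)}{cols}\n    {f.query}")
    print(dict(summarize(scan_log(SAMPLE_LOG))))
```

In practice this would tail the path set in `@ini_set('error_log', ...)` rather than a constant, and alert when `summarize` crosses a threshold within a short window; since the error_log line as quoted carries no client address, the matching request has to be found by timestamp in the Apache access_log, which is the log the post's honeypot analyses in its Honeypot Alert series.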
Mass scanning via Google

Botnet controllers may use infected hosts to identify potential targets. Below is a fragment of the code from an RFI (remote file inclusion) attack captured by the company's honeypot:

    sub google() {
        my @list;
        my $key = $_[0];
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list,@grep);
                }
            }
        }
        return @list;
Cocoa's summary: the article is fairly basic, but detecting attacks from logs seems to be a popular direction at the moment.