This article describes how, once WordPress error logging is enabled, SQL injection attacks can be spotted from the error_log.
What caught Cocoa's attention is that the blog is actually the official blog of a team called Spiderlab under TrustWave, which seems fairly interesting. For example, it mentions that the posts under the Honeypot Alert tag all analyze the Apache access_log of one of their web honeypots.
A brief overview of the article follows.

Enabling WP error logging
Only the following lines in wp-config.php need changing (the log path is the article's example; on your own site put the log outside the web root so it is not served to visitors):

    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/home/example.com/logs/php_error.log');

display_errors stays Off on purpose: the goal is to record the database errors without echoing them to the client, since verbose MySQL errors in the response are exactly what an injection scanner feeds on.

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

The log above shows the scanner brute-forcing the number of columns for a UNION query, adding one column per request. The large hex value is not parsed as null: MySQL reads 0x31303235343830303536 as a hex string literal, i.e. the ASCII text 1025480056, which the scanner then looks for in the response to learn which column is reflected (this particular marker is the well-known signature of the Havij tool). Note also that, in the lines as quoted, the query has no table name between FROM and WHERE, so every probe fails at parse time, which is what gets it written to this log in the first place.
Blind SQL injection scanning
The attacker also tried time-based blind injection using functions such as "waitfor delay" and "benchmark".

[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)

A caveat: WAITFOR DELAY is Microsoft SQL Server syntax and can never execute on MySQL, so that probe always produces an error and always lands in this log. BENCHMARK() is valid MySQL, and a time-based probe that parses cleanly raises no error and leaves no trace here. The error_log therefore catches the noisy part of a scan, not a well-formed blind injection; for those you need to look at response timing in the access_log.
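To show how error_log lines like the ones in the two sections above can be turned into detections, here is an added example in Python. It is not code from the Spiderlab post or from WordPress. It parses "WordPress database error" lines, tags the techniques seen above (UNION column probing, the hex reflection marker, waitfor delay, BENCHMARK; SLEEP() is added as a generalization not present in the quoted log), decodes hex literals to show what the scanner embedded, counts how many columns each UNION probe tries, and groups flagged queries into scanner bursts by timestamp. The sample log is constructed from the lines quoted on this page (MySQL message text shortened) plus one ordinary PHP notice as a negative case; the tag names, the 60-second burst window and the notice line are my own choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of a WordPress php_error.log: the five "WordPress database error"
# lines quoted on this page (MySQL message text shortened) plus one ordinary PHP notice,
# added so the parser has a line it must ignore.
SAMPLE_LOG = r"""[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
[07-Dec-2012 03:00:00] PHP Notice:  Undefined index: foo in /var/www/wp-content/plugins/example.php on line 12
"""

# Shape of the lines $wpdb writes when PHP error logging is on:
#   [timestamp] WordPress database error <MySQL message> for query <SQL>
DB_ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WordPress database error .*? for query (?P<query>.*)$"
)

# Injection techniques to tag. Dict order is the order tags appear in a Finding.
SIGNATURES = {
    "union_select":    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "hex_marker":      re.compile(r"\b0x(?:[0-9a-f]{2}){4,}\b", re.I),  # long hex literal = reflection marker
    "mssql_waitfor":   re.compile(r"\bWAITFOR\s+DELAY\b", re.I),        # T-SQL; always a syntax error on MySQL
    "mysql_benchmark": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "mysql_sleep":     re.compile(r"\bSLEEP\s*\(", re.I),               # generalization: not in the page's log
    "quote_break":     re.compile(r"\\'"),                              # escaped ' = attacker sent a raw quote
}


@dataclass
class Finding:
    ts: str
    query: str
    tags: list
    union_columns: int   # columns tried by a UNION probe, 0 if not a UNION
    decoded_hex: list    # ASCII decoding of every hex literal in the query


def decode_hex_literals(query):
    """MySQL treats 0x3130... as a string literal; show what the attacker embedded."""
    return [bytes.fromhex(m.group(1)).decode("ascii", "replace")
            for m in re.finditer(r"\b0x((?:[0-9a-f]{2})+)\b", query, re.I)]


def union_column_count(query):
    """How many columns a UNION ... SELECT a,b,c-- probe is trying (top-level commas + 1)."""
    m = re.search(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(.*?)(?:--|#|$)", query, re.I)
    if not m:
        return 0
    depth, count = 0, 1
    for ch in m.group(1):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count


def analyze_log(text):
    """Return one Finding per database-error line whose query matches a signature."""
    findings = []
    for line in text.splitlines():
        m = DB_ERROR_RE.match(line)
        if not m:
            continue  # PHP notices etc. are not database errors
        query = m.group("query")
        tags = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if tags:
            findings.append(Finding(m.group("ts"), query, tags,
                                    union_column_count(query), decode_hex_literals(query)))
    return findings


def burst_count(findings, window_seconds=60):
    """Group findings into scanner runs: a gap above window_seconds starts a new burst."""
    times = sorted(datetime.strptime(f.ts, "%d-%b-%Y %H:%M:%S") for f in findings)
    bursts, prev = 0, None
    for t in times:
        if prev is None or (t - prev).total_seconds() > window_seconds:
            bursts += 1
        prev = t
    return bursts


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts}  {','.join(f.tags):32} cols={f.union_columns} hex={f.decoded_hex}")
    print(f"{len(hits)} suspicious queries in {burst_count(hits)} burst(s)")
```

Run against a real php_error.log, the burst grouping is what separates a scanner (several malformed queries within seconds from one source) from the occasional plugin bug that also writes a database error; the decoded hex column makes marker strings such as 1025480056 visible without reading the raw SQL.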
Googling for targets at scale

Botnet controllers may use the infected hosts themselves to identify potential targets. Below is a fragment of RFI (remote file inclusion) attack code captured by the company's honeypot; the helper subs &key, &search_engine_query and &links are defined elsewhere in the bot and are not part of the fragment:

    sub google() {
        my @list;
        my $key = $_[0];
        # Walk the Google result pages for the search term, 100 hits per page
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            # Pull every linked host out of the result page, skipping google itself
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);   # expand each hit into candidate URLs
                    push(@list,@grep);
                }
            }
        }
        return @list;
    }

The loop pages through Google results for a search term, extracts every linked host other than google itself, and feeds each one to &links to build the target list. This is why the Apache access_log of the honeypot fills with requests that share a search-engine-shaped pattern: the bots are not scanning address space, they are working from search results.
Cocoa's summary: the article is fairly simple, but detecting attacks from logs seems to be a popular direction at the moment.