|
|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。
7 c7 n# {& A5 i: N6 T- f9 [" U9 h0 G% A
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。6 N! S( M" r- d
2 k" c( u2 E7 {! A3 W5 B+ O/ B* _
简单介绍一下这篇文章吧。$ ?, D2 G) h1 F
. d2 o6 w6 _9 Y开启WP错误记录功能7 {* N2 |; i( x$ u8 X/ B
只需要修改wp-config.php的如下几行:$ T ?. F# v0 `4 m2 f* A
/ I3 l% o2 S0 `! I4 t+ \4 C@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描 F5 K" X' G. Z: W' l ~, R& O4 p0 W
5 a) E) c0 X, {- j
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
; ^# ?( o4 p4 k1 @0 |: n% W[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
% U v# B* u9 r, v5 g, H[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
& L0 m% O$ z" @5 [上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。
6 q5 O; v* o( nSQL盲注扫描
' M0 U! Z {! s" X) N! J攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。0 y6 h/ H+ a( G. Z$ c- ?
" R3 y$ S% v @+ @+ J3 Q
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
# U7 b+ H& S1 Q9 x0 [[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
) M7 I/ b4 X: ^% u+ J7 v2 pGoogle一下大规模扫描; w- Q \% X; A4 d. {
; q1 R1 H4 v8 @; q7 q
; y" |1 j7 h# [
* W) S( d9 Q9 {) L# K9 P* t0 T9 Y7 H4 U0 ?2 J/ n
" Z( C9 o' n- ]8 t1 J
# w; w' I7 C+ u
僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;
. g+ j2 Y( A$ v- _
5 s7 p) u# K6 [" {' eCocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。! `6 f: u; f9 ^) p7 n+ b5 \
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|
发表于 2013-1-11 21:23:34
收藏
支持
反对