- This article describes how, once WordPress has error logging enabled, the error_log can be used to spot SQL injection attacks.
What drew Cocoa's interest is that this blog is actually the official blog of SpiderLabs, a team within Trustwave, which looks fairly interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.
A brief overview of the article.

Enabling WordPress error logging
Only the following lines in wp-config.php need to be changed:

@ini_set('log_errors','On');                                          // write PHP errors to a log file
@ini_set('display_errors','Off');                                     // but never show them to visitors
@ini_set('error_log','/home/example.com/logs/php_error.log');         // path of the log file to write

SQL injection scanning
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
The log entries above show the attacker brute-forcing the number of columns in the table; that huge hexadecimal value will be parsed as null.
Blind SQL injection scanning
The attacker used functions such as "waitfor delay" and "benchmark" for blind injection.
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
Googling for mass scanning
Botnet controllers may use infected hosts to identify potential targets. Below is a fragment of the code from an RFI (remote file inclusion) attack captured by the company's honeypot:

sub google() {
    my @list;
    my $key = $_[0];
    for (my $i=0; $i<=400; $i+=10){
        my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
        my $res = &search_engine_query($search);
        while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
            if ($1 !~ /google/){
                my $link = $1;
                my @grep = &links($link);
                push(@list,@grep);
            }
        }
    }
    return @list;
Cocoa's summary: the article is fairly simple, but detecting attacks from logs seems to be a popular direction at the moment.
) @, f# S" `! }3 W7 k3 ? |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|