从WordPress错误日志里发现SQL注入扫描攻击

admin · 发表于 2013-1-11 21:23:34

这篇文章介绍了当WordPress开启错误记录以后，根据error_log来发现SQL注入攻击的思路。" e& V+ H- X0 i' {+ q8 M/ s
2 c! y2 _. n" U( _" q
吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客，貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。% |2 |  W0 D$ N4 A
: Z" o' j( L# w: i0 ~
简单介绍一下这篇文章吧。
; ^2 v4 l0 m0 \/ _" l$ S  F0 E% s! I  \' [% j2 y7 b) @/ Y% c2 o
开启WP错误记录功能
, Y9 U6 \( _7 g' H只需要修改wp-config.php的如下几行：; H+ x, a# h% F: Y% z

. r( L' h5 c) s/ x! h9 Y( Z3 T@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描5 j  \0 N# ~3 Q; h& B

  T' v8 {1 y# N; b4 m2 m1 k[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'
2 M  C/ s" [, h[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
* T- W+ W6 U$ {) g% g0 V8 o[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
2 L" k# l  g* [5 B* E上面的日志就是在暴力猜解表的列数，那个巨大的十六进制值会被解析成null。
& E8 }3 f* v0 g4 B! O- a7 [1 RSQL盲注扫描: A& M1 B, Q9 U) K3 f+ p
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。6 i1 @0 R% q* g6 L( L1 K$ e

( l5 L( ?+ B5 @1 L! i& P) z5 j  t[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
0 p2 B& \) ?6 j[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)2 a) g! Q  N6 M; X2 Q' s! \+ J, Q
Google一下大规模扫描
9 |: V) X( V! g6 \' z1 u& F4 ?. t- T5 m2 v4 v

2 h+ [) q' i" t9 b6 D                         . B3 p4 ]. m5 d1 A/ \2 Q

% c4 B3 T& ?* O; c) W* h8 \6 b* Q& e  o  Q4 y; n+ d

; F% Z+ s/ I! Q: m                            僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI（远程文件包含）攻击代码里的片段：
sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list；
l/ O2 \7 D3 L& a

Cocoa总结：文章比较简单，但是从日志来检测攻击貌似是目前流行的一个方向。

		自动登录	找回密码
密码			立即注册

从WordPress错误日志里发现SQL注入扫描攻击

本帖子中包含更多资源

相关帖子