|
- 这篇文章介绍了当WordPress开启错误记录以后,根据error_log来发现SQL注入攻击的思路。! ~% t6 i) h! s' U* e0 f( q, i
! A& D( ]/ j. E6 T; M& |吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客,貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。! T+ I5 m; R3 i
, _) d) c/ e, j) F简单介绍一下这篇文章吧。+ X8 \' k/ z# I9 R
( i; a2 K; _1 x) u" ~* c5 w开启WP错误记录功能
2 y' h1 }9 N) N( E( a/ }只需要修改wp-config.php的如下几行:
. \; Q8 a& w3 G' Q- Y9 M2 M( [+ O' x3 N6 W& S* @, G
@ini_set('log_errors','On'); @ini_set('display_errors','Off'); @ini_set('error_log','/home/example.com/logs/php_error.log');SQL 注入扫描% V! p2 b) H" X1 W0 M5 j1 U
^; Y/ r$ V! K7 c
[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1\'2 O Z( W; f& c/ E
[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
8 C, f8 z" ^* f+ o7 v[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--+ Y2 y7 c; H/ ~* r/ n/ U2 E
上面的日志就是在暴力猜解表的列数,那个巨大的十六进制值会被解析成null。 8 y% U$ P, ~5 n3 s4 \
SQL盲注扫描. r w) A+ w0 f; C6 F' c& d
攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。( \0 n3 h, k) m- x0 \" ~
$ f0 m4 n( ]8 n& w1 {
[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--% N! z1 F- y8 u
[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
" c9 o- g6 R; \) SGoogle一下大规模扫描# T; N% o2 |4 s
" S$ D9 [( f3 l' A$ a% G% s* k
+ o8 C1 u. t9 ` } + o! W s1 ^" D
" B) Q! k; ~$ k4 [7 q" a
1 N( F4 V u( C6 q3 R/ h" e% v. F( t9 {
' r1 u' T* T# m" c! f 僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI(远程文件包含)攻击代码里的片段: - sub google() { my @list; my $key = $_[0]; for (my $i=0; $i<=400; $i+=10){ my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i); my $res = &search_engine_query($search); while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) { if ($1 !~ /google/){ my $link = $1; my @grep = &links($link); push(@list,@grep); } } } return @list;
, O% c* H; @+ S
/ } O; a0 M) g' UCocoa总结:文章比较简单,但是从日志来检测攻击貌似是目前流行的一个方向。
7 m* W: W; Y/ c* z3 _3 k% j1 A |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|