Finding SQL Injection Scans in WordPress Error Logs


This post describes an approach to spotting SQL injection attacks in error_log once WordPress has error logging turned on.

What caught Cocoa's interest is that the blog in question is actually the official blog of SpiderLabs, a team within Trustwave, and it looks fairly interesting. For example, the posts under its Honeypot Alert tag all analyse the Apache access_log of one of their web honeypots.

Here is a brief rundown of the article.

  1. Enable WordPress error logging
    Only the following lines in wp-config.php need changing:
    @ini_set('log_errors','On');
    @ini_set('display_errors','Off');
    @ini_set('error_log','/home/example.com/logs/php_error.log');
  2. SQL injection scanning
    [07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'
    [07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--
    [07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--
    The log lines above show a brute-force attempt to guess the number of columns in the table; that huge hexadecimal value gets parsed as null.
  3. Blind SQL injection scanning
    The attacker used functions such as "waitfor delay" and "benchmark" for blind injection.
    [07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--
    [07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)
  4. Mass scanning via Google
    Botnet controllers may use infected hosts to identify potential targets. Below is a fragment of an RFI (remote file inclusion) attack script captured by the company's honeypot:
    # Fragment only: the helper subs key(), search_engine_query() and links()
    # are referenced here but were not part of the quoted excerpt.
    sub google() {
        my @list;
        my $key = $_[0];
        for (my $i=0; $i<=400; $i+=10){
            my $search = ("http://www.google.com/search?q=".&key($key)."&num=100&filter=0&start=".$i);
            my $res = &search_engine_query($search);
            while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {
                if ($1 !~ /google/){
                    my $link = $1;
                    my @grep = &links($link);
                    push(@list,@grep);
                }
            }
        }
        return @list;
    }

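As an added example (not part of the original post or of the SpiderLabs article), the following Python scanner parses WordPress error_log lines in the format quoted in items 2 and 3 above and flags the three probe patterns seen there: a trailing escaped quote that breaks the statement, UNION ALL SELECT column counting, and time-based blind functions (waitfor delay and BENCHMARK from the logs, plus MySQL SLEEP as a generalisation). It also decodes the 0x hex literals so an analyst can see what string was actually injected. The rule names and regexes are my own; the first four sample lines are the page's log entries, the last two are constructed to show that ordinary errors are not flagged.

```python
import re

# Constructed sample: the four error_log lines quoted in the post plus one PHP
# notice and one benign database error, neither of which must be flagged.
SAMPLE_LOG = [
    r"[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'",
    r"[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--",
    r"[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--",
    r"[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)",
    r"[07-Dec-2012 03:00:00] PHP Notice:  Undefined index: page in /var/www/wp-content/themes/example/functions.php on line 12",
    r"[07-Dec-2012 03:00:01] WordPress database error Table 'wp.wp_missing' doesn't exist for query SELECT * FROM wp_missing WHERE id = 7",
]

# "[timestamp] WordPress database error <mysql message> for query <sql>"; the
# greedy message group stops at the last " for query " so the SQL is intact.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] WordPress database error (?P<msg>.*) for query (?P<query>.*)$")

# Rules run against the reconstructed query only, not the MySQL error text,
# so the fragment echoed inside "near '...'" cannot cause a double match.
RULES = {
    "union_column_probe": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "time_based_blind": re.compile(r"\bwaitfor\s+delay\b|\bBENCHMARK\s*\(|\bSLEEP\s*\(", re.I),
    "quote_break": re.compile(r"\\'\s*$"),  # statement ends in an escaped quote
}
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")

def decode_hex_literals(query):
    """Return the ASCII text hidden in MySQL 0x... literals (0x41 -> 'A')."""
    out = []
    for h in HEX_LITERAL_RE.findall(query):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable>")
    return out

def classify(line):
    """Parse one error_log line; None for non-database errors or benign queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = m.group("query")
    labels = [name for name, rx in RULES.items() if rx.search(query)]
    if not labels:
        return None
    return {"timestamp": m.group("ts"), "labels": labels, "query": query,
            "hex_strings": decode_hex_literals(query)}

def scan(lines):
    """Return the classification records for every suspicious line, in order."""
    return [hit for hit in (classify(l) for l in lines) if hit]
```

Running scan() on a real php_error.log gives one record per probe with its timestamp, so the hits can be correlated against access_log entries from the same second.
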
Cocoa's takeaway: the article is fairly basic, but detecting attacks from logs seems to be a popular direction at the moment.

Coming up next: Google Knowledge Graph search


Article URL: http://www.hcocoa.com/2012/12/17/SQLi-Scanning-Detected-in-WordPress-Error-Logs
Original article; if reposting, please credit the link: from HCocoa's blog