从WordPress错误日志里发现SQL注入扫描攻击 - 网站

这篇文章介绍了当WordPress开启错误记录以后，根据error_log来发现SQL注入攻击的思路。

 

吸引Cocoa的是这个博客其实是TrustWave公司下属的一个叫Spiderlab团队的官方博客，貌似比较有意思。例如它提到了Honeypot Alert这个标签里的文章都是分析他们一个Web蜜罐的Apache access_log日志的。

 

简单介绍一下这篇文章吧。

 

开启WP错误记录功能

只需要修改wp-config.php的如下几行：

@ini_set('log_errors','On');

@ini_set('display_errors','Off');

@ini_set('error_log','/home/example测试数据/logs/php_error.log');

SQL 注入扫描

[07-Dec-2012 02:40:49] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1\'' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1\'

[07-Dec-2012 02:40:50] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536--

[07-Dec-2012 02:40:53] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x313032353438303035' at line 1 for query SELECT text, author_id, date FROM  WHERE id = 999999.9 UNION ALL SELECT 0x31303235343830303536,0x31303235343830303536--

上面的日志就是在暴力猜解表的列数，那个巨大的十六进制值会被解析成null。

SQL盲注扫描

攻击者使用了类似"waitfor delay"和"benchmark"这样的函数来盲注。

[07-Dec-2012 02:43:21] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1; if (1=1) waitfor delay \'00:00:05\'--

[07-Dec-2012 02:43:27] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = -1 and if(1=1,BENCHMARK(8623333, MD5 (0x41)),0)' at line 1 for query SELECT text, author_id, date FROM  WHERE id = -1 and if(1=1,BENCHMARK(8623333,MD5(0x41)),0)

Google一下大规模扫描

僵尸网络控制着可能使用被感染主机来识别潜在的目标。下面是该公司的蜜罐捕获到的一个RFI（远程文件包含）攻击代码里的片段：

sub google() {

    my @list;

    my $key = $_[0];

    for (my $i=0; $i<=400; $i+=10){

        my $search = ("http://HdhCmsTestgoogle测试数据/search?q=".&key($key)."&num=100&filter=0&start=".$i);

        my $res = &search_engine_query($search);

        while ($res =~ m/<a href="\"?http:\/\/([^">\"]*)\//g) {

            if ($1 !~ /google/){

            my $link = $1;

                my @grep = &links($link);

                push(@list,@grep);

            }

        }

    }

    return @list；

 

Cocoa总结：文章比较简单，但是从日志来检测攻击貌似是目前流行的一个方向。

 

参考资料：

[Honeypot Alert] SQL Injection Scanning Detected in WordPress Error Logs

SpiderLabs Anterior

查看更多关于从WordPress错误日志里发现SQL注入扫描攻击 - 网站的详细内容...