Experiment 10: Web Log Audit

  • Su Yucheng
  • 031803108

1. Experimental purpose

Let students understand the following information and master specific log analysis methods:

  • Analyzing website server (Web Server) logs is an important method for website analysis
  • Server logs record a lot of operating information of the website server. This information can help security managers analyze website traffic and visitor behavior on the website.

2. Experimental principles

Web access logs record raw information such as the requests the Web server received and processed and the errors that occurred at runtime. Security analysis of web logs not only helps network administrators understand the security status of the server in real time, but also helps analyze the characteristics of attack behavior, trace the attacker's IP and, when a website has been compromised and suffered economic losses, restore the attack path, find the site's security vulnerabilities and fix them.

Common web servers such as WebLogic, Apache, Nginx, IIS and Tomcat all have their own log files. For example, Apache has two log files: access.log (user access log) and error.log (errors while Apache is running). You can use grep -i "CustomLog" /etc/httpd/conf/httpd.conf to find the path of the Apache access log.

Apache logs have three formats: combined format, common format and custom format. The following is an example of logs in combined format:

127.0.0.1 - - [11/Jun/2018:12:47:22 +0800] "GET /login.html HTTP/1.1" 200 786 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"

From this log we can clearly tell the user's IP, when the request was made, which operating system and browser the user used, which method they used to request which page of the website, whether the access succeeded, and so on. For more on the Apache log format, see the reference links.

From the above analysis we know that the web server records every request from the client, so how do we distinguish normal requests from malicious attack requests? From the attacker's perspective, penetrating a website involves a large number of scanning requests and requests that perform malicious operations, and both kinds leave characteristic traces in the logs. For example, a scan accesses many non-existent addresses, which shows up in the log as a large number of 404 response status codes. When an attacker launches a malicious attack on the server, filtering the log records with select as the keyword and adding constraints such as access time and status code lets the administrator find injection attacks that may have succeeded recently.

Common security analysis methods for WEB logs:

  • Determine the time range of the intrusion, use it as a clue to search for suspicious logs within that range, investigate further, and finally identify the attacker and restore the attack process.
  • After intruding into a website, attackers usually leave a backdoor to maintain access so they can get in again. The logs can therefore be checked for script files created or updated recently and for file upload behaviour, and these findings serve as clues for the analysis.
  • Determine the source of the attack; for example, the attack path can be restored by locating the attacker's IP.
  • For large-scale log data, data mining and statistical analysis techniques must be used for intelligent analysis and processing. For log files of ordinary size, visual tools such as EmEditor and Apache log viewer under Windows are recommended; under Linux, grep, awk and other commands can be combined to analyze the logs manually.

Basic knowledge related to this experiment: SQL blind injection

Blind SQL injection: when the programmer hides the database's built-in error messages and replaces them with a generic error message, the result of an injected statement can no longer be judged from the error message; this is called blind injection. The basic principle is that, since the result cannot be read from an error message, it can only be inferred from the difference between the responses to logically true and logically false conditions. For the basic steps, see the reference link https://www.cnblogs.com/zixuanfy/p/6002545.html

2. Experimental topics

Analyze the Web log and find the flag. The flag format is flag{XXXXXX}

Tips: URL transcoding, SQL blind injection; a 200 status code indicates a correct guess, a 400 status code indicates an incorrect guess

3. Experimental environment

  • Online transcoding platform https://tool.leavesongs.com/
  • Notepad or other log viewing tool, such as Apache log viewer
  • A Linux or Windows host
  • Reference links:
    • https://help.aliyun.com/document_detail/28987.html
    • https://blog.csdn.net/qq_23936389/article/details/94000757
    • https://www.cnblogs.com/zixuanfy/p/6002545.html

4. Experimental procedures and results

The challenge concerns logs of a sqlmap injection that used the dichotomy (binary search) method. There are many ways to solve it, including working through it by hand and analysis based on the payload characteristics.

Here is one approach. If you are familiar with Apache logs, you know that access.log records the response status code and the length of the response packet. The length returned differs depending on whether the guess is correct or wrong.

Taking the 24th character of the guess as an example: when the guess is correct, the returned status code is 200 and the length is 1765; when the guess is incorrect, the status code is 404 and the length is 5476.

It follows that when sqlmap injects using the dichotomy method with > comparisons, the correct ASCII value of a character is the threshold of the last correct > comparison plus 1, which for this character is 125 ('}'). Simply write a script to match this.

# coding:utf-8
import re
from urllib.parse import unquote

with open('access.log', 'r') as f:
    lines = f.readlines()

datas = []
for line in lines:
    t = unquote(line)
    if '1765' in t and 'flag' in t:  # keep only flag-related, correct guesses (response length 1765)
        datas.append(t)

flag_ascii = {}
for data in datas:
    matchObj = re.search(r'LIMIT 0,1\),(.*?),1\)\)>(.*?) AND', data)
    if matchObj:
        key = int(matchObj.group(1))            # character position in the flag
        value = int(matchObj.group(2)) + 1      # last correct "> N" means the character is N + 1
        flag_ascii[key] = value                 # the dictionary keeps the last correct guess per position

flag = ''
for key in sorted(flag_ascii):                  # assemble the characters in position order
    flag += chr(flag_ascii[key])

print(flag)

Running it gives:

flag{sqlm4p_15_p0werful}
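As an added example (not the script above or the original challenge log), the same recovery generalised: it parses the combined-format fields instead of matching the literal length 1765, tracks both true and false > comparisons per position so a character whose search was cut short shows as ? rather than a wrong letter, and runs against a constructed log sample; the request path /login.php?id= and the table name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Payload shape quoted in the writeup: ... LIMIT 0,1),<pos>,1))><threshold> AND ...
PAYLOAD_RE = re.compile(r'LIMIT 0,1\),(\d+),1\)\)>(\d+) AND')
TRUE_STATUS = "200"  # a true comparison returned 200; a false one returned 404 here

def parse_line(line):
    """Return (ip, decoded path, status, size), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status, size = m.groups()
    return ip, unquote(path), status, size

def recover_blind_flag(lines):
    """Rebuild the string sqlmap extracted with a '>' boolean-blind binary search."""
    lo = defaultdict(lambda: -1)   # per position: largest N proven below the value (true "> N")
    hi = defaultdict(lambda: 256)  # per position: smallest N proven at or above it (false "> N")
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ip, path, status, _size = parsed
        m = PAYLOAD_RE.search(path)
        if not m:
            continue
        pos, n = int(m.group(1)), int(m.group(2))
        if status == TRUE_STATUS:
            lo[pos] = max(lo[pos], n)
        else:
            hi[pos] = min(hi[pos], n)
    # the character is pinned down only when the true/false bounds differ by exactly 1
    return "".join(chr(lo[p] + 1) if hi[p] == lo[p] + 1 else "?"
                   for p in sorted(set(lo) | set(hi)))

# Constructed sample (not from the original log): search steps for three positions, formatted as
# combined-format lines with the 200/1765 and 404/5476 responses described in the writeup.
_TMPL = ('10.0.0.5 - - [11/Jun/2018:12:50:{i:02d} +0800] "GET /login.php?id=1%20AND%20ORD(MID((SELECT'
         '%20flag%20FROM%20f%20LIMIT%200,1),{pos},1))%3E{n}%20AND%201=1 HTTP/1.1" {status} {size} "-" "sqlmap/1.2"')
_STEPS = [(1, 64, "200"), (1, 96, "200"), (1, 112, "404"), (1, 104, "404"),
          (1, 100, "200"), (1, 102, "404"), (1, 101, "200"),   # pinned to 'f' (102)
          (2, 64, "200"), (2, 96, "200"), (2, 112, "404"), (2, 104, "200"),
          (2, 108, "404"), (2, 106, "200"), (2, 107, "200"),   # pinned to 'l' (108)
          (3, 64, "200"), (3, 96, "200"), (3, 112, "404")]     # search cut short -> '?'
SAMPLE_LOG = [_TMPL.format(i=i, pos=p, n=n, status=s, size="1765" if s == "200" else "5476")
              for i, (p, n, s) in enumerate(_STEPS)]
```

Calling recover_blind_flag(SAMPLE_LOG) returns "fl?"; on a real access.log, pass the file's lines instead.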



Origin blog.csdn.net/kelxLZ/article/details/117436827