2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how to analyze the MySQL log. Many people run into this situation when handling real cases, so let us walk through how to deal with it.
Common database attacks include weak passwords, SQL injection, privilege escalation and backup theft. By analyzing the database log we can identify attack behavior, reconstruct the attack and trace it back to its source.
1. MySQL log analysis
The general query log records every successful connection and every query executed, so we can treat it as part of our security tooling: it provides the evidence for troubleshooting or for an investigation after an intrusion.
1. View the log configuration:
   show variables like '%general%';
2. Enable the log:
   SET GLOBAL general_log = 'On';
3. Specify the log file path:
   SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log';
For example, when I visit /test.php?id=1, we get a log like this:
190604 14:46:14    14 Connect   root@localhost on
                   14 Init DB   test
                   14 Query     SELECT * FROM admin WHERE id = 1
                   14 Quit
Let's parse it by column:
The first column, Time: the timestamp, date first, then the time of day. It is printed only on the first line because these SQL statements were executed almost simultaneously, so the time is not repeated for each of them.
The second column, Id: the thread ID, the same value as the first column of show processlist. For long connections and time-consuming SQL statements it tells you exactly which thread is running what.
The third column, Command: the operation type, such as Connect for connecting to the database or Query for querying it (inserts, deletes and updates are all shown as Query), so you can focus on specific kinds of operation.
The fourth column, Argument: the details, such as Connect root@localhost on, meaning a connection to the database, followed below by whatever query operations were performed after connecting.
2. Login success / failure
Let's run a simple test: scan with my own weak-password tool using a small dictionary of 2 users and 4 passwords, 8 combinations in total.
The log record in MySQL looks like this:
Time            Id  Command   Argument
190601 22:03:20  98 Connect   root@192.168.204.1 on
                 98 Connect   Access denied for user 'root'@'192.168.204.1' (using password: YES)
                103 Connect   mysql@192.168.204.1 on
                103 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                104 Connect   mysql@192.168.204.1 on
                104 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                100 Connect   root@192.168.204.1 on
                101 Connect   root@192.168.204.1 on
                101 Connect   Access denied for user 'root'@'192.168.204.1' (using password: YES)
                 99 Connect   root@192.168.204.1 on
                 99 Connect   Access denied for user 'root'@'192.168.204.1' (using password: YES)
                105 Connect   Mysql@192.168.204.1 on
                105 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                100 Query     set autocommit=0
                102 Connect   mysql@192.168.204.1 on
                102 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                100 Quit
Can you tell which attempt in this password-guessing sequence succeeded?
With the brute-force tool, a successful password guess is recorded like this:
190601 22:03:20 100 Connect   root@192.168.204.1 on
                100 Query     set autocommit=0
                100 Quit
However, logging in by other means looks a little different.
Navicat for MySQL login:
190601 22:14:07 106 Connect   root@192.168.204.1 on
                106 Query     SET NAMES utf8
                106 Query     SHOW VARIABLES LIKE 'lower_case_%'
                106 Query     SHOW VARIABLES LIKE 'profiling'
                106 Query     SHOW DATABASES
Command line login:
190601 22:17:25 111 Query     select @@version_comment limit 1
190601 22:17:56 111 Quit
The difference arises because each database client runs its own initialization queries after connecting. From this fingerprint we can make a rough judgment about how the user connected to the database.
In addition, whether you use a brute-force tool, Navicat for MySQL or the command line, login failures produce the same record.
Record of a login failure:
102 Connect   mysql@192.168.204.1 on
102 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
Use shell commands for a simple analysis:
# Which IP is brute-forcing?
grep "Access denied" mysql.log | cut -d "'" -f4 | uniq -c | sort -nr
     27 192.168.204.1
# Which usernames are in the brute-force dictionary?
# Note: uniq -c only merges adjacent duplicates, which is why the same user
# appears twice below; insert a sort before uniq to get one total per user.
grep "Access denied" mysql.log | cut -d "'" -f2 | uniq -c | sort -nr
     13 mysql
     12 root
      1 root
      1 mysql
In log analysis we need to pay special attention to sensitive operations such as dropping tables, backing up databases, and reading or writing files. Keywords: drop table, drop function, lock tables, unlock tables, load_file(), into outfile, into dumpfile.
Sensitive database tables: SELECT * FROM mysql.user, SELECT * FROM mysql.func
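The shell one-liners above break down as soon as the log has continuation lines without a timestamp, or when the same user appears non-adjacently. The script below is an added example for this article (not the author's tool) that parses the general query log properly and pulls out the three signals discussed in this section: failed logins aggregated per source IP and per user, connections that actually succeeded (a Connect never followed by Access denied on the same thread), and queries that touch the sensitive keywords and tables listed above. It assumes the default general_log file layout shown in the article and the standard "Access denied for user 'u'@'h'" wording; the sample log is constructed in the same format, and the brute-force threshold is an assumed tuning value.

```python
"""Parse a MySQL general query log and extract security signals:
failed logins per source IP and per user, sessions that succeeded,
and queries touching sensitive keywords or tables.

Assumes the default general_log file layout (Time Id Command Argument, with
the timestamp printed only when it changes)."""
import re
from collections import Counter

# Constructed sample in the general_log layout from the article (not a real capture).
SAMPLE_LOG = """\
190601 22:03:20    98 Connect   root@192.168.204.1 on
                   98 Connect   Access denied for user 'root'@'192.168.204.1' (using password: YES)
                  103 Connect   mysql@192.168.204.1 on
                  103 Connect   Access denied for user 'mysql'@'192.168.204.1' (using password: YES)
                  100 Connect   root@192.168.204.1 on
                  100 Query     set autocommit=0
                  100 Quit
190601 22:14:07   106 Connect   root@192.168.204.1 on
                  106 Init DB   test
                  106 Query     SET NAMES utf8
                  106 Query     SELECT * FROM mysql.user
                  106 Query     SELECT 1 INTO OUTFILE '/tmp/out.txt'
                  106 Quit
"""

LINE_RE = re.compile(
    r"^(?:(?P<time>\d{6} +\d{2}:\d{2}:\d{2}) +)?"
    r"(?P<id>\d+) +(?P<cmd>Connect|Init DB|Query|Quit)\s*(?P<arg>.*)$"
)
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

# Keywords from the article's list of sensitive operations and tables (lower-case).
SENSITIVE = ("drop table", "drop function", "lock tables", "unlock tables",
             "load_file(", "into outfile", "into dumpfile", "mysql.user", "mysql.func")


def parse_log(text):
    """Yield (time, thread_id, command, argument) tuples.

    Lines that carry no timestamp inherit the most recent one, as in the raw log."""
    last_time = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:               # header line or noise
            continue
        if m.group("time"):
            last_time = m.group("time")
        yield last_time, int(m.group("id")), m.group("cmd"), m.group("arg").strip()


def analyze(text):
    """Return failed-login counters, successful sessions and sensitive queries."""
    denied_by_ip = Counter()
    denied_by_user = Counter()
    denied_threads = set()
    connects = {}        # thread id -> account from its Connect line
    sensitive = []       # (thread id, time, query)
    for when, tid, cmd, arg in parse_log(text):
        if cmd == "Connect":
            d = DENIED_RE.search(arg)
            if d:
                denied_by_ip[d["host"]] += 1
                denied_by_user[d["user"]] += 1
                denied_threads.add(tid)
            else:
                # "root@192.168.204.1 on" -> "root@192.168.204.1"
                connects[tid] = arg[:-3].strip() if arg.endswith(" on") else arg
        elif cmd == "Query":
            low = arg.lower()
            if any(k in low for k in SENSITIVE):
                sensitive.append((tid, when, arg))
    # A Connect never followed by Access denied on the same thread succeeded.
    successes = [(tid, acct) for tid, acct in connects.items() if tid not in denied_threads]
    return {
        "denied_by_ip": denied_by_ip,
        "denied_by_user": denied_by_user,
        "successes": successes,
        "sensitive": sensitive,
    }


def brute_force_sources(result, threshold=10):
    """Hosts with at least `threshold` failed logins (threshold is an assumed tuning value)."""
    return [ip for ip, n in result["denied_by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("failed logins by IP:  ", dict(r["denied_by_ip"]))
    print("failed logins by user:", dict(r["denied_by_user"]))
    print("successful sessions:  ", r["successes"])
    for tid, when, q in r["sensitive"]:
        print(f"sensitive query on thread {tid} at {when}: {q}")
```

Feed it the real file with `analyze(open("/var/lib/mysql/mysql.log").read())`. Because success is judged per thread id rather than per line, a brute-force run that ends in one valid password shows up as many Access denied entries for the source plus exactly one entry in `successes` from the same host, which is the pattern the page asks you to spot by eye.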
3. Traces of SQL injection intrusion
When exploiting a SQL injection vulnerability, attackers commonly use sqlmap's --os-shell parameter to obtain a shell, which, if done carelessly, leaves behind temporary tables and custom functions created by sqlmap. Let's first look at how the sqlmap os-shell parameter is used and how it works:
1. Construct a SQL injection point and open port 8080 for Burp to listen on.
sqlmap.py -u http://192.168.204.164/sql.php?id=1 --os-shell --proxy=http://127.0.0.1:8080
The HTTP communication process is as follows:
sqlmap creates a temporary file tmpbwyov.php, executes system commands by requesting this Trojan (web shell), and returns the output to the page for display.
Tmpbwyov.php:
It creates a temporary table sqlmapoutput, calls the stored procedure that executes the system command and writes the result into the temporary table, then reads the temporary table and displays the data to the front end.
By looking for recently created suspicious files in the website directory, you can determine whether a SQL injection attack has taken place.
Inspection method:
1. Check whether there are Trojan (web shell) files in the website directory:
2. Check whether there are traces of UDF or MOF privilege escalation.
   Check these directories for abnormal files:
   Mysql\lib\plugin
   C:/windows/system32/wbem/mof/
   Check whether the function has been deleted:
   select * from mysql.func
3. Combine this with web log analysis.
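As an added example for this inspection procedure (not a tool from the original article), the script below turns the file-system checks into a repeatable heuristic: it flags script files created recently under the web root (the kind of tmpXXXXXX.php stager left by --os-shell) and any fresh file in the MySQL plugin or WMI MOF directories named above, which is where UDF and MOF privilege escalation drop their payloads. The web root, the Linux plugin path, the 7-day window and the sample file listing are all assumed or constructed values; the mysql.func query from step 2 still has to be run against the server itself.

```python
"""Heuristic file-system check for SQL injection / privilege escalation traces:
recently created script files under the web root and fresh files in the MySQL
plugin or WMI MOF directories.

Paths and the time window are assumptions; adjust them to the host under review."""
import os
import time

WEB_SCRIPT_EXT = {".php", ".jsp", ".asp", ".aspx"}

# Directories from the article (assumed locations; the Linux plugin path is a common default).
DEFAULT_PLUGIN_DIRS = [
    "/usr/lib/mysql/plugin",
    "C:/windows/system32/wbem/mof",
]


def flag_suspicious(entries, web_root, plugin_dirs, now, window_days=7):
    """entries: iterable of (path, mtime_epoch). Returns [(reason, path), ...] in input order."""
    cutoff = now - window_days * 86400
    web_root = os.path.normpath(web_root) + os.sep
    plugin_roots = [os.path.normpath(p) + os.sep for p in plugin_dirs]
    findings = []
    for path, mtime in entries:
        if mtime < cutoff:
            continue                      # only files touched inside the window matter here
        norm = os.path.normpath(path)
        ext = os.path.splitext(norm)[1].lower()
        if norm.startswith(web_root) and ext in WEB_SCRIPT_EXT:
            findings.append(("recent web script", norm))
        elif any(norm.startswith(r) for r in plugin_roots):
            findings.append(("recent file in plugin/MOF dir", norm))
    return findings


def walk_mtimes(root):
    """Yield (path, mtime) for every regular file under root; unreadable entries are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.stat(full).st_mtime
            except OSError:
                continue


def scan_live(web_root, plugin_dirs=DEFAULT_PLUGIN_DIRS, window_days=7):
    """Run the check against the real file system of this host."""
    entries = []
    for root in [web_root, *plugin_dirs]:
        entries.extend(walk_mtimes(root))
    return flag_suspicious(entries, web_root, plugin_dirs, time.time(), window_days)


# Constructed sample listing (not a real host): epoch seconds relative to NOW.
NOW = 1_700_000_000
SAMPLE_ENTRIES = [
    ("/var/www/html/index.php", NOW - 90 * 86400),               # old, legitimate
    ("/var/www/html/tmpbwyov.php", NOW - 3600),                  # created an hour ago
    ("/var/www/html/uploads/logo.png", NOW - 600),               # recent but not a script
    ("/usr/lib/mysql/plugin/auth_socket.so", NOW - 400 * 86400), # shipped with MySQL
    ("/usr/lib/mysql/plugin/udf.so", NOW - 900),                 # appeared 15 minutes ago
]


def demo():
    """Run the heuristic over the constructed listing."""
    return flag_suspicious(SAMPLE_ENTRIES, "/var/www/html", DEFAULT_PLUGIN_DIRS, NOW)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason}: {path}")
```

`scan_live("/var/www/html")` runs the same logic on the host. Treat the output as a shortlist to review, not a verdict: a legitimate deployment also creates fresh .php files, so correlate each hit with the web log and with the sqlmapoutput table and mysql.func entries described above.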