Hands-On: Attack SQL Injection (en)
This module will guide you in conducting forensic investigations on SQL injection attacks that occur on a Linux server. We will analyze system logs, particularly Apache and Snort logs, to identify indicators of compromise (IoC) associated with this attack. Additionally, we will use Wireshark to capture network traffic in real-time and observe suspicious activities.
Preparation
- Access to the Linux Server: Ensure you have root access or a user with sufficient rights to read the system logs.
- Text Editor: Use a text editor like Vim, Nano, or Emacs to view the log contents.
- Wireshark: Install and configure Wireshark to capture network traffic.
- Basic SQL Understanding: It's important to understand the basics of SQL to interpret queries that may have been injected by an attacker.
Log Analysis
1. /var/log/apache2/access.log
The Apache log records every request received by the web server. To analyze this log, look for:
- Unusual Requests: Pay attention to requests that contain special characters such as single quotes ('), double quotes ("), or percent signs (%). These could indicate an injection attempt.
- Suspicious IP Addresses: Look for IP addresses that frequently appear with strange request patterns.
- 404 Errors: Although not always indicative of an attack, an unusual volume or pattern of 404 errors (for example, many requests probing for files that do not exist) can be a clue.
- Invalid Parameters: Note any URL parameters that are excessively long or contain inappropriate characters.
Example log entry:
192.168.1.100 - - [06/Jun/2023:00:01:00 +0800] "GET /index.php?id=1' OR '1=1'-- HTTP/1.1" 200 500 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
In the example above, the characters `' OR '1=1'--` appended to the `id` parameter (a quote that breaks out of the intended value, an always-true condition, and a comment marker that discards the rest of the query) are a hallmark of SQL injection attacks.
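As an added example (not part of the original module), the following Python script applies the checks above to Apache Combined Log Format entries: it parses each line, URL-decodes the query parameters, flags the indicators listed above, and counts flagged requests per source IP so that frequently appearing addresses stand out. The sample log lines are constructed, and the 100-character threshold for an "excessively long" parameter is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache Combined Log Format; the request is captured whole so unencoded spaces in the URI survive.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SQLI_PATTERNS = [  # indicators the module lists: quotes, comment markers, tautologies, SQL keywords
    (r"'", "single quote"),
    (r'"', "double quote"),
    (r"--|/\*|#", "SQL comment marker"),
    (r"\b(or|and)\b\s*'?\s*\d+\s*'?\s*=", "tautology (OR 1=1)"),
    (r"\b(union|select|sleep|benchmark)\b", "SQL keyword"),
]
MAX_PARAM_LEN = 100  # assumed threshold for an "excessively long" parameter value

def sqli_indicators(uri):
    """Return the indicator labels found in the decoded query parameters of uri."""
    found = []
    query = urlsplit(uri).query
    if "%" in query:
        found.append("percent-encoded characters")
    for name, value in parse_qsl(query, keep_blank_values=True):  # values are URL-decoded here
        if len(value) > MAX_PARAM_LEN:
            found.append(f"oversized parameter {name}")
        found += [f"{label} in {name}" for pat, label in SQLI_PATTERNS
                  if re.search(pat, value, re.IGNORECASE)]
    return found

def analyze(lines):
    """Return (findings, per_ip): flagged (ip, ts, uri, indicators) tuples and a hit count per IP."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: not an IoC by itself, but worth a manual look
        indicators = sqli_indicators(m["uri"])
        if indicators:
            findings.append((m["ip"], m["ts"], m["uri"], indicators))
            per_ip[m["ip"]] += 1
    return findings, per_ip

# Constructed sample: the module's example entry, a benign request, and a percent-encoded variant.
SAMPLE_LOG = r'''
192.168.1.100 - - [06/Jun/2023:00:01:00 +0800] "GET /index.php?id=1' OR '1=1'-- HTTP/1.1" 200 500 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Jun/2023:00:01:05 +0800] "GET /index.php?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
192.168.1.100 - - [06/Jun/2023:00:01:09 +0800] "GET /index.php?id=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"
'''.strip().splitlines()
```

Run `analyze()` over the lines of a real access.log (for example `open("/var/log/apache2/access.log")`) and review the per-IP counts alongside the flagged URIs; pattern matching of this kind produces false positives on legitimate input containing apostrophes, so each hit still needs manual confirmation.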
2. /var/log/snort/alert
The Snort log contains alerts about suspicious activities detected by the intrusion detection system. Look for alerts related to SQL injection such as:
- SQL Injection Rules: Snort has specific rules to detect patterns of SQL injection attacks.
- Suspicious HTTP Requests: Pay attention to HTTP requests that contain SQL injection payloads.
3. /var/log/snort/snort.log
This Snort log contains more detailed information about each event, including the captured packets that triggered the alert. It can be used for further analysis, for example to confirm what an alert in /var/log/snort/alert actually matched.
Using Wireshark
- Start Capture: Run Wireshark and select the network interface you want to monitor.
- Filter: Use filters such as `http.request.uri contains "SQL"` or `http.request.method == "POST"` to sift through relevant traffic.
- Analysis: Pay attention to HTTP packets that contain suspicious parameters. Decode HTTP packets to see the payload being sent.
Next Steps
- Gather Additional Information: If you find indicators of compromise, collect additional information such as timestamps, IP addresses, and request details.
- In-Depth Analysis: Conduct a thorough analysis of the collected data to identify the root cause of the attack.
- Clean the System: Remove suspicious files, update passwords, and fix any identified vulnerabilities.
- Implement Preventive Measures: Apply preventive measures such as parameterized queries, input validation, and web application firewalls (WAF) to prevent similar attacks in the future.
Notes
- This module only provides an overview. The forensic process for SQL injection can be more complex depending on the type of attack and system configuration.
- Understand the Context: Log analysis should be performed with the system and application environment in mind; a pattern that is suspicious on one application may be normal traffic on another.
- Use Additional Tools: In addition to Wireshark, you can also use other forensic tools like tcpdump, grep, and specialized log analysis tools.