How to check web server logs for SQL injection?

11,091

Solution 1

If your web server logs are logging the query parameters, then search for known SQL (e.g. SELECT) through the logs.

If they're not logging query parameters, then you're unlikely to find anything by searching the logs; instead you'll have to look for patterns, for example a repeated URL that wouldn't normally be repeated.

Solution 2

I've been using this Linux command string to identify possible SQL injections:

egrep -i '\bUNION\b|\bSELECT\b|\bCHAR\b' $access_log

You could add in other key terms as well, but those were the ones I was finding in my logs.

To generate a list of offending IP addresses, get a little fancier:

egrep -i '\bUNION\b|\bSELECT\b|\bCHAR\b' $access_log | sed -n 's/\([0-9\.]\+\).*/\1/p' | sort | uniq -c

This tallies up the offending IPs by the number of instances:

    335 160.153.153.31
   1197 175.138.67.67
    508 76.72.165.79
    208 92.60.66.184
    111 95.143.64.185
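As an added example (not code from the answer above or from any of its authors), here is the same keyword search done in Python over constructed Apache combined-format lines. It percent-decodes the query string first (bounded, so double-encoded keywords still surface) and matches only the part after "?", so a path such as /charts/select-a-plan.html is not counted as a hit; the log lines, addresses and keyword list are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=1+union+all+select+user,password+from+users HTTP/1.1" 200 9001 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?q=%2563har(65) HTTP/1.1" 200 120 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /charts/select-a-plan.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One regex for the log line, one for the keywords from the answer above plus a few extra (assumed list).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)')
SQL_RE = re.compile(r'\b(union|select|char|insert|drop|sleep|benchmark)\b', re.IGNORECASE)

def decode_query(query, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads still surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def find_suspicious(log_text):
    """Return (ip, decoded_query, keyword) for each request whose query string holds a SQL keyword.
    Only the part after '?' is inspected, so a path like /select-a-plan.html is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or '?' not in m.group('target'):
            continue
        query = decode_query(m.group('target').split('?', 1)[1])
        kw = SQL_RE.search(query)
        if kw:
            hits.append((m.group('ip'), query, kw.group(1).upper()))
    return hits

def tally_by_ip(hits):
    """Equivalent of the sort | uniq -c step: count flagged requests per client address."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == '__main__':
    for ip, count in tally_by_ip(find_suspicious(SAMPLE_LOG)).most_common():
        print(f'{count:>5} {ip}')
```

Keyword matching is only a triage step: a hit means "look at this request", and any line whose status and response size look abnormal for that URL deserves a closer look even when the tally is low.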

Author: Frank Martin

Updated on September 18, 2022

Comments

  • Frank Martin
    Frank Martin over 1 year

    If I have a PHP site hosted on Apache and someone hacks it using SQL injection, is there a way I can find out exactly which script caused this by looking at my web server logs?
    Or using some other way?

  • Frank Martin
    Frank Martin about 11 years
    OK, this brings me to another question. How do you log query parameters?
  • Frank Martin
    Frank Martin about 11 years
    One more thing. Shall I look into access logs or error logs?
  • Jenny D
    Jenny D about 11 years
    The error logs should show failed hack attempts, not successful ones. So start with the access logs. To see how to change what's getting logged, maybe making a separate log for query parameters only, look at httpd.apache.org/docs/2.2/mod/mod_log_config.html .
  • 4wk_
    4wk_ over 2 years
    I understand both points of view about "occurrences and impacts", and this answer does not deserve downvotes considering it's the same as the other one, but with awk, which is fine.
  • ARaj123
    ARaj123 over 2 years
    Can SQL statements in query parameters be encoded or are they all recognizable? Is there something other than plain English SQL statements that I should be looking for in these logs?