Post (Published)
Date: Dec 22, 2022
Summary: A simple analysis of how the database log module is implemented
Tags: Tools
Category: Study notes

0. Introduction to EventLog Analyzer

EventLog Analyzer is a security information and event management (SIEM) product from ManageEngine (Zoho) that monitors log data from network devices, applications and operating systems in real time. It processes the logs automatically and generates reports so that security administrators can detect and respond to potential threats promptly. It also analyses the logs to identify internal and external threats and raises alerts and notifications to support fast response and remediation. In addition, it tracks the logging required by regulations and produces reports for various compliance standards.

This article is a brief analysis of how its database log module is implemented; it can serve as a reference when building similar functionality.

1. DLL files

First, locate a suspicious log-collection process among the running processes: SysEvtCol.exe. Judging by the name it should be the log-collecting executable. Path:
C:\ManageEngine\EventLog_Analyzer\EventLog Analyzer\bin\SysEvtCol.exe
However, the DLLs it loads reveal nothing useful at first glance.
Walking up to its parent process:
C:\ManageEngine\EventLog_Analyzer\EventLog Analyzer\jre\bin\java.exe
After filtering out the system DLLs and going through EA's own DLLs for suspicious ones, one stands out by name: importLog.dll
C:\ManageEngine\EventLog_Analyzer\EventLog Analyzer\lib\native\importLog.dll
Looking at the DLLs it imports, the EventLog-related functions from ADVAPI32.dll are plainly visible.
From the exported function names, this part is presumably what retrieves the EventLog for the sa user service.
Next comes AdventnetOper.dll. A closer look shows many functions for creating, reading, updating and deleting registry keys/values and environment variables; together with the exported names, this is presumably the registry-manipulation part.

2. Format files

Load SysEvtCol.exe into IDA.
Open eventlog.txt in the ../logs directory.
From the winLogs content, this looks like the query log of EA fetching EVENTLOG content from its database.
Following the parserLogs entries, look at MSSQL.xml.
It is clearly the format file for parsing the MSSQL entries in the EVENTLOG.
The software presumably first fetches all EVENT logs and stores them in the PostgreSQL database, then uses the different XML format files to classify and extract them for the front end.

3. Decompiling with IDEA

  • Import the folder into IDEA and decompile it
Following the importLog.dll exports, locate the file \ManageEngine\EventLog_Analyzer\EventLog Analyzer\lib\EventLogService.jar!\com\adventnet\sa\server\imp\ImportEvtLogs.class
The native methods reference the local library; the key event-import operation is presumably still in importLog.dll.
  • Load importLog.dll into IDA
It is a DLL compiled from C++.
It calls the EventLog-related functions in ADVAPI32.dll.

4. Audit logs

Audit logging is off by default; it can be enabled in SSMS.
Here the events are written to the Application log; the entry looks as follows.
Related registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQL$<InstanceName>$Audit\EventSourceFlags. When this value is 0, multiple server audit events are not allowed to write to the SQL Server security log.

Extract the EventLog and write it to a file.

5. SQL injection test

Injection time: 17:29
The audit log recorded the corresponding query statement.
There is a matching event, but no SQL attack report (i.e. it was not identified as SQL injection).
Run sqlmap for a test; time 11:14
sqlmap -u 'http://192.168.249.212/sqli/MSSQL-SQLi-Labs/less-1.asp?id=1' -p id --level 5 --dbs -vvv
Everything is recorded in the Application log.
The back end also collects it normally.
But the SQL injection report (a predefined report) contains no data.
Predefined reports cannot be edited, and their contents cannot be viewed.
Test with a simple custom report: the condition is that the database query statement contains the string CASE WHEN, the device is this machine, and the default log source is Windows EventLog.
It can be inferred that the predefined report also draws on the default Windows EventLog, but because the built-in rules did not recognise the injected statement,

After adjusting the payload and testing again, the signature is obvious: a closing single quote and a comment marker; time 16:10
Modify the custom report condition.
The custom report recognises it.
Inference: SQL injection events are filtered out of the EventLog according to the built-in/custom rules.
 

6. Enabling audit logging

The EventLog details are as follows (event ID 33205): the audit and the audit specification are enabled through a JDBC connection to the database.
审核事件: audit_schema_version:1 event_time:2022-11-30 06:51:16.3535404 sequence_number:1 action_id:AUSC succeeded:true is_column_permission:false session_id:53 server_principal_id:1 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:A duration_milliseconds:0 response_rows:0 affected_rows:0 client_ip:192.168.249.217 permission_bitmask:00000000000000000000000000000000 sequence_group_id:00000000-0000-0000-0000-000000000000 session_server_principal_name:sa server_principal_name:sa server_principal_sid:01 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:DESKTOP-1P14TIC database_name: schema_name: object_name: statement: additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[ME_LOG3609eba5bb3_96a5_488a_86de_7da88d6bcddd$A]]></session><action>event enabled</action><startup_type>manual</startup_type><object><![CDATA[audit_event]]></object></action_info> user_defined_information: application_name:jTDS connection_id:9F7DA3E0-7681-433F-B490-75CFB8F976AA data_sensitivity_information: host_name:DESKTOP-1P14TIC
SQL statement that enables the audit:
USE [master]
GO
/****** Object: Audit [ME_LOG3609eba5bb3_96a5_488a_86de_7da88d6bcddd] Script Date: 2022/11/30 15:23:10 ******/
CREATE SERVER AUDIT [ME_LOG3609eba5bb3_96a5_488a_86de_7da88d6bcddd]
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE, AUDIT_GUID = '000f42ac-3e36-46c8-9903-5d24c6d97dbb')
ALTER SERVER AUDIT [ME_LOG3609eba5bb3_96a5_488a_86de_7da88d6bcddd] WITH (STATE = ON)
GO
SQL statement that creates the audit specification:
USE [master]
GO
CREATE SERVER AUDIT SPECIFICATION [ME_LOG360a9914bde_1851_49bd_ab19_8ed8393992c1]
FOR SERVER AUDIT [ME_LOG3609eba5bb3_96a5_488a_86de_7da88d6bcddd]
ADD (SCHEMA_OBJECT_ACCESS_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (DATABASE_CHANGE_GROUP),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_CHANGE_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
ADD (LOGIN_CHANGE_PASSWORD_GROUP),
ADD (SERVER_STATE_CHANGE_GROUP)
WITH (STATE = ON)
GO
Other SQL related to the audit policy:
EXEC sp_altermessage 211,'WITH_LOG',TRUE   -- log existing message 211 to the Windows Application log
EXEC sp_altermessage 427,'WITH_LOG',TRUE
-- likewise for 610,2509,2510,2514,8440,9100,15612,15615.....
SELECT MAX(SUSER_SNAME([Transaction SID])) USERNAME, @@ServerName servername, DB_NAME() dbname,
       MAX([Begin Time]) BEGINTIME, MAX([End Time]) ENDTIME, MAX([Transaction SID]) TransactionSID,
       MAX(AllocUnitName) AllocUnitName, MAX([Current LSN]) CURR
FROM fn_dblog(NULL,NULL)
WHERE [Transaction ID] IN (SELECT distinct([Transaction ID]) FROM fn_dblog(NULL,NULL) WHERE OPERATION='LOP_DELETE_ROWS')
GROUP BY [Transaction ID]
ORDER BY CURR ASC
select @@SERVERNAME, LOGINNAME, SID, CREATEDATE, UPDATEDATE, SYSADMIN, SECURITYADMIN, SERVERADMIN, SETUPADMIN,
       PROCESSADMIN, DISKADMIN, DBCREATOR, BULKADMIN,
       REPLACE(RTRIM(LTRIM(REPLACE((case when SYSADMIN = 1 then 'SysAdmin,' else '' end)
         + (case when SECURITYADMIN = 1 then 'SecurityAdmin,' else '' end)
         + (case when SERVERADMIN = 1 then 'ServerAdmin,' else '' end)
         + (case when SETUPADMIN = 1 then 'SetupAdmin,' else '' end)
         + (case when PROCESSADMIN = 1 then 'ProcessAdmin,' else '' end)
         + (case when DBCREATOR = 1 then 'DBCreator,' else '' end)
         + (case when BULKADMIN = 1 then 'BulkAdmin,' else '' end),',',' '))),' ',',') as Roles
from master..syslogins
where updatedate > '1800-01-01 00:00:00.000'
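As an added example (not code from the original post or from EventLog Analyzer), the following Python does over the 33205 record layout shown in this section what the custom report in section 5 does: it splits a record on the known field names (values such as event_time contain spaces and colons, so whitespace splitting does not work) and applies two hypothetical rules, one for CASE WHEN and one for a closing single quote followed by a comment marker. The field order is taken from the record quoted above; the sample record and the rule names are constructed.

```python
import re

# Field names in the order SQL Server writes them into event 33205 (taken from the
# audit record quoted above). Values may contain spaces and colons, so the record
# is split on the known key names rather than on whitespace.
AUDIT_FIELDS = (
    "audit_schema_version event_time sequence_number action_id succeeded "
    "is_column_permission session_id server_principal_id database_principal_id "
    "target_server_principal_id target_database_principal_id object_id "
    "user_defined_event_id transaction_id class_type duration_milliseconds "
    "response_rows affected_rows client_ip permission_bitmask sequence_group_id "
    "session_server_principal_name server_principal_name server_principal_sid "
    "database_principal_name target_server_principal_name target_server_principal_sid "
    "target_database_principal_name server_instance_name database_name schema_name "
    "object_name statement additional_information user_defined_information "
    "application_name connection_id data_sensitivity_information host_name"
).split()

# Hypothetical rule names mirroring the custom report conditions of section 5.
RULES = {
    "case_when": re.compile(r"\bCASE\s+WHEN\b", re.IGNORECASE),
    "quote_then_comment": re.compile(r"'\s*(--|/\*)"),
}

def parse_audit_event(text):
    """Split one 33205 record into {field: value}; absent fields are skipped."""
    found, cursor = [], 0  # (name, value_start, key_start) in record order
    for name in AUDIT_FIELDS:
        # key at start or after whitespace, so a key name inside a value is not a field
        m = re.compile(r"(?:^|\s)" + re.escape(name) + ":").search(text, cursor)
        if m:
            found.append((name, m.end(), m.start()))
            cursor = m.end()
    event = {}
    for i, (name, start, _) in enumerate(found):
        end = found[i + 1][2] if i + 1 < len(found) else len(text)
        event[name] = text[start:end].strip()
    return event

def match_rules(event):
    """Names of the rules whose pattern hits the audited statement."""
    return [n for n, rx in RULES.items() if rx.search(event.get("statement", ""))]

# Constructed record in the 33205 layout (not captured from a real host).
SAMPLE_EVENT = (
    "audit_schema_version:1 event_time:2022-11-30 08:10:02.1200000 sequence_number:1 "
    "action_id:SL succeeded:true client_ip:192.168.249.217 server_principal_name:sa "
    "statement:SELECT name FROM users WHERE id=1'-- additional_information: "
    "application_name:jTDS host_name:DESKTOP-1P14TIC"
)
```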

7. List of policy-related event IDs

45 IDs in total:
EXEC sp_altermessage 211,'WITH_LOG',TRUE   -- log existing message 211 to the Windows Application log
EXEC sp_altermessage 28048,'WITH_LOG',TRUE
EXEC sp_altermessage 18488,'WITH_LOG',TRUE
EXEC sp_altermessage 18487,'WITH_LOG',TRUE
EXEC sp_altermessage 18486,'WITH_LOG',TRUE
EXEC sp_altermessage 18471,'WITH_LOG',TRUE
EXEC sp_altermessage 18470,'WITH_LOG',TRUE
EXEC sp_altermessage 18468,'WITH_LOG',TRUE
EXEC sp_altermessage 18467,'WITH_LOG',TRUE
EXEC sp_altermessage 18466,'WITH_LOG',TRUE
EXEC sp_altermessage 18465,'WITH_LOG',TRUE
EXEC sp_altermessage 18464,'WITH_LOG',TRUE
EXEC sp_altermessage 18463,'WITH_LOG',TRUE
EXEC sp_altermessage 18462,'WITH_LOG',TRUE
EXEC sp_altermessage 18461,'WITH_LOG',TRUE
EXEC sp_altermessage 18456,'WITH_LOG',TRUE
EXEC sp_altermessage 18451,'WITH_LOG',TRUE
EXEC sp_altermessage 18401,'WITH_LOG',TRUE
EXEC sp_altermessage 15538,'WITH_LOG',TRUE
EXEC sp_altermessage 15537,'WITH_LOG',TRUE
EXEC sp_altermessage 28046,'WITH_LOG',TRUE
EXEC sp_altermessage 18455,'WITH_LOG',TRUE
EXEC sp_altermessage 18454,'WITH_LOG',TRUE
EXEC sp_altermessage 18453,'WITH_LOG',TRUE
EXEC sp_altermessage 17311,'WITH_LOG',TRUE
EXEC sp_altermessage 17308,'WITH_LOG',TRUE
EXEC sp_altermessage 5011,'WITH_LOG',TRUE
EXEC sp_altermessage 916,'WITH_LOG',TRUE
EXEC sp_altermessage 300,'WITH_LOG',TRUE
EXEC sp_altermessage 262,'WITH_LOG',TRUE
EXEC sp_altermessage 230,'WITH_LOG',TRUE
EXEC sp_altermessage 229,'WITH_LOG',TRUE
EXEC sp_altermessage 18100,'WITH_LOG',TRUE
EXEC sp_altermessage 825,'WITH_LOG',TRUE
EXEC sp_altermessage 806,'WITH_LOG',TRUE
EXEC sp_altermessage 17557,'WITH_LOG',TRUE
EXEC sp_altermessage 15615,'WITH_LOG',TRUE
EXEC sp_altermessage 15612,'WITH_LOG',TRUE
EXEC sp_altermessage 9100,'WITH_LOG',TRUE
EXEC sp_altermessage 8440,'WITH_LOG',TRUE
EXEC sp_altermessage 2514,'WITH_LOG',TRUE
EXEC sp_altermessage 2510,'WITH_LOG',TRUE
EXEC sp_altermessage 2509,'WITH_LOG',TRUE
EXEC sp_altermessage 610,'WITH_LOG',TRUE
EXEC sp_altermessage 427,'WITH_LOG',TRUE
The IDs alone: 211,28048,18488,18487,18486,18471,18470,18468,18467,18466,18465,18464,18463,18462,18461,18456,18451,18401,15538,15537,28046,18455,18454,18453,17311,17308,5011,916,300,262,230,229,18100,825,806,17557,15615,15612,9100,8440,2514,2510,2509,610,427
 

8. Summary

Enable audit logging and store it in the EventLog (Application) -> back up that log on a schedule -> read it into the front end on a schedule for display -> custom reports / alert rules on the front end
 
 

9. Oracle database

Create the database:
Password: Oracle19
Creating a user directly runs into the "invalid common user or role name" error; you first have to switch containers and so on.
select sys_context('USERENV','CON_NAME') from dual;   -- show the current container
select con_id, dbid, name, open_mode from v$pdbs;     -- list all containers
alter pluggable database [ORACLEDB] open;              -- open the pluggable database (switch container)
select con_id, dbid, name, open_mode from v$pdbs;     -- check the container status again
alter session set container=[ORACLEDB];                -- change the session's container
Then create the user:
CREATE USER OT IDENTIFIED BY Orcl1234;
GRANT CONNECT, RESOURCE, DBA TO OT;                    -- grant privileges
select username, user_id, account_status from dba_users where username like '%OT%';   -- check the user
Note: when connecting, use the username OT AS SYSDBA
CREATE TABLE customers (
    customer_id NUMBER GENERATED BY DEFAULT AS IDENTITY START WITH 320 PRIMARY KEY,
    name VARCHAR2( 255 ) NOT NULL,
    address VARCHAR2( 255 ),
    website VARCHAR2( 255 ),
    credit_limit NUMBER( 8, 2 )
);
Enabling the audit log:
SQL> show parameter audit;    -- check the audit settings: audit_trail = DB means enabled, NONE means disabled
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
SQL> alter system set audit_trail=db[,extended] scope=spfile;   -- enable auditing
SQL> shutdown immediate;
SQL> startup;                 -- restart the database to apply the change
Disabling the audit log:
SQL> alter system set audit_trail = none scope=spfile;
SQL> shutdown immediate;
SQL> startup;
 
Login log:
Audit trail: LENGTH: '332' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[4] 'NONE' CLIENT USER:[12] 'xxx' CLIENT TERMINAL:[7] 'unknown' STATUS:[4] '1017' DBID:[10] '3012978260' SESSIONID:[10] '4294967295' USERHOST:[10] 'xxx-pc' CLIENT ADDRESS:[56] '(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.129.1)(PORT=55590))' ACTION NUMBER:[3] '100' .   -- failed
Audit trail: LENGTH: '331' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[12] 'xxx' CLIENT TERMINAL:[7] 'unknown' STATUS:[1] '0' DBID:[10] '3012978260' SESSIONID:[10] '4294967295' USERHOST:[10] 'xxx-pc' CLIENT ADDRESS:[56] '(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.129.1)(PORT=55592))' ACTION NUMBER:[3] '100' .   -- success
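As an added example, not code from the original post: a small Python parser for the "Audit trail:" record layout shown above. It reads the NAME:[len] 'value' items, checks each declared length against the value actually present, pulls the client host out of CLIENT ADDRESS, and counts failed CONNECT attempts (STATUS other than '0', as in the first record) per host and database user. The sample records are constructed to follow that layout, and the function names are my own.

```python
import re
from collections import Counter

# One "NAME:[len] 'value'" item of an Oracle audit trail record as written to the
# Windows Application log (layout as in the two records quoted above).
ITEM_RE = re.compile(r"([A-Z][A-Z ]*?)\s*:\[(\d+)\]\s*'([^']*)'")
HOST_RE = re.compile(r"\(HOST=([^)]+)\)")

# Constructed records following the quoted layout; user and host names are made up.
SAMPLE_RECORDS = [
    "Audit trail: LENGTH: '332' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' "
    "PRIVILEGE :[4] 'NONE' CLIENT USER:[5] 'alice' CLIENT TERMINAL:[7] 'unknown' "
    "STATUS:[4] '1017' DBID:[10] '3012978260' SESSIONID:[10] '4294967295' "
    "USERHOST:[8] 'alice-pc' CLIENT ADDRESS:[56] "
    "'(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.129.1)(PORT=55590))' ACTION NUMBER:[3] '100' .",
    "Audit trail: LENGTH: '331' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' "
    "PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[5] 'alice' CLIENT TERMINAL:[7] 'unknown' "
    "STATUS:[1] '0' DBID:[10] '3012978260' SESSIONID:[10] '4294967295' "
    "USERHOST:[8] 'alice-pc' CLIENT ADDRESS:[56] "
    "'(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.129.1)(PORT=55592))' ACTION NUMBER:[3] '100' .",
]

def parse_audit_trail(record):
    """Return {field: value} for one record; a declared [len] that does not match
    the value is reported under "_length_mismatch" rather than trusted."""
    fields = {}
    for name, declared, value in ITEM_RE.findall(record):
        fields[name.strip()] = value
        if int(declared) != len(value):
            fields.setdefault("_length_mismatch", []).append(name.strip())
    host = HOST_RE.search(fields.get("CLIENT ADDRESS", ""))
    fields["CLIENT HOST"] = host.group(1) if host else ""
    return fields

def is_failed_connect(fields):
    """STATUS carries the ORA- error number; '0' is success, 1017 is ORA-01017
    (invalid username/password), as in the failed record above."""
    return fields.get("ACTION") == "CONNECT" and fields.get("STATUS", "0") != "0"

def failed_logins_by_host(records):
    """Count failed CONNECT attempts per (client host, database user)."""
    counts = Counter()
    for rec in records:
        f = parse_audit_trail(rec)
        if is_failed_connect(f):
            counts[(f["CLIENT HOST"], f["DATABASE USER"])] += 1
    return counts
```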
 
Other audit policies:
SQL> connect system/password
-- audit user logins
SQL> audit connect
-- a few commonly used audit examples follow
-- audit all operations on tables
SQL> audit all on table;
-- audit all table operations by user test
SQL> audit table by test;
-- audit any user deleting from tables owned by test
SQL> AUDIT DELETE ANY test.TABLE;
-- audit failed deletes by any user
SQL> AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;
-- audit only successful deletes
SQL> AUDIT DELETE ANY TABLE WHENEVER SUCCESSFUL;
-- audit delete, update and insert on table user.table by user SYSTEM
SQL> AUDIT DELETE,UPDATE,INSERT ON user.table by SYSTEM;
 

10. Afterword

This is my first time doing reverse-engineering work of this kind; the technique was not very professional, the reasoning not very clear, the analysis fairly shallow, and I probably overlooked many key points. This article is just a record.