[Reposted from] http://www.room702.cn/index.php/archives/244
Using Microsoft Log Parser to search IIS W3C logs for signs of attack. Each entry gives the query, the log file it was run against, and the condition it searches for.

Injection analysis:
LogParser "select time,c-ip,cs-uri-stem,cs-uri-query,sc-status,cs(User-Agent) from ex080228.log where cs-uri-query LIKE '%select%'"
Log file queried: ex080228.log; keyword searched for: select
==================================================
Reflected XSS analysis:
LogParser "select time,c-ip,cs-uri-stem,cs-uri-query,sc-status,cs(User-Agent) from ex080228.log where cs-uri-query LIKE '%<script>%'"
Log file queried: ex080228.log; keyword searched for: <script>
==================================================
Searching records in a specific time window:
LogParser "select time,c-ip,cs-uri-stem,cs-uri-query,sc-status,cs(User-Agent) from ex080228.log where time between TIMESTAMP( '09:07:00', 'hh:mm:ss' ) and TIMESTAMP( '09:08:00', 'hh:mm:ss' )"
Log file queried: ex080228.log; time window searched: 09:07:00 to 09:08:00
==================================================
Listing requests by IP address range:
LogParser "select date,time,c-ip,cs-uri-stem,cs-uri-query,cs(User-Agent),sc-status from ex080228.log WHERE IPV4_TO_INT(c-ip) BETWEEN IPV4_TO_INT('172.16.9.0') AND IPV4_TO_INT('172.16.9.255')"
Log file queried: ex080228.log; IP range searched: 172.16.9.0/24
==================================================
Directory guessing (path brute-force) search:
LogParser "select time,c-ip,count(time) as BAD from ex080228.log where sc-status=404 group by time,c-ip having BAD>5"
Log file queried: ex080228.log; finds clients with more than N 404 errors within the same second: N = 5
==================================================
Form brute-force (login cracking) search:
LogParser "select time,c-ip,cs-uri-stem,count(time,cs-uri-stem) as BAD from ex090609.log where sc-status=200 and cs-method='POST' group by time,c-ip,cs-uri-stem having BAD>4"
Log file queried: ex090609.log; finds clients with more than N POST requests to the same URL within the same second: N = 4
==================================================
Unusual User-Agent search:
LogParser "select time,c-ip,cs-uri-stem,cs-uri-query,sc-status,cs(User-Agent) from ex080228.log where cs(User-Agent) NOT LIKE 'Mozilla%'"
Log file queried: ex080228.log; User-Agent searched for: every User-Agent that does not start with Mozilla
==================================================
Unusual HTTP methods:
LogParser "select time,c-ip,cs-method,cs-uri-stem from ex090609.log where cs-method in ('HEAD';'OPTIONS';'PUT';'MOVE';'COPY';'TRACE';'DELETE')"
Log file queried: ex090609.log; methods searched for: ('HEAD';'OPTIONS';'PUT';'MOVE';'COPY';'TRACE';'DELETE')
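The eight Log Parser queries above all follow the same pattern: filter IIS W3C log records, optionally group them per second and per client, and keep the groups that exceed a threshold. The following Python script is an added example (not part of the original post and not Log Parser's own code) that re-implements each check over a constructed sample log, so the logic can be run and tested on any platform. The `#Fields:` line, the log records and the User-Agent strings are all invented for the example; the detection thresholds are the ones from the post.

```python
"""Re-implementation of the Log Parser checks above over an IIS W3C extended log.
Added example, not from the original post. All log records are constructed."""
from collections import Counter
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample log in the IIS W3C extended format the post queries
# (ex080228.log style). The #Fields line defines the column order; every
# record and User-Agent string below is invented for this example.
_404_BURST = "\n".join(
    f"2008-02-28 09:08:01 10.0.0.5 GET /{d}/ - 404 MyScanner/1.0"
    for d in ("admin", "backup", "old", "test", "tmp", "db"))  # 6 misses in one second
_POST_BURST = "\n".join(
    ["2008-02-28 09:09:00 192.168.1.9 POST /login.asp - 200 Mozilla/5.0+(Windows)"] * 5)
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-02-28 09:07:12 172.16.9.20 GET /news.asp id=1+union+select+1,2,3 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2008-02-28 09:07:13 172.16.9.20 GET /search.asp q=<script>alert(1)</script> 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2008-02-28 09:07:30 10.0.0.5 GET /index.asp - 200 Mozilla/5.0+(Windows)
{_404_BURST}
{_POST_BURST}
2008-02-28 09:09:05 192.168.1.9 OPTIONS / - 200 Mozilla/5.0+(Windows)
"""

# The method list from the post's last query.
UNUSUAL_METHODS = {"HEAD", "OPTIONS", "PUT", "MOVE", "COPY", "TRACE", "DELETE"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive.
    Values are space-separated; IIS writes '-' for an empty field and '+' for spaces."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before any #Fields line
        else:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # malformed record; a real tool would report it rather than drop it
            records.append(dict(zip(fields, values)))
    return records


def like(records, field, needle):
    """Equivalent of `field LIKE '%needle%'`, matched case-insensitively."""
    return [r for r in records if needle.lower() in r[field].lower()]


def between_times(records, start, end):
    """Equivalent of `time BETWEEN TIMESTAMP(start) AND TIMESTAMP(end)` (inclusive)."""
    lo, hi = time.fromisoformat(start), time.fromisoformat(end)
    return [r for r in records if lo <= time.fromisoformat(r["time"]) <= hi]


def in_ip_range(records, cidr):
    """Equivalent of `IPV4_TO_INT(c-ip) BETWEEN first AND last address` of the network."""
    net = ip_network(cidr)
    return [r for r in records if ip_address(r["c-ip"]) in net]


def bursts(records, keep, group_by, threshold):
    """Equivalent of `WHERE keep GROUP BY group_by HAVING COUNT(*) > threshold`.
    Returns {group key: count} for every group over the threshold."""
    counts = Counter(tuple(r[f] for f in group_by) for r in records if keep(r))
    return {key: n for key, n in counts.items() if n > threshold}


def not_mozilla(records):
    """Equivalent of `cs(User-Agent) NOT LIKE 'Mozilla%'`."""
    return [r for r in records if not r["cs(User-Agent)"].startswith("Mozilla")]


def unusual_methods(records, methods=UNUSUAL_METHODS):
    """Equivalent of `cs-method IN (...)` with the post's method list."""
    return [r for r in records if r["cs-method"] in methods]


def report(text=SAMPLE_LOG):
    """Run every check from the post over one log and return the hits per check."""
    recs = parse_w3c(text)
    return {
        "injection": len(like(recs, "cs-uri-query", "select")),
        "xss": len(like(recs, "cs-uri-query", "<script>")),
        "window_09:07-09:08": len(between_times(recs, "09:07:00", "09:08:00")),
        "172.16.9.0/24": len(in_ip_range(recs, "172.16.9.0/24")),
        "404_bursts": bursts(recs, lambda r: r["sc-status"] == "404", ("time", "c-ip"), 5),
        "post_bursts": bursts(recs, lambda r: r["sc-status"] == "200" and r["cs-method"] == "POST",
                              ("time", "c-ip", "cs-uri-stem"), 4),
        "non_mozilla": len(not_mozilla(recs)),
        "unusual_methods": len(unusual_methods(recs)),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {hits}")
```

To run it against a real log, pass the file contents to `report()` (or to `parse_w3c()` and the individual checks); the `#Fields:` directive in the file drives the parser, so logs with a different column set still work as long as the fields a check reads are present. The two burst checks group by the log's one-second timestamp exactly as the Log Parser queries do, which is why a slow brute-force spread over several seconds will not trip them; raising the window (for example grouping by minute) is the usual tuning step.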