
Opened 5 years ago

Closed 5 years ago

#10841 closed defect (bug) (worksforme)

admin-ajax.php SQL INJECTION!!

Reported by: ulgaming
Owned by: westi
Milestone:
Priority: highest omg bbq
Severity: blocker
Version: 2.8.4
Component: Security
Keywords: sql injection
Focuses:
Cc:

Description

My site has been hacked 2-3 times from this file by the same hacker! The hacker goes to wp-login.php and tries to access wp-admin/admin-ajax.php. From there he can do SQL injection!

He even caused damage to the site from the same file by changing a lot of table data, but I restored it somehow (from backup).

Change History (11)

comment:2 scribu 5 years ago

Are you sure it's not related to a plugin?

comment:3 scribu 5 years ago

  • Milestone changed from Unassigned to 2.8.5

comment:4 westi 5 years ago

  • Cc westi added
  • Owner changed from ryan to westi
  • Status changed from new to assigned

Please send more information about this to security@…

  • Please include a list of plugins that you are running on the site
  • Extracts from the webserver access logs showing the hack
  • Details about what WordPress version and plugin versions you are running.

Thanks

comment:5 ulgaming 5 years ago

Yes, it's not related to a plugin. All plugins were disabled when this happened (except Wassup, which I used to track the guy; I had to enable it to track him when he had already hacked the site 2 times).

  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:03 ->/
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

  • LOGGED IN USER: Kamine
  • Probably hack attempt!
  • us OS: Win2008
  • BROWSER: Firefox 3
  • RESOLUTION: 1920x1080
  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

When this happened, the editor wasn't online. Moreover, it's impossible for an editor or even an admin to change a user's login name.

comment:6 ulgaming 5 years ago

The blog uses WordPress 2.8.4.

comment:7 Denis-de-Bernardy 5 years ago

Any updates on this?

comment:8 dwright 5 years ago

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

Is there any additional (specific) information about this exploit? (i.e. what query, params, GET/POST, etc. ... do you have access to your web server logs?)

comment:9 hakre 5 years ago

Things which might be helpful: Start admin, get the list of hooks registered for admin-ajax, review the code for places where wpdb is used. WPDB must use the prepare (not the escape) member to properly escape values.

Is it possible for the reporter to have 2.8.5 run and test whether this still applies or not?
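The review hakre describes (find the admin-ajax hooks, then check how each handler builds its SQL) is easiest to explain with a concrete handler. The following is an added illustration, not code from this ticket, from the reporter's site or from WordPress core: a hypothetical `wp_ajax_*` handler that looks up a user by display name, first written with the interpolation pattern such a review is hunting for, then rewritten with `$wpdb->prepare()`, a nonce check and a capability check. The handler name, nonce action and capability are assumptions chosen for the example.

```php
<?php
// Added illustration for ticket #10841 discussion; not WordPress core code.
// Both functions assume they run inside wp-admin/admin-ajax.php, where $wpdb,
// check_ajax_referer() and current_user_can() are already loaded.

// UNSAFE PATTERN: the request value is concatenated straight into the SQL
// string. This is exactly the kind of site a code review of admin-ajax
// handlers should flag. Wrapping $name in $wpdb->escape() only covers the
// quoted-string case and is easy to forget; prepare() is the correct tool.
function ticket10841_lookup_user_unsafe() {
    global $wpdb;
    $name = $_POST['name'];
    $row  = $wpdb->get_row(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE display_name = '$name'"
    );
    echo json_encode( $row );
    wp_die();
}

// HARDENED PATTERN: verify the request came from a logged-in session that holds
// a valid nonce, confirm the caller may see user data, and let prepare() bind
// the value so the query text and the data never mix.
function ticket10841_lookup_user_safe() {
    global $wpdb;

    // 'ticket10841_lookup' is an assumed nonce action; the matching nonce must be
    // generated with wp_create_nonce( 'ticket10841_lookup' ) on the admin page.
    check_ajax_referer( 'ticket10841_lookup', 'nonce' );

    // 'edit_users' is an assumed capability for this lookup.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( -1 );
    }

    // WordPress adds slashes to request data; remove them before binding.
    $name = isset( $_POST['name'] ) ? stripslashes( $_POST['name'] ) : '';

    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, user_login FROM {$wpdb->users} WHERE display_name = %s",
            $name
        )
    );
    echo json_encode( $row );
    wp_die();
}

// Register only the logged-in hook. A wp_ajax_nopriv_* registration would make
// the handler reachable by anonymous visitors, which a review should also flag.
add_action( 'wp_ajax_ticket10841_lookup', 'ticket10841_lookup_user_safe' );
```

When auditing a site, the `wp_ajax_` prefix is the thing to grep for across plugins and themes: every `add_action( 'wp_ajax_...' )` or `add_action( 'wp_ajax_nopriv_...' )` names a handler that `admin-ajax.php` will run, and each of those handlers is where the `$wpdb` usage should be checked for the unprepared pattern shown first.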

comment:10 dwright 5 years ago

  • Cc david_v_wright@… added

comment:11 ryan 5 years ago

  • Milestone 2.9 deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

Closing pending feedback.
