#10841 closed defect (bug) (worksforme)
admin-ajax.php SQL INJECTION!!
| Reported by: | ulgaming | Owned by: | westi |
|---|---|---|---|
| Milestone: | | Priority: | highest omg bbq |
| Severity: | blocker | Version: | 2.8.4 |
| Component: | Security | Keywords: | sql injection |
| Focuses: | | Cc: | |
Description
My site has been hacked 2 - 3 times from this file by the same hacker! The hacker goes to wp-login.php and tries to access wp-admin/admin-ajax.php . From there he can do sql injection!
He even caused damaged to the site from the same file by changing a lot of table data, but i restored it somehow(from backup).
Change History (12)
#4 @ 15 years ago
- Cc westi added
- Owner changed from ryan to westi
- Status changed from new to assigned
Please send more information about this to security@…
- a list of plugins that you are running on the site
- extracts from the webserver access logs showing the hack
- details about what WordPress version and plugin versions you are running.
Thanks
#5 @ 15 years ago
Yes, it's not related to a plugin. All plugins were disabled when this happened (except Wassup, which I used to track the guy; I had to enable it to track him when he had already hacked the site 2 times).
- 07:37:34 ->/
- 07:39:47 ->/wp-admin/
- 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
- 07:39:58 ->/wp-login.php
- 07:41:03 ->/
- 07:41:19 ->/staff-list
- 07:46:33 ->/wp-admin/admin-ajax.php
As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".
- LOGGED IN USER: Kamine
- Probably hack attempt!
- us OS: Win2008
- BROWSER: Firefox 3
- RESOLUTION: 1920x1080
- 07:37:34 ->/
- 07:39:47 ->/wp-admin/
- 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
- 07:39:58 ->/wp-login.php
- 07:41:19 ->/staff-list
- 07:46:33 ->/wp-admin/admin-ajax.php
When this happened, the editor wasn't online. Moreover, it's impossible for an editor or even an admin to change a user's login name.
#8 @ 15 years ago
> As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".
Is there any additional (specific) information about this exploit? (i.e. what query? params? GET/POST, etc. Do you have access to your web server logs?)
#9 @ 15 years ago
Things which might be helpful: start admin, get the list of hooks registered for admin-ajax, review the code for places where wpdb is used. WPDB must use the prepare (not the escape) member to properly escape values.
Is it possible for the reporter to have 2.8.5 run and test whether this still applies or not?
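The review procedure suggested in #9 (enumerate the admin-ajax hooks, then check each callback's use of `$wpdb`), as an added example that is not part of the ticket or of WordPress core. It is a hypothetical plugin file: the hook name `example_lookup`, the nonce action, the callback names and the unregistered "weak" handler are all constructed for illustration, and the audit helper assumes a WordPress release where `$wp_filter` holds `WP_Hook` objects (4.7 or later), which is newer than the 2.8.x discussed above.

```php
<?php
/**
 * Plugin Name: Example admin-ajax hardening (added example, hypothetical)
 *
 * Not WordPress core code and not from the ticket. Assumes it is loaded as a
 * plugin inside a WordPress install; hook and nonce names are made up.
 */

// WEAK (shown for contrast only, never registered below): request data is
// concatenated straight into SQL. This is the pattern #9 says to look for
// in every callback hooked to wp_ajax_* / wp_ajax_nopriv_*.
function example_lookup_weak() {
	global $wpdb;
	$login = $_POST['login']; // untrusted
	$sql   = "SELECT ID, user_email FROM {$wpdb->users} WHERE user_login = '" . $login . "'";
	wp_send_json( $wpdb->get_row( $sql ) );
}

// HARDENED: nonce check, capability check, and $wpdb->prepare() with a
// %s placeholder so the value is escaped and quoted by wpdb itself.
function example_lookup_hardened() {
	check_ajax_referer( 'example_lookup', 'nonce' ); // dies on a bad/missing nonce
	if ( ! current_user_can( 'list_users' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	global $wpdb;
	$login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '';
	$sql   = $wpdb->prepare(
		"SELECT ID, user_email FROM {$wpdb->users} WHERE user_login = %s",
		$login
	);
	wp_send_json_success( $wpdb->get_row( $sql ) );
}
// Only the hardened handler is exposed; no wp_ajax_nopriv_ variant, so the
// endpoint requires a logged-in user in addition to the capability check.
add_action( 'wp_ajax_example_lookup', 'example_lookup_hardened' );

// Audit helper for the first step in #9: list every callback registered on a
// wp_ajax_* hook so each one can be read for raw $wpdb queries. Returns an
// array of "hook (priority N): callback" strings.
function example_list_ajax_hooks() {
	global $wp_filter;
	$out = array();
	foreach ( $wp_filter as $hook => $filter ) {
		if ( strpos( $hook, 'wp_ajax_' ) !== 0 ) {
			continue;
		}
		foreach ( $filter->callbacks as $priority => $callbacks ) {
			foreach ( $callbacks as $cb ) {
				$fn = $cb['function'];
				if ( is_array( $fn ) ) {
					$fn = ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
				} elseif ( $fn instanceof Closure ) {
					$fn = 'Closure';
				}
				$out[] = sprintf( '%s (priority %d): %s', $hook, $priority, $fn );
			}
		}
	}
	return $out;
}

// Show the list at the bottom of admin pages for administrators only.
add_action( 'admin_footer', function () {
	if ( current_user_can( 'manage_options' ) ) {
		echo '<pre>' . esc_html( implode( "\n", example_list_ajax_hooks() ) ) . '</pre>';
	}
} );
```

The list printed by `example_list_ajax_hooks()` is the starting point for the review: each named callback is opened and any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call is checked for a `$wpdb->prepare()` (or literal-only SQL) rather than string concatenation of request data.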
#11 @ 15 years ago
- Milestone 2.9 deleted
- Resolution set to worksforme
- Status changed from assigned to closed
Closing pending feedback.
#12 @ 8 years ago
I recently had this attempt done to me via the file admin-ajax.php, but my Wordfence caught it, fortunately. Would love to see the injection code they used, though. I got this message after I wrote an article about "hacking": I had a comment come in and, as I went to edit my post, I got the message that Wordfence blocked access from an intruder to that file. hmmmm crazy.
And, it's not only me: http://forum.bytesforall.com/showthread.php?t=1683