
Opened 9 years ago

Closed 9 years ago

Last modified 15 months ago

#10841 closed defect (bug) (worksforme)

admin-ajax.php SQL INJECTION!!

Reported by: ulgaming
Owned by: westi
Milestone:
Priority: highest omg bbq
Severity: blocker
Version: 2.8.4
Component: Security
Keywords: sql injection
Focuses:
Cc:

Description

My site has been hacked 2 - 3 times from this file by the same hacker! The hacker goes to wp-login.php and tries to access wp-admin/admin-ajax.php. From there he can do SQL injection!

He even caused damage to the site from the same file by changing a lot of table data, but I restored it somehow (from backup).

Change History (12)

#2 @scribu
9 years ago

Are you sure it's not related to a plugin?

#3 @scribu
9 years ago

  • Milestone changed from Unassigned to 2.8.5

#4 @westi
9 years ago

  • Cc westi added
  • Owner changed from ryan to westi
  • Status changed from new to assigned

Please send more information about this to security@…

Please include:

  • a list of plugins that you are running on the site
  • extracts from the webserver access logs showing the hack
  • details about what WordPress version and plugin versions you are running.

Thanks

#5 @ulgaming
9 years ago

Yes, it's not related to a plugin. All plugins were disabled when this happened (except Wassup, which I used to track the guy; I had to enable it to track him when he had already hacked the site 2 times).

  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:03 ->/
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

  • LOGGED IN USER: Kamine
  • Probably hack attempt!
  • us OS: Win2008
  • BROWSER: Firefox 3
  • RESOLUTION: 1920x1080
  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

When this happened, the editor wasn't online. Moreover, it's impossible for an editor or even an admin to change a user's login name.

#6 @ulgaming
9 years ago

The blog uses WordPress 2.8.4.

#7 @Denis-de-Bernardy
9 years ago

Any updates on this?

#8 @dwright
9 years ago

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

Is there any additional (specific) information about this exploit? (i.e. what query? params? GET/POST, etc.) Do you have access to your web server logs?

#9 @hakre
9 years ago

Things which might be helpful: start admin, get the list of hooks registered for admin-ajax, review the code for places where wpdb is used. WPDB must use the prepare (not the escape) member to properly escape values.

Is it possible for the reporter to have 2.8.5 run and test whether this still applies or not?
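The review hakre describes (walk the wp_ajax_ hooks, find every wpdb call, check that values reach the query through prepare()) is easiest to explain with a concrete handler. The following is an added illustration written for this page; it is not code from this ticket, from the reporter's site, or from WordPress core, and it uses WordPress APIs newer than the 2.8.4 release the ticket concerns. The table name `{$wpdb->prefix}staff`, its columns, the AJAX action name `staff_lookup` and the `edit_posts` capability are all assumed for the example.

```php
<?php
// Added illustration (not code from this ticket or from WordPress core).
// Assumed: a plugin-owned table "{$wpdb->prefix}staff" with columns
// (id, name, role) and an AJAX action named "staff_lookup".

// UNSAFE pattern of the kind hakre's comment asks reviewers to look for:
// request input is concatenated into the SQL string, so whoever can reach
// admin-ajax.php controls part of the statement text. Kept here only as
// the "before" picture; it is never registered as a hook below.
function staff_lookup_unsafe() {
    global $wpdb;
    $role = isset( $_POST['role'] ) ? $_POST['role'] : '';
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}staff WHERE role = '$role'"
    );
    wp_send_json( $rows );
}

// HARDENED handler for the same lookup:
//  1. a nonce ties the request to a page the current user actually loaded,
//  2. a capability check limits who may run the action at all,
//  3. $wpdb->prepare() binds the value through a %s placeholder instead of
//     splicing it into the statement text.
function staff_lookup_safe() {
    global $wpdb;

    // Ends the request with HTTP 403 unless a valid nonce for this action
    // arrives in the "nonce" field.
    check_ajax_referer( 'staff_lookup', 'nonce' );

    // Capability name is an assumption for the example; use the narrowest
    // capability that fits the real action.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // wp_unslash() undoes WordPress's added slashes; sanitize_key() reduces
    // the value to [a-z0-9_-], which is all a role key should ever contain.
    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    // prepare() quotes and escapes the bound value; the query shape is fixed
    // at this point regardless of what the client sent.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}staff WHERE role = %s",
        $role
    );
    $rows = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}

// Only the hardened handler is registered. The wp_ajax_ prefix makes it
// reachable by logged-in users only; wp_ajax_nopriv_ would also expose it to
// anonymous requests, which is rarely appropriate for a handler that
// touches the database.
add_action( 'wp_ajax_staff_lookup', 'staff_lookup_safe' );
```

When auditing a site the way hakre suggests, the thing to grep for inside each registered wp_ajax_ callback is a `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string contains an interpolated variable rather than a `%s`/`%d` placeholder passed through `prepare()`. The `escape()` member hakre contrasts with `prepare()` was later deprecated in WordPress 3.6 in favour of `prepare()` and `esc_sql()`.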

#10 @dwright
9 years ago

  • Cc david_v_wright@… added

#11 @ryan
9 years ago

  • Milestone 2.9 deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

Closing pending feedback.

#12 @ravenousravendesign
15 months ago

I recently had this attempt done to me via the file admin-ajax.php, but my Wordfence caught it fortunately. Would love to see the injection code they used though. I got this message after I wrote an article about "hacking", and I had a comment come in, and as I went to edit my post, I got the message that Wordfence blocked access from an intruder to that file. Hmmmm, crazy.
