Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 8 years ago

#10841 closed defect (bug) (worksforme)

admin-ajax.php SQL INJECTION!!

Reported by: ulgaming's profile ulgaming Owned by: westi's profile westi
Milestone: Priority: highest omg bbq
Severity: blocker Version: 2.8.4
Component: Security Keywords: sql injection
Focuses: Cc:

Description

My site has been hacked 2 - 3 times from this file by the same hacker! The hacker goes to wp-login.php and tries to access wp-admin/admin-ajax.php . From there he can do sql injection!

He even caused damaged to the site from the same file by changing a lot of table data, but i restored it somehow(from backup).

Change History (12)

#2 @scribu
15 years ago

Are you sure it's not related to a plugin?

#3 @scribu
15 years ago

  • Milestone changed from Unassigned to 2.8.5

#4 @westi
15 years ago

  • Cc westi added
  • Owner changed from ryan to westi
  • Status changed from new to assigned

Please send more information about this to security@…

Please include a list of plugins that you are running on the site
Extracts from the webserver access logs showing the hack
Details about what WordPress version and plugin versions you are running.

Thanks

#5 @ulgaming
15 years ago

Yes, it's not related to a plugin. All plugins were disabled when this happened(except Wassup which i used to track the guy, had to enable it to track him when he had already hacked the site 2 times).

  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:03 ->/
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

  • LOGGED IN USER: Kamine
  • Probably hack attempt!
  • us OS: Win2008
  • BROWSER: Firefox 3
  • RESOLUTION: 1920x1080
  • 07:37:34 ->/
  • 07:39:47 ->/wp-admin/
  • 07:39:48 ->/wp-login.php?redirect_to=http://www.animeshout.com/wp-admin/
  • 07:39:58 ->/wp-login.php
  • 07:41:19 ->/staff-list
  • 07:46:33 ->/wp-admin/admin-ajax.php

When this happened, the editor wasn't online. Moreover, it's impossible for an editor or even an admin to change a user's login name.

#6 @ulgaming
15 years ago

The blog uses WordPress 2.8.4.

#7 @Denis-de-Bernardy
15 years ago

any updates on this?

#8 @dwright
15 years ago

As soon as he goes to that page, he executes a MySQL query, and changes the user, pass and email of an editor and renames his user to "kamine".

is there any additional (specific) information about this exploit? (i.e. what query?, params?, get/post, etc,... do you have access to your web server logs?)

#9 @hakre
15 years ago

Things which might be helpfull: Start admin, get the list of hooks regsitered for admin-ajax, review the code for places where wpdb is used. WPDB must use the prepare (not the escape) member to properly escape values.

Is it possible for the reporter to have 2.8.5 run and test wether this still applies or not?

#10 @dwright
15 years ago

  • Cc david_v_wright@… added

#11 @ryan
15 years ago

  • Milestone 2.9 deleted
  • Resolution set to worksforme
  • Status changed from assigned to closed

Closing pending feedback.

#12 @ravenousravendesign
8 years ago

I recently had this attempt done to me via the file admin-ajax.php but my wordfence caught it fortunately. Would love to see the injection code they used though. I got this message after I wrote an article about "hacking" and I had a comment come in and as I went to edit my post, I get the message that wordfence blocked access from an intruder to that file. hmmmm crazy.

Note: See TracTickets for help on using tickets.