WP Hack attempt?

Sharksfan

New member
May 28, 2009
I was looking at StatPress logs on a WordPress site of mine tonight and saw this "page visited" link:

forum=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/*

I tried viewing that URL on my website and it doesn't return results from MySQL fortunately - it just gives a standard not found error. This is probably because I'm using permalinks and a couple of plugins which (as I understand it) thwart any SQL+URL hacks.

Is that what this is?
 


Looks like they were targeting the wp-forum plugin which hasn't been patched in decades. Do you have that installed on your blog?
 
They're trying to gather user logins by passing a SQL statement through a GET request. The function to list forums or something must have been letting all requests through unfiltered and/or had not been using prepared statements in a previous version. The slashes escape the characters when input through PHP, so that's why the statement doesn't work when you copy/paste it.
 
Thanks guys.

I did not have the wp-forum plugin installed - and I changed passwords immediately after noticing.
 
When you see a SQL query like that, they're attempting to do a SQL injection hack. You'd be surprised how often it works when people don't sanitize their inputs.

Basically what's happening is that they are attempting to escape the string passed, so that it becomes a command. So for example if you had something like:

"SELECT * FROM Table Where id=".$userid." yada yada".

Well if userid isn't sanitized (especially since PHP can spit out either an integer or a string) they could cause the SQL statement to become multilined. The first obviously would fail because it's an impartial, but then it would also execute the rest of the string. You can typically fix this using mysql_real_escape_string() around the variable in some cases, which would escape the characters that would allow the execution. Unfortunately most people who get hit aren't developers :/
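The mechanism described in the last post, as an added example that is not code from the thread or from the wp-forum plugin: a Python/SQLite stand-in for the concatenated query, fed the value from the log (with concat() rewritten as SQLite's || operator and a trailing ORDER BY assumed on the plugin's query), beside a parameterised version and a type-checked version.

```python
import sqlite3

# Constructed sample database standing in for the plugin's tables (not the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO forums VALUES (1, 'General');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashOnly');
    """)
    return db

# The ?forum= value from the log, with MySQL's concat(0x7c, ...) rewritten as SQLite's || (assumption).
# The /**/ comments stand in for spaces; the trailing /* swallows whatever the plugin appended.
INJECTED_FORUM = "-99999/**/UNION/**/SELECT/**/user_login||'|'||user_pass/**/FROM/**/wp_users/*"

def lookup_forum_vulnerable(db, forum):
    # String concatenation: the request value becomes part of the SQL text itself,
    # so the UNION pulls rows out of wp_users instead of just matching a forum id.
    sql = "SELECT name FROM forums WHERE id=" + forum + " ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def lookup_forum_safe(db, forum):
    # Parameter binding: the value travels to the engine separately and is only ever a literal,
    # so the injected text is compared against the id column and simply matches nothing.
    sql = "SELECT name FROM forums WHERE id=? ORDER BY name"
    return [row[0] for row in db.execute(sql, (forum,))]

def lookup_forum_typed(db, forum):
    # Belt and braces: an id must be an integer, so reject anything else before it nears a query.
    # Returning None lets the caller answer 404 and log the attempt.
    try:
        forum_id = int(forum)
    except ValueError:
        return None
    return lookup_forum_safe(db, forum_id)
```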