Attack information of the Photo Gallery by 10Web from WebARX
As you can observe from the graph above, the attacks spiked on May 16th at 10 PM and May 17th at 7 AM. During the spike, the attack count rose as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on May 17th the attacks began to decrease, ending with 2 attacks on the 17th at 12 AM.
Analysis Of The Attack
After an analysis, it appears that a malicious user is trying to find sites which have a vulnerable version of the plugin installed. We discovered the POST payload below being sent 19 000 times against WordPress websites over an interval of roughly 36 hours.
[action] => bwg_frontend_data
[bwg_search_0] => 1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''/**/as/**/dummy_3/**/from/**/information_schema.tables#FGDFGDFG))#
[gallery_type] => album_compact_preview
[type_0] => album
This payload performs a basic UNION-based SQL injection: it attempts to append its own rows to the result set of the query, which the malicious user can then use to determine whether a vulnerable version of the plugin is in fact running on the website.
All requests were sent with exactly the same user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
Several IP addresses were involved in the attack; the top 10 are the following:
126.96.36.199 – United States – DigitalOcean
188.8.131.52 – Russia – OOO Network of data-centers Selectel
184.108.40.206 – France – OVH SAS
220.127.116.11 – France – OVH SAS
18.104.22.168 – France – OVH SAS
22.214.171.124 – France – OVH SAS
126.96.36.199 – France – OVH SAS
188.8.131.52 – Hungary – Szervernet Ltd
184.108.40.206 – United States – Centrilogic
220.127.116.11 – Singapore – DigitalOcean
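As an added illustration of the triage described above (this is not code from the WebARX post), the following Python script normalises the comment-obfuscated payload, flags admin-ajax.php requests whose bwg_search_* parameter carries a UNION SELECT, and tallies source IPs and User-Agents the way the figures above were derived. The sample requests, the IPs (RFC 5737 documentation ranges) and the helper names are constructed for this example; the injection string is the one quoted in the write-up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode

# Injection string as quoted in the write-up (used here only as detection input).
PAYLOAD = r"""1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''/**/as/**/dummy_3/**/from/**/information_schema.tables#FGDFGDFG))#"""
# User-Agent every request in the campaign carried, per the write-up.
SCANNER_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"


def _body(search):
    """Build a form-encoded POST body for the bwg_frontend_data action (constructed sample)."""
    return urlencode({"action": "bwg_frontend_data", "bwg_search_0": search,
                      "gallery_type": "album_compact_preview", "type_0": "album"})


# Constructed sample traffic: (source IP, User-Agent, POST body to /wp-admin/admin-ajax.php).
SAMPLE_REQUESTS = [
    ("203.0.113.10", SCANNER_UA, _body(PAYLOAD)),
    ("203.0.113.10", SCANNER_UA, _body(PAYLOAD)),
    ("198.51.100.5", SCANNER_UA, _body("1/**/union/**/select/**/1,2")),
    ("192.0.2.44", "Mozilla/5.0 (X11; Linux x86_64) Firefox/76.0", _body("sunset")),
    ("192.0.2.45", "Mozilla/5.0 (Macintosh) Safari/605.1.15", _body("union station")),
]

_COMMENT = re.compile(r"/\*.*?\*/", re.S)                       # /**/ and /* ... */ used as whitespace
_UNION_SELECT = re.compile(r"\bUNION\b(?:\s+ALL|\s+DISTINCT)?\s+SELECT\b", re.I)


def normalize(value):
    """Replace inline comments with spaces and collapse whitespace so token patterns match."""
    return re.sub(r"\s+", " ", _COMMENT.sub(" ", value)).strip()


def looks_like_union_injection(value):
    """True if the (normalised) value contains a UNION [ALL|DISTINCT] SELECT clause."""
    return bool(_UNION_SELECT.search(normalize(value)))


def flag_request(ip, ua, body):
    """Return a hit record if this is a bwg_frontend_data call with an injected bwg_search_* value."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["bwg_frontend_data"]:
        return None
    for name, values in params.items():
        if name.startswith("bwg_search_") and any(looks_like_union_injection(v) for v in values):
            return {"ip": ip, "ua": ua, "param": name, "value": values[0]}
    return None


def analyze(requests):
    """Flag every request and summarise hit count, top source IPs and User-Agents."""
    hits = [h for h in (flag_request(*r) for r in requests) if h]
    return {
        "flagged": len(hits),
        "top_ips": Counter(h["ip"] for h in hits).most_common(10),
        "user_agents": Counter(h["ua"] for h in hits).most_common(),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

The comment-stripping step matters: matching the raw body for "UNION SELECT" would miss the `/**/`-separated form the attacker used, while matching only on `information_schema` would miss the cheaper probe variants.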
Analysis Of The Plugin
The payload above makes it clear that the problem resides in the wp_ajax_bwg_frontend_data and wp_ajax_nopriv_bwg_frontend_data AJAX actions, which both call the function frontend_data. That function calls a chain of other functions which ultimately leads to the file that is susceptible to SQL injection: /frontend/models/model.php.
Within this file there is a function called get_image_rows_data which uses the bwg_search_* parameter. From the payload used by the malicious user, we can see that this is in fact where the issue resides: data from the user-provided bwg_search_* parameter was used directly in the SQL query, which is what caused this SQL injection vulnerability to exist.
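To show why using the search parameter directly in the query text is exploitable, and why a prepared statement closes the hole, here is an added Python example. It is not the plugin's PHP: sqlite3 placeholders stand in for the $wpdb->prepare call the page refers to, the table and rows are constructed, and the query shape only approximates the LIKE filter in get_image_rows_data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the plugin's image table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bwg_image (id INTEGER PRIMARY KEY, gallery_id INTEGER, alt TEXT, filename TEXT);
        INSERT INTO bwg_image VALUES (1, 1, 'beach sunset', 'sunset.jpg');
        INSERT INTO bwg_image VALUES (2, 1, 'mountain', 'mountain.jpg');
        INSERT INTO bwg_image VALUES (3, 2, 'beach ball', 'ball.jpg');
    """)
    return conn


def search_vulnerable(conn, gallery_id, search):
    """Unsafe pattern: the user-supplied search string is spliced into the SQL text.
    gallery_id is cast to int so that the search parameter is the only injection point."""
    sql = ("SELECT id, filename FROM bwg_image "
           f"WHERE gallery_id = {int(gallery_id)} AND (alt LIKE '%{search}%')")
    return conn.execute(sql).fetchall()


def search_safe(conn, gallery_id, search):
    """Hardened pattern: values travel as bound parameters, never as SQL syntax.
    This is the sqlite3 analogue of wrapping the query in $wpdb->prepare()."""
    sql = "SELECT id, filename FROM bwg_image WHERE gallery_id = ? AND alt LIKE ?"
    return conn.execute(sql, (gallery_id, f"%{search}%")).fetchall()


# Constructed UNION probe: closes the LIKE literal and parenthesis, appends a
# two-column SELECT from sqlite_master (the SQLite counterpart of
# information_schema.tables), then comments out the trailing "%')".
INJECTION = "x%') UNION ALL SELECT name, sql FROM sqlite_master -- "


def demo():
    """Run both query builders against a benign search and against the probe."""
    conn = make_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, 1, "beach"),
        "benign_safe": search_safe(conn, 1, "beach"),
        # schema rows leak through the unsafe query
        "probe_vulnerable": search_vulnerable(conn, 1, INJECTION),
        # the bound parameter is just an odd-looking search term: no rows
        "probe_safe": search_safe(conn, 1, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both builders return the same rows for an ordinary search term; only the string-concatenated one lets the probe turn the search term into a second SELECT, which is exactly the result-set manipulation the captured payload relies on.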
If we look at the differences between versions 1.5.54 and 1.5.55 of the plugin here, you can see that the patched version adds the use of the $wpdb->prepare function, which mitigates the vulnerability.
Timeline
May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability
If you're concerned that your website may be hacked, please be sure to follow the WordPress malware removal guide or get quick professional help with our WordPress malware removal service.
The post Analyzing The Photo Gallery by 10Web SQL Injection Vulnerability appeared first on WebARX.