June 14, 2021

WP-Slimstat vulnerability exposes WordPress websites to SQL injection attacks

(LiveHacking.Com) – A recent security advisory from Sucuri has revealed that the popular WordPress plugin WP-Slimstat is vulnerable to SQL injection attacks because of a weak secret key.

If exploited fully, the bug could allow hackers to use SQL injection attacks to download sensitive information from a susceptible site’s database, including usernames and (hopefully) hashed passwords. According to Sucuri it could even be possible, in certain situations, for the attacker to find the WordPress Secret Keys and then take over the site completely.

The problem is with the secret key used by the plugin to sign data sent to and from the client. The key is in fact the MD5 hash of the plugin’s installation timestamp. Although guessing the exact date and time of the plugin installation outright would be impractical, it might be possible to guess the approximate date and therefore drastically reduce the number of combinations to try.

Knowing only the correct year reduces the number of possibilities to around 30 million values, which according to Sucuri can be searched in around 10 minutes on modern hardware. Part of the problem is that MD5 hashes are very cheap to compute at scale on modern CPU/GPU setups, so a key space of that size offers no real protection.
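The following Python script is an added illustration of the key-derivation weakness described above; it is not code from WP-Slimstat or from the Sucuri advisory. It assumes (for demonstration only) that the key is used as an HMAC key over client data, derives the key once the weak way (MD5 of an install timestamp) and once from the OS random source, and shows that the timestamp-derived key can be found by enumerating a plausible install window while the random key cannot.

```python
import hashlib
import hmac
import secrets

# Roughly 31.5 million distinct timestamps in a year: the whole key space
# an attacker has to cover once the install year is known.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def timestamp_key(install_ts: int) -> bytes:
    """Weak derivation modelled on the advisory: MD5 of the install timestamp."""
    return hashlib.md5(str(install_ts).encode()).hexdigest().encode()


def random_key() -> bytes:
    """Hardened derivation: 32 bytes from the OS CSPRNG (2**256 candidates)."""
    return secrets.token_bytes(32)


def sign(key: bytes, payload: bytes) -> str:
    """Assumed signing scheme for the example: HMAC-SHA256 over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(sign(key, payload), tag)


def recover_timestamp_key(payload: bytes, tag: str, window_start: int, window_end: int):
    """Try every install time in [window_start, window_end).

    Returns the key that validates the captured (payload, tag) pair, or None.
    A one-hour window is 3,600 MD5+HMAC computations; a whole year is about
    31.5 million, which is why the advisory calls the key guessable.
    """
    for ts in range(window_start, window_end):
        candidate = timestamp_key(ts)
        if verify(candidate, payload, tag):
            return candidate
    return None


if __name__ == "__main__":
    install_ts = 1_300_000_000  # constructed install time for the demo
    sample = b"visitor=1&page=/index"  # constructed client payload
    captured_tag = sign(timestamp_key(install_ts), sample)
    found = recover_timestamp_key(sample, captured_tag, install_ts - 1800, install_ts + 1800)
    print("weak key recovered:", found is not None)
    strong = random_key()
    print("random key verifies its own tag:", verify(strong, sample, sign(strong, sample)))
```

The random key has no timestamp structure to enumerate, so the same search gives an attacker nothing; storing such a key at install time is the fix the advisory implies.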

Once the correct MD5 hash has been discovered, fake data can be sent to the plugin. A second bug, which allows an attacker to pass arbitrary data into an unserialize() call, then lets the attacker execute arbitrary SQL queries and retrieve any data they want from the database.

“This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible,” wrote Marc-Alexandre Montpas on Sucuri’s blog.

WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately. All versions before 3.9.6 are vulnerable.

PayPal fixes a SQL injection vulnerability, pays researcher $3,000 reward for discovery

(LiveHacking.Com) – PayPal has paid out $3,000 in reward money to a security researcher who found and reported an SQL injection vulnerability. The payout, which comes under PayPal’s bounty program, went to researchers at Vulnerability Laboratory who discovered a blind SQL injection vulnerability in the official PayPal website.

According to an advisory sent to the Full Disclosure security mailing list, the vulnerability allows remote attackers to inject SQL commands into the affected application’s DBMS. The vulnerability is located in the Confirm Email module, in the vulnerable id input field.

When the vulnerability is exploited, the injected SQL command is executed when the Confirm Email module reloads the page. To exploit the vulnerability a normal, low-privileged user account on PayPal is required.

Although the posting included a proof of concept, the underlying problem was fixed by PayPal within a very short amount of time once the vulnerability was reported. This all happened on 12th January 2013, and there is no evidence that the vulnerability was actually exploited in the wild.

Reward schemes for finding security-related bugs have become common in the security industry, with companies like Google and Facebook paying out substantial rewards for verifiable vulnerabilities in their software. Google recently announced its third Pwnium competition, Pwnium 3, which will focus on Chrome OS. The search giant is making available up to $3.14159 million USD in rewards for demonstrable attacks against a base (WiFi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS.

Since PayPal handles millions of dollars in transactions per day, this extra level of help from ethical hackers is important; however, as you can imagine, the company doesn’t publicize any vulnerabilities found!

SQL injection attacks up by 69%

(LiveHacking.Com) – FireHost, a secure cloud hosting company, is reporting that it has seen a 69% increase in SQL injection attacks during the second quarter of 2012. During Q1 the company blocked some 277,000 attacks, but during Q2 that figure rose to nearly 500,000.

Most modern websites rely on a backend database to store the contents of the site and to power an authentication system. During an SQL injection attack the hacker tries to manipulate data entered into web forms to influence the SQL commands which are executed in the background. If the hacker gets it right, they can manipulate the site or circumvent user authentication. The danger comes when websites use the information entered into a web form without any validation or verification.

SQL injections have been associated with many high-profile security breaches, particularly the attacks on Sony during 2011, and are thought to be the method used by hackers who recently stole passwords from LinkedIn, eHarmony and Yahoo!.

“Many, many sites have lost customer data in this way,” said Chris Hinkley, CISSP – a Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.”

FireHost has also seen an increase in Cross-site Scripting (XSS) attacks, Directory Traversals, and Cross-site Request Forgery (CSRF) attacks. Interestingly, the majority of attacks came from within the United States (83%). Southern Asia came in second with 8%, while Europe was third. FireHost also notes the rise in automated attacks launched by hackers. The warning is clear for every website owner and every security specialist.

Ruby on Rails SQL Injection Vulnerability Found

(LiveHacking.Com) – A SQL injection vulnerability has been found in the Active Record component of Ruby on Rails. Active Record connects classes to relational database tables, giving applications a persistence layer.

According to the security advisory, the vulnerability lies in the way Active Record handles nested query parameters. An attacker can use a specially crafted request to inject some forms of SQL into an application’s SQL queries. For an application to be vulnerable it needs to pass request parameters directly to the `where` method of an ActiveRecord class, like this: Post.where(:id => params[:id]).all

To exploit this weakness, an attacker needs to make a request that causes `params[:id]` (see above) to return a specially crafted hash. This will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

There is a workaround: the vulnerable code is changed so that the parameter is cast to the expected type before it reaches `where`. For example:

Post.where(:id => params[:id]).all

is changed to this:

Post.where(:id => params[:id].to_s).all

The Ruby on Rails team has released new versions to fix the problem. Affected versions are 3.0.0 and all later versions; 2.3.14 is not affected. The fixed versions are 3.2.4, 3.1.5 and 3.0.13. The latest versions can be downloaded from here.

All users running an affected release should upgrade immediately.

American Express Fixes SQL Injection Vulnerability In Its Website

(LiveHacking.Com) – The well-known credit card company American Express has fixed an SQL injection vulnerability on its website that allowed direct access to the server’s database. Originally found by student Nils Kenneweg, American Express moved quickly to plug the hole and issued a statement saying that the vulnerability was never exploited and that its customer data had remained intact.

Nils discovered the vulnerability when he noticed that the website did not validate data passed to a search function. Crafting special search queries then gave access to the database. Nils reported the vulnerability to the German security website Heise Security, who in turn told its English equivalent The H Security, as well as informing American Express.

There is some doubt about American Express’ auditing of this problem: with direct access to the database, it could be possible to access the data without leaving traces.

SQL injection Attack Hits Over 1 Million ASP.NET Pages (and Counting)

(LiveHacking.Com) – An SQL injection attack that infects web pages and causes drive-by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack, which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now, according to Google search, the number of infected web pages is over 1,000,000.

Infected sites carry invisible links to sites including jjghui.com and nbnjkl.com. These sites in turn redirect to several other websites, including www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with unpatched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.

This current round of SQL injection attacks seems to be similar to the LizaMoon attacks which appeared in March and April of this year. The security company Sucuri has noted that the registration information for the domains used in this attack is the same as that used for the earlier LizaMoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803

One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:

“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Sites can be scanned to make sure they are clean (or not) at http://sitecheck.sucuri.net

Sqlninja 0.2.5 Released

Sqlninja 0.2.5 has been released. Sqlninja is a tool for exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back end. According to its project website, its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is intended for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.

Sqlninja Features:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
  • Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
In order to use sqlninja, the following Perl modules need to be installed:

  • NetPacket
  • Net-Pcap
  • Net-DNS
  • Net-RawIP
  • IO-Socket-SSL

You will also need the Metasploit Framework 3 on your box to use the Metasploit attack mode, and a VNC client if you use the VNC payload.

More Information & download links:

  1. Demo Video
  2. Project Documentation
  3. Download Page