Wordpress MySQL injection attack on form

Hi, I have a form on my website (http://vegdc.com/suggestion/) and someone is using MySQL injection to alter my database to set the default values for the form.

The code below is supposed to help with this, but it has not helped:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||:wink:.* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

I am at a loss!

  • Patrick

    Hi there @Nicole

    I hope you're well today!

    Do you know who or what is doing this on your site? Is it an external attack, or, more likely, a custom plugin or doubtfully-coded theme that is doing it?

    Perhaps the form you are using has been improperly coded. What plugin are you using for that form? Or is it a hard-coded form in a template?

    That would be the first thing to check IMO. See this article for help on that:

  • Nicole

    Thanks so much for getting back to me. I'm using a hard-coded form from a template that I purchased. Unfortunately, the author of the template refuses to help because I added code to autologin a user to the form (in his template, people have to log in to use the form) - so by his definition, I altered the theme, and he won't cover support for that.

    How can I go about finding out who/what is doing this to my site? It's running on an Apache server that I admin. Thank you so much!

  • Nicole

    Here's the output of sqlmap - which seems to say that there are no vulnerabilities at that url ("http://vegdc.com/suggestion")

    [15:21:10] [WARNING] using '/root/.sqlmap/output' as the output directory
    [15:21:10] [WARNING] you've provided target URL without any GET parameters (e.g. http://www.site.com/article.php?id=1) and without providing any POST parameters through --data option
    do you want to try URI injections in the target URL itself? [Y/n/q] Y
    [15:45:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
    [15:45:29] [WARNING] URI parameter '#1*' does not appear dynamic
    [15:45:31] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
    [15:45:32] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to XSS attacks
    [15:45:32] [INFO] testing for SQL injection on URI parameter '#1*'
    [15:45:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [15:45:33] [WARNING] reflective value(s) found and filtering out
    [15:45:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
    [15:45:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
    [15:45:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
    [15:46:06] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
    [15:46:13] [INFO] testing 'MySQL inline queries'
    [15:46:15] [INFO] testing 'PostgreSQL inline queries'
    [15:46:16] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
    [15:46:17] [INFO] testing 'Oracle inline queries'
    [15:46:18] [INFO] testing 'SQLite inline queries'
    [15:46:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
    [15:46:25] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
    [15:46:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
    [15:46:37] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
    [15:46:43] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
    [15:46:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
    [15:46:43] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [15:47:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [15:48:07] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
    [15:48:08] [WARNING] false positive or unexploitable injection point detected
    [15:48:08] [WARNING] URI parameter '#1*' is not injectable
    [15:48:08] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
    [15:48:08] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 80 times

  • Ash

    Hello @Nicole

    Are you sure the injection is happening from this form? You may try to contact any server administrator if there is any security hole in your server. Also, make sure ftp is closed.

    About the coding standard, to prevent mysql injection in wordpress, you can take a look at this link:

    Specially the prepare statement.

    But it would be better to contact a server guru regarding this issue.


  • Ash

    Hello @Nicole

    I am really sorry, but you got me wrong :slight_frown:

    and part of the reason I paid for this support subscription was so that I could ask questions like this.

    Of course you can ask question, there is no problem with that. What I meant to say that as I am not a server expert, maybe you can talk to any server expert if there is any security hole in the server.

    Anyway, would you please make sure mod_security is enabled in your server?
    Make sure you are using wp_nonce_field in the form: http://codex.wordpress.org/Function_Reference/wp_nonce_field
    And make sure you are using prepare statement to process the data: http://codex.wordpress.org/Class_Reference/wpdb

    Please let us know about this.


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.