[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 03:21:03 UTC 2016
Always Learning <centos at u64.u22.net>

mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
readline 5.1


I spotted something strange and immediately installed a routine to
automatically impose an iptables block when the key used for database
access is excessively long.

My URL was something like this

...../...../.....php?key=123456

The injection was something like this

...../...../.....php?key=876711111111111111111111111111' UNION SELECT
13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%"   -- /*
order by 'as

There are no user permission on information_schema.

There seems to be 2 versions of the coding floating around on Austrian
and Russian IPs. One is ineffective but the other works. It seems the
author is expert in the intricate structure and design of SQL.



-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.