See this 5-minute video at https://vid.me/HH8k
Sorry to post this as an issue, but I wanted the immediate attention of @danielkerr.
I know the attacker needs admin access to the site.
Attack SQL Query @ https://gist.github.com/robinflyhigh/4e13f7c444a3664441c150d125a18abe
The reason for logging it as an issue is that this type of SQL script should not be executable: https://gist.github.com/robinflyhigh/4e13f7c444a3664441c150d125a18abe
And even with admin access you cannot view server files, but when this type of attack happens they get access to the site files as well.
Sorry once again for posting and wasting your precious time.
@robinflyhigh are you stupid!
If you have access to the admin you can download a backup of the whole DB, decode all the password hashes, or upload a hacking mod script through the extension installer, etc.!
But no, not this clown!
So this clown not only logs into his own store using the username/password admin/admin but comes up with a bullshit hack of the error log rather than uploading an extension mod, which would give him full access to the files.
This guy is an idiot! He's not a hacker!
We have had several client sites hacked by this simple attack. The key is that they have a simple admin name and password like "123456" and "admin". Once the hacker gets in, he changes error.log -> error.php, and then...
We just modded the code to stop the error.log extension from being changed to *.php. Many new sites get hacked by this trick; I guess they should be warned.
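The mod described above (refusing any error log filename that does not end in .log) is the right shape of fix. The following is an added example, not OpenCart's own code or the commenter's patch: a validation function for the admin-supplied error log filename, plus a run over constructed attacker-style values. The setting name `config_error_filename` and the log directory constant `DIR_LOGS` are assumed to follow OpenCart conventions and are not taken from this page.

```php
<?php
// Added example (not OpenCart's own code): validate the admin-supplied
// "Error Log Filename" setting before it is saved, so the log can never be
// renamed to something the web server would execute (error.php) or written
// outside the log directory. DIR_LOGS and the setting name
// config_error_filename are assumed to follow OpenCart conventions.

declare(strict_types=1);

/**
 * Return the absolute path for a log filename that passes validation,
 * or null if the value must be rejected.
 */
function validate_error_log_filename(string $filename, string $log_dir): ?string
{
    // Only a bare basename from a conservative character set, with exactly
    // one dot and a .log suffix. This refuses error.php, error.log.php,
    // error.php.log (Apache can treat a double extension as PHP), .htaccess,
    // ../../index.php, and anything containing NUL bytes, path separators
    // or a trailing newline (\z, not $, so "error.log\n" is rejected too).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.log\z/', $filename)) {
        return null;
    }

    // Anchor the result to the configured log directory and verify the
    // parent directory is still exactly that directory after resolution.
    $base = realpath($log_dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $filename;
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Demo on constructed inputs: a temporary log directory and a set of
// attacker-style values next to the one legitimate value.
$log_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'oc_logs_demo_' . getmypid();
mkdir($log_dir);

$candidates = [
    'error.log',              // legitimate, the only value accepted below
    'error.php',              // the rename used in the attack
    'error.log.php',          // double extension
    'error.php.log',          // reverse double extension
    '.htaccess',              // server config file
    '../../index.php',        // path traversal into the web root
    "error.log\0.php",        // NUL byte truncation attempt
    "error.log\n",            // trailing newline
    '',                       // empty
];

foreach ($candidates as $name) {
    $result = validate_error_log_filename($name, $log_dir);
    printf("%-24s => %s\n",
        json_encode($name),
        $result === null ? 'REJECTED' : 'ok (' . basename($result) . ')');
}

rmdir($log_dir);
```

Two caveats a practitioner would want. First, the attack in the original post is an SQL query against the settings table, not a form submission, so validation in the admin settings controller alone does not cover it; apply the same check where the log file is actually opened and fall back to `error.log` when the stored value fails. Second, the log content is attacker-influenced (error messages echo request data), so the log directory should not be executable or browsable by the web server at all: keep `DIR_LOGS` outside the document root or deny it in the server configuration, so a renamed log file is harmless even if a check is bypassed.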
I really hope that was not your video you uploaded!
Nope, that's not my video @danielkerr
The user is the vulnerability if they use admin as their default login and password 1234.
It's just the same as using a 5-character password for your web hosting! You will be hacked! It's very easy to get the login name from errors.
The person who posted this video would not know PHP properly; he's guessing what he's doing. It will be some poorly educated guy from some 3rd world country: Vietnam, India, Pakistan, etc.
Use some common sense: these guys can't code properly. Maybe cheap services, but you end up with insecure, slow, spaghetti code.
The fact he posted this video shows he's a low-level programmer, probably making money from posting crap like this.
Another point is you not only need access to the admin but also permissions to access the settings page!
Just wasted 30 minutes on this because the poster could not work it out for himself.
Also, after the release of the cloud I plan to add 2-factor authentication to the admins.