Today it came out that there is yet another SQL injection in WordPress Blogs.
This code exploits the Wordpress Plugin Upload File and allows an attacker to execute an arbitrary command on the hosting machine. If you host your blog locally, this is an enormous problem! The exploit (discovered by a Russian hacker, http://eserg.ru) is one of a myriad of security issues recently exposed by hackers, leaving bloggers worldwide vulnerable.
What is an Arbitrary Command?
This is when an attacker is able to exploit a security vulnerability in a program to execute commands on YOUR computer. For example, in this case, by simply executing this SQL query
null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*
on your server, he is able to add or remove users, delete files, and install any number of viruses.
Be on the lookout in the next week for a patch from www.wordpress.com / www.wordpress.org.
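To show what that query actually does once it lands in a page that pastes request parameters into SQL, here is an added example of my own (not code from WordPress, from the Upload File plugin, or from the exploit's author). It builds a throwaway SQLite database with made-up rows shaped like wp_users and an assumed wp_uploads table, runs the payload above through a lookup that concatenates the parameter into the statement, and then runs the same input through the parameterised version. The payload is adapted to SQLite's dialect (MySQL's concat(user_login, 0x3a, user_pass) becomes user_login||':'||user_pass); the table, column and function names are assumptions for the demo. The small normaliser at the end strips the /**/ padding so the UNION ... SELECT shows up plainly in a log search or a WAF rule.

```python
import re
import sqlite3

# Constructed sample rows for the demo; nothing here comes from a real site.
SAMPLE_USERS = [
    (1, "admin", "$P$placeholder-hash-1"),
    (2, "editor", "$P$placeholder-hash-2"),
]
SAMPLE_UPLOADS = [
    (1, "report.pdf", 0),
    (2, "photo.jpg", 0),
]

# The query from the post, adapted to SQLite's dialect: MySQL's
# concat(user_login, 0x3a, user_pass) becomes user_login||':'||user_pass.
# The /**/ comment-as-whitespace trick and the trailing /* that swallows
# whatever the application appends after the parameter are kept as-is.
PAYLOAD = (
    "null/**/union/**/all/**/select/**/user_login||':'||user_pass"
    "/**/from/**/wp_users/*"
)


def build_db():
    """In-memory database shaped like the two tables involved (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_uploads (ID INTEGER PRIMARY KEY, filename TEXT, deleted INTEGER)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_uploads VALUES (?, ?, ?)", SAMPLE_UPLOADS)
    return conn


def lookup_upload_vulnerable(conn, upload_id):
    """The flawed pattern: the request parameter is pasted into the SQL text.

    Whatever the client sends becomes part of the statement, so 'null union
    all select ...' turns a file lookup into a dump of wp_users, and the
    trailing /* comments out the 'AND deleted = 0' the code appends.
    """
    sql = "SELECT filename FROM wp_uploads WHERE ID = " + upload_id + " AND deleted = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_upload_safe(conn, upload_id):
    """The fix: the parameter is bound, so it is only ever compared as a value."""
    sql = "SELECT filename FROM wp_uploads WHERE ID = ? AND deleted = 0"
    return [row[0] for row in conn.execute(sql, (upload_id,))]


# Matches a C-style comment, including one left open until end of input.
_COMMENT_RE = re.compile(r"/\*.*?(\*/|$)", re.S)


def normalize_for_logging(value):
    """Replace comments with spaces and collapse whitespace, so keywords hidden
    behind /**/ are visible to a log search or a WAF rule."""
    return re.sub(r"\s+", " ", _COMMENT_RE.sub(" ", value)).strip().lower()


def looks_like_union_injection(value):
    """Cheap detection signal for a numeric id parameter: a UNION ... SELECT
    should never appear in one once the comment padding is removed."""
    return re.search(r"\bunion\b.*\bselect\b", normalize_for_logging(value)) is not None


if __name__ == "__main__":
    conn = build_db()
    print("legit id, vulnerable:", lookup_upload_vulnerable(conn, "2"))
    print("payload,  vulnerable:", lookup_upload_vulnerable(conn, PAYLOAD))
    print("payload,  safe:      ", lookup_upload_safe(conn, PAYLOAD))
    print("normalized:", normalize_for_logging(PAYLOAD))
```

Run it and the vulnerable lookup hands back every login:hash pair from wp_users, while the bound-parameter version returns nothing for the same input, because SQLite compares the whole string as a value against the integer ID column. Keyword filtering alone is not the fix (the /**/ padding exists precisely to dodge naive filters); binding parameters is, and the normaliser is only there to make such attempts visible in logs.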
My New Blog
May 24, 2008
Wordpress SQL injection
May 15, 2008
Hi, I'm Here to Fix Your Computer.
How many of us work in a hectic, stressed environment, where deadlines and bottom lines rule your workweek? In the course of a day, how many idiotic requests do you get to do seemingly mundane chores? How often has this happened?
You: {Bored and Seeking an excuse to take a break}
Phone Repairman: "Hi, Corporate sent me over to do some work on your phone line."
You: "Oh, alright. About how long will it take?"
PR: "Ten minutes, twenty tops. I have some other stuff to do, so if you're busy I can come back during lunch."
You: "Alright, Thanks!"
What happened here? You just gave a rival company full access to your office!
You: "But he can't do anything! He doesn't have my password!"
Me: *Hits You in the Head*
Let's go through this. He could (in ten minutes):
A. Steal a hard drive
B. Install a hardware keylogger
In twenty minutes:
A. Do a stealth boot onto your computer
B. Install a software keylogger and screen capture device
C. Comb through trade secret documents, and walk out with them unquestioned.
D. Confiscate hidden bank documents, client credit cards, even blackmail.
Would you give a thief a key? Would you give a murderer a knife?
Would you give a meth addict a pipe?
You wouldn't do it with a hacker either. 10% of hacking is intelligence, 89% is persistence, and 1% is technological prowess.
Hackers won't look like the typical grungy teen while they are looking for information:
When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple "thank you" clinches the deal. And if that's not enough, the new user routine often works too: "I'm confused, (batting eyelashes) can you help me?"
Need more info or training?
Let me secure your network!
Gillis57@gmail.com
Or, if for some god-awful reason you actually want to know what I'm doing:
twitter.com/Gillis57
gillis57.googlepages.com