Re: [sqlmap-users] wrong file size checking with os-shell
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] wrong file size checking with os-shell
|
From: Robin W. <ro...@di...> - 2012-09-14 14:48:26
|
On 14 September 2012 13:49, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> Original stager(.php) size is indeed 703 bytes, so sqlmap is not wrong in
> your case. You can check it by going into ./shell and running: "find
> backdoor.*_ stager.*_ -type f -exec python ../extra/cloak/cloak.py -d -i
> '{}' \;"
>
> If you want to debug you could try watching traffic with -v 5 or by
> capturing it with -t traffic.txt. Maybe something interesting could be found
> there.
I backed up my output directory then deleted and re-checked out
everything and now it is working. I guess something got cached based
on an old version of the shell.
Robin
> Kind regards,
> Miroslav Stampar
>
> On Fri, Sep 14, 2012 at 2:12 PM, Robin Wood <ro...@di...> wrote:
>>
>> Looks like you've updated the shell sent over with os-shell but not
>> updated the size that the script checks to see if it exists.
>>
>> Robin
>>
>> [13:08:22] [WARNING] unable to retrieve the web server document root
>> please provide the web server document root [/var/www/]:
>> /var/www/html/upload/
>> [13:08:29] [WARNING] unable to retrieve any web server path
>> please provide any additional web server full path to try to upload
>> the agent [Enter for None]:
>> [13:08:30] [WARNING] unable to upload the file stager on
>> '/var/www/html/upload'
>> [13:08:30] [INFO] trying to upload the file stager via UNION technique
>> do you want confirmation that the file
>> '/var/www/html/upload/tmpuivks.php' has been successfully written on
>> the back-end DBMS file system? [Y/n]
>> [13:08:33] [INFO] the file has been successfully written and its size
>> is 6969 bytes, but the size differs from the local file
>> '/tmp/tmpo2EvI1' (703 bytes)
>> [13:08:33] [WARNING] expect junk characters inside the file as a
>> leftover from UNION query
>> [13:08:33] [WARNING] HTTP error codes detected during testing:
>> 404 (Not Found) - 2 times
>> [13:08:33] [INFO] fetched data logged to text files under
>> '/home/robin/tools/web/sqlmap/output/192.168.50.22'
>>
>>
>> ------------------------------------------------------------------------------
>> Got visibility?
>> Most devs has no idea what their production app looks like.
>> Find out how fast your code is with AppDynamics Lite.
>> http://ad.doubleclick.net/clk;262219671;13503038;y?
>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
|