Re: [sqlmap-users] SQLMap Stager Uploader
From: Miroslav S. <mir...@gm...> - 2011-01-23 20:48:09
Hi all.

There has been a major "revisit" of methods used in --os-shell. We'll try to do some more inspection of those, but all in all now it works far better than before. Just to warn that this doesn't mean that it will work always, as permissions are most problematic in this case, but should do in cases when previous one failed to do so while it could/should.

KR

On Sun, Jan 23, 2011 at 7:38 PM, yonny mutai <yo...@go...> wrote:
> Cool n thanks
>
> On Sun, Jan 23, 2011 at 9:28 PM, Miroslav Stampar <mir...@gm...> wrote:
>>
>> currently i am rewriting that all logic.
>>
>> will report
>>
>> kr
>>
>> On Sun, Jan 23, 2011 at 6:28 PM, yonny mutai <yo...@go...> wrote:
>> > Hi Miroslav,
>> > I found out it was AppArmor which was hindering mysql from writing the file.. It now writes the file but the script fails with the message "unable to upload the file stager on '/var/www/'.. although the file exists in the directory and when the script does a GET on the file it gets it .
>> > which web application language does the web server support?
>> > [1] ASP
>> > [2] ASPX
>> > [3] PHP (default)
>> > [4] JSP
>> >>
>> > [20:23:35] [WARNING] unable to retrieve the web server document root
>> > please provide the web server document root [/var/www/]:
>> > [20:23:35] [WARNING] unable to retrieve any web server path
>> > please provide any additional web server full path to try to upload the agent [/var/www/]:
>> > [20:23:36] [WARNING] unable to upload the file stager on '/var/www/'
>> > [20:23:36] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/127.0.0.1'
>> >
>> > 127.0.0.1 - - [23/Jan/2011:20:23:34 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>> > 127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5983 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>> > 127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "GET /tmpubtee.php HTTP/1.1" 200 241 "-" "Opera/9.62 (Windows NT 5.1; U; pt-BR) Presto/2.1.1"
>> > sylar@Sylar:/pentest/database/sqlmap$ ls -lhtr /var/www/
>> > total 324K
>> > drwxrwxrwx 4 mysql mysql 4.0K 2010-06-16 08:37 mutillidae
>> > drwxrwxrwx 15 mysql mysql 4.0K 2010-11-02 12:15 3G_data_promo
>> > -rwxrwxrwx 1 mysql mysql 6.9K 2010-12-21 16:47 41.js
>> > -rwxrwxrwx 1 mysql mysql 13K 2010-12-21 16:48 index.html
>> > drwxrwxrwx 8 mysql mysql 4.0K 2011-01-08 11:40 vux
>> > -rwxrwxrwx 1 mysql mysql 39K 2011-01-16 22:41 mutillidae1.5.zip
>> > -rw-r--r-- 1 mysql mysql 1.3K 2011-01-19 12:24 ppx.php
>> > -rw-rw-rw- 1 mysql mysql 1.3K 2011-01-23 20:23 tmpubtee.php
>> >
>> >
>> > On Thu, Jan 20, 2011 at 1:15 AM, yonny mutai <yo...@go...> wrote:
>> >>
>> >> I have tried both --os-pwn and --os-shell. I have set my metasploit path in my sqlmap.conf.. I'm running this on Linux. The application connects to the db as root. I have also tried --read-file and it's also not successful. Maybe it's the mysql version... I logged in as root to the db and tried to run select hex(load_file("__PATH__")) and it also returns null...
>> >> I'll try installing a lower version to see how it behaves..
>> >>
>> >> On Thu, Jan 20, 2011 at 1:00 AM, Miroslav Stampar <mir...@gm...> wrote:
>> >>>
>> >>> hi again.
>> >>>
>> >>> i wrongly mixed --os-shell and --os-pwn. for --os-pwn you need metasploit.
>> >>>
>> >>> are you using sqlmap on windows or on linux? where is your metasploit located (you haven't used the --msf-path=MSFPATH option)?
>> >>>
>> >>> if on linux then there would be a critical message "unable to locate Metasploit Framework 3 installation...." if no --msf-path specified (except proper environment variable is set), while on windows that message is in form of warning (we should change it to critical abort too) which says "[22:50:05] [WARNING] some sqlmap takeover functionalities are not yet supported on Windows. Please use Linux in a virtual machine for out-of-band features. sqlmap will now carry on ignoring out-of-band switches"
>> >>>
>> >>> kr
>> >>>
>> >>>
>> >>> On Wed, Jan 19, 2011 at 10:37 PM, yonny mutai <yo...@go...> wrote:
>> >>> > Thanks for your response Miroslav,
>> >>> > I have tried setting the permissions for the directories so that they are owned by the apache process ... but still it doesn't seem to work. Here are the access logs:
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:15 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100915 Gentoo Firefox/3.6.9"
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:49 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5949 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> >>> > 127.0.0.1 - - [20/Jan/2011:00:30:51 +0300] "GET /tmpucqwh.php HTTP/1.1" 404 488 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Slackware/13.0 Firefox/3.5.2"
>> >>> > and the permissions
>> >>> > sylar@Sylar:/pentest/database/sqlmap$ ls -lht /var/www/
>> >>> > drwxrwxrwx 8 www-data www-data 4.0K 2011-01-08 11:40 vux
>> >>> > -rwxrwxrwx 1 www-data www-data 102K 2010-12-21 17:24 fc4.js
>> >>> > -rwxrwxrwx 1 www-data www-data 6.9K 2010-12-21 16:47 41.js
>> >>> > drwxrwxrwx 4 www-data www-data 4.0K 2010-06-16 08:37 mutillidae
>> >>> > ... and I have the most latest state of the code from svn
>> >>> >
>> >>> >
>> >>> > On Thu, Jan 20, 2011 at 12:24 AM, Miroslav Stampar <mir...@gm...> wrote:
>> >>> >>
>> >>> >> hi yonny.
>> >>> >>
>> >>> >> few questions.
>> >>> >>
>> >>> >> do you have write permissions "for all" at the "target" directory (for example: /var/www/Multidae)? at which directory does Multidae reside at your debian machine? what have you entered as "target directory" when sqlmap asked you?
>> >>> >>
>> >>> >> as you can guess, most occurring problem with "stager" are the write permissions for the web servers process.
>> >>> >>
>> >>> >> KR
>> >>> >>
>> >>> >> On Wed, Jan 19, 2011 at 8:06 PM, yonny mutai <yo...@go...> wrote:
>> >>> >> > Hi,
>> >>> >> > Wonderful tool.... Seems like the stager uploader has ceased to work... anyone to help with this please..
>> >>> >> > To add more info that might help in troubleshooting :
>> >>> >> > DB : mysql Ver 14.14 Distrib 5.1.41, for debian-linux-gnu (i486) using readline 6.1
>> >>> >> > App: The vulnerable Multidae app
>> >>> >> > Command Used: ./sqlmap.py --level 5 --risk 3 --parse-errors --os-pwn --time-sec 10 -a txt/user-agents.txt --text-only --threads 1 --timeout 39 -u "http://127.0.0.1/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=txv&password=txv&Submit_button=Submit"
>> >>> >> >
>> >>> >> > Rgds
>> >>> >> >
>> >>> >> > _______________________________________________
>> >>> >> > sqlmap-users mailing list
>> >>> >> > sql...@li...
>> >>> >> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >>> >>
>> >>> >> --
>> >>> >> Miroslav Stampar
>> >>> >>
>> >>> >> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> >>> >> Mobile: +385921010204 (HR 0921010204)
>> >>> >> PGP Key ID: 0xB5397B1B
>> >>> >> Location: Zagreb, Croatia
>> >>> >
>> >>> > --
>> >>> >
>> >>> > Regards
>> >>> > Yonny Mutai
>> >>>
>> >>> --
>> >>> Miroslav Stampar
>> >>>
>> >>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> >>> Mobile: +385921010204 (HR 0921010204)
>> >>> PGP Key ID: 0xB5397B1B
>> >>> Location: Zagreb, Croatia
>> >>
>> >> --
>> >>
>> >> Regards
>> >> Yonny Mutai
>> >
>> > --
>> >
>> > Regards
>> > Yonny Mutai
>>
>> --
>> Miroslav Stampar
>>
>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>> Mobile: +385921010204 (HR 0921010204)
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>
> --
>
> Regards
> Yonny Mutai

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
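
Added example, not part of the original thread and not sqlmap code: detection logic for the access-log pattern visible in the logs quoted above, a POST to the injectable page followed by a GET for a tmpu????.php file, with the response status separating a failed write (404) from a served file (200). The file-name pattern, the 10-second window and the function name are assumptions; the sample lines are adapted from the thread's logs (user agents shortened) plus one constructed benign request.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log fields needed here: client, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumed pattern, from the names in the thread: tmpu + 4 lowercase letters + .php
STAGER = re.compile(r'/tmpu[a-z]{4}\.php$')
WINDOW = timedelta(seconds=10)  # assumed correlation window

# Adapted from the thread's logs (user agents shortened); line 3 is constructed.
SAMPLE = '''\
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Jan/2011:00:30:19 +0300] "GET /tmpuvwtu.php HTTP/1.1" 404 488 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Jan/2011:00:31:02 +0300] "GET /index.html HTTP/1.1" 200 13312 "-" "Mozilla/5.0"
127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 5983 "-" "Opera/9.62"
127.0.0.1 - - [23/Jan/2011:20:23:36 +0300] "GET /tmpubtee.php HTTP/1.1" 200 241 "-" "Opera/9.62"
'''

def find_stager_probes(log_text):
    """Return one finding per GET for a stager-shaped file name."""
    last_post = {}  # client -> (time, path) of that client's most recent POST
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        client, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST":
            last_post[client] = (when, path)
        elif method == "GET" and STAGER.search(path.split("?")[0]):
            prior = last_post.get(client)
            linked = prior[1] if prior and when - prior[0] <= WINDOW else None
            findings.append({
                "client": client, "file": path, "time": when.isoformat(),
                # 200: the file exists under the web root and was served.
                # Anything else: the request was made but no file was served.
                "severity": "file-served" if status == "200" else "probe-only",
                "preceding_post": linked,  # likely injection point to review
            })
    return findings

if __name__ == "__main__":
    for finding in find_stager_probes(SAMPLE):
        print(finding)
```

A "file-served" finding warrants checking the web root for files owned by the database account, as in the ls listing quoted in the thread.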