Re: [sqlmap-users] backdoor file permission
From: Miroslav S. <mir...@gm...> - 2011-06-05 14:41:51
Hi.

We can provide this as an alternative and warn the user that the file will contain some garbage at the beginning. Just a reminder, it won't suffice in most cases (I can't wait for reports with related complaints).

Kr

On 5.6.2011. 16:26, "Sergio Charpinel Jr." <ser...@gm...> wrote:
> Miroslav,
>
> In my case, I can access the file uploader, but I can't upload any files
> (even text files) from the file uploader.
> I agree I can't upload bin files in this case, but what about php files or
> text files? The garbage at the beginning will not affect them, I think.
>
> Is there any way to upload these files in the same way as the file stager via
> sqlmap?
>
> Thanks.
>
> 2011/6/5 Miroslav Stampar <mir...@gm...>
>
>> Hi Sergio.
>>
>> The answer to your question is NO. Why? Because while injecting the file uploader
>> you'll get a few chars of garbage (at least in the union injection case) at the
>> start of the file, which are not of much importance for the uploader script itself,
>> and the file itself must be textual. Uploading any arbitrary file, without
>> garbage at the beginning, especially binary, is not possible via SQL
>> injection.
>>
>> Kr
>> On 5.6.2011. 06:12, "Sergio Charpinel Jr." <ser...@gm...>
>> wrote:
>> > Hi,
>> >
>> > In a pentest, I could upload the web file stager but not the web backdoor.
>> > Why does this happen? I mean, isn't it possible to upload the backdoor in the
>> > same way the file stager is uploaded?
>> >
>> > Thanks in advance.
>> >
>> > --
>> > Sergio Roberto Charpinel Jr.
>
> --
> Sergio Roberto Charpinel Jr.