Re: [sqlmap-users] question about --os-cmd
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] question about --os-cmd
|
From: Miroslav S. <mir...@gm...> - 2011-09-11 16:29:16
|
hi ryan. short answer is permissions (most often file write ones) long answer is: 1) --os-shell/--os-cmd/--os-pwn (STACKED INJECTION CASE) A) for MYSQL (rare in real life), PGSQL current DBMS user has to have UDF create/exec permissions B) MSSQL current DBMS user has to be able to run master.dbo.xp_cmdshell (EXEC permissions, function has to be enabled - sqlmap can try to enable it automatically, function has to exist) 2) --os-shell/--os-cmd/--os-pwn (NON-STACKED INJECTION CASE) A) for MYSQL current DBMS user has to have file write permissions to a reachable web directory kind regards On Sat, Sep 10, 2011 at 8:11 AM, ryan cartner <rya...@gm...> wrote: > what are the actual requirements for --os-cmd/shell/pwn ? I'm trying to > figure out how they work specifically. As far as I can tell you just need > write access to a folder in the web root. Is this true? Is there a way to > check your filesystem priviledges? > ------------------------------------------------------------------------------ > Malware Security Report: Protecting Your Business, Customers, and the > Bottom Line. Protect your business and customers by understanding the > threat from malware and how it can impact your online business. > http://www.accelacomm.com/jaw/sfnl/114/51427462/ > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
