Re: [sqlmap-users] OS Shell
From: Miroslav S. <mir...@gm...> - 2011-12-21 15:24:43
Hi Chris.

Could you please send the traffic file retrieved with -t traffic.txt?

Kind regards,
Miroslav Stampar

On 21.12.2011. 15:57, "Chris Oakley" <chr...@gm...> wrote:

> Hi All
>
> I have a time based blind injection on a machine running Windows Server
> 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be
> able to enable xp_cmdshell, and indeed:
>
> [13:10:12] [INFO] testing if current user is DBA
> [13:10:12] [INFO] retrieved: 1
> [13:10:29] [INFO] checking if xp_cmdshell extended procedure is available,
> please wait..
> [13:10:40] [INFO] xp_cmdshell extended procedure is available
> [13:10:41] [INFO] going to use xp_cmdshell extended procedure for
> operating system command execution
> [13:10:41] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and
> press ENTER
> os-shell> dir
> do you want to retrieve the command standard output? [Y/n/a]
> [13:10:53] [INFO] retrieved:
> No output
> os-shell> ipconfig
> do you want to retrieve the command standard output? [Y/n/a]
> [13:11:11] [INFO] retrieved:
> No output
> os-shell> exit
> [13:31:24] [INFO] cleaning up the database management system
> [13:31:26] [INFO] Fetched data logged to text files under...
>
> As you can see, no output is returned (is this because of the injection
> type I wonder?).
>
> I've tried the various out of bounds methods with BT and msf too, but this
> seems to fail at various stages.
>
> Could it be that the database server is separate from the web server and
> is totally isolated from the outside world by egress rules?
>
> I'm trying to understand why in this case nothing seems to be working.
>
> Any ideas would be great.
>
> Regards
>
> Chris