sqlmap-users

[sqlmap-users] Execute os commands

[Nikos T. <tar...@ho...>]

Hello, there is an sqli in SQL SERVER 2008. When I execute sqlmap with the parameter --sql-shell it gives me the shell but when I try to execute a command it cannot get the output and it says that xp_cmdshell is disabled. (tried --no-cast and --hex as it suggests)
I don't know if the output filtered by firewall, but how sqlmap is able to create a cmd-shell while xp_cmdshell is disabled? 		 	   		  

Re: [sqlmap-users] Execute os commands

[Brandon P. <bpe...@gm...>]

--sql-shell is not --os-shell.

You can also try --os-cmd if you want to execute a one-off command.

See --help for explanations.


On 02/23/2014 02:18 PM, Nikos Tzounakos wrote:
> Hello, 
> there is an sqli in SQL SERVER 2008. When I execute sqlmap with the
> parameter --sql-shell it gives me the shell but when I try to execute
> a command 
> it cannot get the output and it says that xp_cmdshell is disabled.
> (tried --no-cast and --hex as it suggests)
>
> I don't know if the output filtered by firewall, but how sqlmap is
> able to create a cmd-shell while xp_cmdshell is disabled?
>
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
>
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Re: [sqlmap-users] Execute os commands

[Nikos T. <tar...@ho...>]

Sorry my fault I mean --os-shell instead of --sql-shell.
Also when I use -b it finds the operating system. Is it possible though SQL server is completely seperated? Every time it says no output when I execute a command. I have tried also --os-cmd.
Thank you for your response.



> Date: Sun, 23 Feb 2014 14:20:48 -0600
> From: bpe...@gm...
> To: tar...@ho...; sql...@li...
> Subject: Re: [sqlmap-users] Execute os commands
> 
> --sql-shell is not --os-shell.
> 
> You can also try --os-cmd if you want to execute a one-off command.
> 
> See --help for explanations.
> 
> 
> On 02/23/2014 02:18 PM, Nikos Tzounakos wrote:
> > Hello, 
> > there is an sqli in SQL SERVER 2008. When I execute sqlmap with the
> > parameter --sql-shell it gives me the shell but when I try to execute
> > a command 
> > it cannot get the output and it says that xp_cmdshell is disabled.
> > (tried --no-cast and --hex as it suggests)
> >
> > I don't know if the output filtered by firewall, but how sqlmap is
> > able to create a cmd-shell while xp_cmdshell is disabled?
> >
> >
> > ------------------------------------------------------------------------------
> > Managing the Performance of Cloud-Based Applications
> > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> > Read the Whitepaper.
> > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> >
> >
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>  		 	   		  

Re: [sqlmap-users] Execute os commands

[Miroslav S. <mir...@gm...>]

If all those fail, you probably have problems with permissions at the
target side. That's a perfectly normal behavior. For example, to be able to
run --os-shell against the MsSQL xp_cmdshell has to be enabled and running
user has to have permissions to execute it.

Bye


On Mon, Feb 24, 2014 at 7:23 PM, Nikos Tzounakos <tar...@ho...>wrote:

> Sorry my fault I mean --os-shell instead of --sql-shell.
>
> Also when I use -b it finds the operating system. Is it possible though
> SQL server is completely seperated? Every time it says no output when I
> execute a command. I have tried also --os-cmd.
>
> Thank you for your response.
>
>
>
>
> > Date: Sun, 23 Feb 2014 14:20:48 -0600
> > From: bpe...@gm...
> > To: tar...@ho...; sql...@li...
> > Subject: Re: [sqlmap-users] Execute os commands
> >
> > --sql-shell is not --os-shell.
> >
> > You can also try --os-cmd if you want to execute a one-off command.
> >
> > See --help for explanations.
> >
> >
> > On 02/23/2014 02:18 PM, Nikos Tzounakos wrote:
> > > Hello,
> > > there is an sqli in SQL SERVER 2008. When I execute sqlmap with the
> > > parameter --sql-shell it gives me the shell but when I try to execute
> > > a command
> > > it cannot get the output and it says that xp_cmdshell is disabled.
> > > (tried --no-cast and --hex as it suggests)
> > >
> > > I don't know if the output filtered by firewall, but how sqlmap is
> > > able to create a cmd-shell while xp_cmdshell is disabled?
> > >
> > >
> > >
> ------------------------------------------------------------------------------
> > > Managing the Performance of Cloud-Based Applications
> > > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> > > Read the Whitepaper.
> > >
> http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk
> > >
> > >
> > > _______________________________________________
> > > sqlmap-users mailing list
> > > sql...@li...
> > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
>
>
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm