Thread: [sqlmap-users] backdoor file permission

Brought to you by: inquisb

This project can now be found here.

sqlmap-users

[sqlmap-users] backdoor file permission

From: Sergio C. Jr. <ser...@gm...> - 2011-06-05 04:12:19

Hi,

In a pentest, I could upload the web file stager but not the web backdoor.
Why this happens? I mean, isn't it possible to upload the backdoor in the
same way the file stagger is uploaded?

Thanks in advance.

-- 
Sergio Roberto Charpinel Jr.

Re: [sqlmap-users] backdoor file permission

From: Bernardo D. A. G. <ber...@gm...> - 2011-06-05 10:14:39

Hi Sergio,

sqlmap uses the file stager to upload the web backdoor. Can you try to
access the file stager from your browser? If so, can you upload it
from there?
Please, run again with -v3 --parse-errors and send us the full output,
privately if you prefer, so we can debug it properly.

Cheers,

Bernardo Damele A. G.

This message was sent from a smartphone

On 5 Jun 2011, at 05:12, "Sergio Charpinel Jr."
<ser...@gm...> wrote:

> Hi,
>
> In a pentest, I could upload the web file stager but not the web backdoor. Why this happens? I mean, isn't it possible to upload the backdoor in the same way the file stagger is uploaded?
>
> Thanks in advance.
>
> --
> Sergio Roberto Charpinel Jr.
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with vRanger.
> Installation's a snap, and flexible recovery options mean your data is safe,
> secure and there when you need it. Discover what all the cheering's about.
> Get your free trial download today.
> http://p.sf.net/sfu/quest-dev2dev2
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Re: [sqlmap-users] backdoor file permission

From: Miroslav S. <mir...@gm...> - 2011-06-05 14:13:05

Hi sergio.

Answer to your question is NO. Why? Because while injecting file uploader
you'll get few chars of garbage (at least in union injection case) at the
start of file which are of not so importance for the uploader script itself,
and the file itself must be textual. Uploading any arbitrary file, without
garbage at the beggining, especially binary, is not possible via sql
injection.

Kr
On 5.6.2011. 06:12, "Sergio Charpinel Jr." <ser...@gm...>
wrote:
> Hi,
>
> In a pentest, I could upload the web file stager but not the web backdoor.
> Why this happens? I mean, isn't it possible to upload the backdoor in the
> same way the file stagger is uploaded?
>
> Thanks in advance.
>
> --
> Sergio Roberto Charpinel Jr.

Re: [sqlmap-users] backdoor file permission

From: Sergio C. Jr. <ser...@gm...> - 2011-06-05 14:26:13

Miroslav,

In my case, I can access the file uploader, but I can't upload any files
(even text files) from the file uploader.
I agree I can't upload bin files in this case, but what about php files or
text files? The gargabe at the beggning will not affect them, I think.

Is that any way to upload these files in the same way as the file stager via
sqlmap?

Thanks.

2011/6/5 Miroslav Stampar <mir...@gm...>

> Hi sergio.
>
> Answer to your question is NO. Why? Because while injecting file uploader
> you'll get few chars of garbage (at least in union injection case) at the
> start of file which are of not so importance for the uploader script itself,
> and the file itself must be textual. Uploading any arbitrary file, without
> garbage at the beggining, especially binary, is not possible via sql
> injection.
>
> Kr
> On 5.6.2011. 06:12, "Sergio Charpinel Jr." <ser...@gm...>
> wrote:
> > Hi,
> >
> > In a pentest, I could upload the web file stager but not the web
> backdoor.
> > Why this happens? I mean, isn't it possible to upload the backdoor in the
> > same way the file stagger is uploaded?
> >
> > Thanks in advance.
> >
> > --
> > Sergio Roberto Charpinel Jr.
>



-- 
Sergio Roberto Charpinel Jr.

Re: [sqlmap-users] backdoor file permission

From: Miroslav S. <mir...@gm...> - 2011-06-05 14:41:51

Hi. We can provide this as a alternative and warn the user that file will
contain some garbage at the beggining. Just a reminder, it won't be suffice
in most number of cases (i can't wait reports with complaints related). Kr
On 5.6.2011. 16:26, "Sergio Charpinel Jr." <ser...@gm...>
wrote:
> Miroslav,
>
> In my case, I can access the file uploader, but I can't upload any files
> (even text files) from the file uploader.
> I agree I can't upload bin files in this case, but what about php files or
> text files? The gargabe at the beggning will not affect them, I think.
>
> Is that any way to upload these files in the same way as the file stager
via
> sqlmap?
>
> Thanks.
>
> 2011/6/5 Miroslav Stampar <mir...@gm...>
>
>> Hi sergio.
>>
>> Answer to your question is NO. Why? Because while injecting file uploader
>> you'll get few chars of garbage (at least in union injection case) at the
>> start of file which are of not so importance for the uploader script
itself,
>> and the file itself must be textual. Uploading any arbitrary file,
without
>> garbage at the beggining, especially binary, is not possible via sql
>> injection.
>>
>> Kr
>> On 5.6.2011. 06:12, "Sergio Charpinel Jr." <ser...@gm...>
>> wrote:
>> > Hi,
>> >
>> > In a pentest, I could upload the web file stager but not the web
>> backdoor.
>> > Why this happens? I mean, isn't it possible to upload the backdoor in
the
>> > same way the file stagger is uploaded?
>> >
>> > Thanks in advance.
>> >
>> > --
>> > Sergio Roberto Charpinel Jr.
>>
>
>
>
> --
> Sergio Roberto Charpinel Jr.

Re: [sqlmap-users] backdoor file permission

From: Miroslav S. <mir...@gm...> - 2011-06-06 09:06:07

hi again.

sorry, i was out of town (without source code) and haven't noticed
that we already do support this in this kind of cases.

also, i've tried to against our testing environment and both methods
do the job correctly.

this means that maybe in your case we do have some bug/problem.

kr

On Sun, Jun 5, 2011 at 4:41 PM, Miroslav Stampar
<mir...@gm...> wrote:
> Hi. We can provide this as a alternative and warn the user that file will
> contain some garbage at the beggining. Just a reminder, it won't be suffice
> in most number of cases (i can't wait reports with complaints related). Kr
>
> On 5.6.2011. 16:26, "Sergio Charpinel Jr." <ser...@gm...>
> wrote:
>> Miroslav,
>>
>> In my case, I can access the file uploader, but I can't upload any files
>> (even text files) from the file uploader.
>> I agree I can't upload bin files in this case, but what about php files or
>> text files? The gargabe at the beggning will not affect them, I think.
>>
>> Is that any way to upload these files in the same way as the file stager
>> via
>> sqlmap?
>>
>> Thanks.
>>
>> 2011/6/5 Miroslav Stampar <mir...@gm...>
>>
>>> Hi sergio.
>>>
>>> Answer to your question is NO. Why? Because while injecting file uploader
>>> you'll get few chars of garbage (at least in union injection case) at the
>>> start of file which are of not so importance for the uploader script
>>> itself,
>>> and the file itself must be textual. Uploading any arbitrary file,
>>> without
>>> garbage at the beggining, especially binary, is not possible via sql
>>> injection.
>>>
>>> Kr
>>> On 5.6.2011. 06:12, "Sergio Charpinel Jr." <ser...@gm...>
>>> wrote:
>>> > Hi,
>>> >
>>> > In a pentest, I could upload the web file stager but not the web
>>> backdoor.
>>> > Why this happens? I mean, isn't it possible to upload the backdoor in
>>> > the
>>> > same way the file stagger is uploaded?
>>> >
>>> > Thanks in advance.
>>> >
>>> > --
>>> > Sergio Roberto Charpinel Jr.
>>>
>>
>>
>>
>> --
>> Sergio Roberto Charpinel Jr.
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B