Hi Ahmed,

On 2 May 2012 21:09, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>
> While using sqlmap with --os-shell I found that it only works if the
> writable directory is on the DOCUMENT_ROOT directly
> and if it exists on another dir sqlmap successfully uploads the php file but
> it couldn't connect through it

This should not be the case.

> ...
> Here's data I sent manually to the application
>
> ' UNION ALL SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL,NULL INTO
> OUTFILE "/opt/lampp/htdocs/uploads/test.php"#
>
> and here's sqlmap payload:
> -7440' OR 6498=6498 LIMIT 1 INTO OUTFILE 's/scope/sqli/tmpuywdg.php' LINES
> TERMINATED BY
> ...

The reason why we opted to upload the web file stager with "LIMIT 1
INTO OUTFILE" rather than using "UNION ALL SELECT" is because with the
former we do not have to rely on UNION SQL injection technique which
is statistically less common than boolean/time-based techniques.

In cases where the boolean-based injection is OR-based though, the
"LIMIT 1" clause limits the output to one entry only which will output
to the file only the first entry of the whole SELECT statement. Hence
no sqlmap payload is written to the target PHP file. This is exactly
the behaviour that you have experienced.

A solution to this issue is to use the "LIMIT [...]" clause payload
for file upload as is by default unless it is an OR-based
boolean-based SQL injection, in which case a fall-back to UNION
statement is required, when UNION SQL injection technique has been
identified too.

We will be addressing this issue shortly.

Bernardo



-- 
Bernardo Damele A. G.

Homepage: http://about.me/inquis
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
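
For defenders, both stager forms discussed in this message ("LIMIT 1 INTO OUTFILE" and "UNION ALL SELECT ... INTO OUTFILE") can be flagged in request parameters, along with the OR-based case described above. The Python sketch below is an added example, not part of the original message or of sqlmap's code; the function names, extension list, sample values and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# INTO OUTFILE / INTO DUMPFILE followed by a quoted path
OUTFILE_RE = re.compile(
    r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+(['\"])(?P<path>.+?)\1", re.I | re.S)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
LIMIT_RE = re.compile(r"\bLIMIT\s+\d+(?:\s*,\s*\d+)?\s*$", re.I)
OR_RE = re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I)
TERM_RE = re.compile(r"\bLINES\s+TERMINATED\s+BY\b", re.I)
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")  # assumed list


def classify(raw_value):
    """Describe a file-write attempt in one URL-encoded parameter value."""
    value = unquote_plus(raw_value)
    m = OUTFILE_RE.search(value)
    if m is None:
        return None
    before, after = value[:m.start()], value[m.end():]
    if UNION_RE.search(before):
        form = "union"      # UNION ALL SELECT ... INTO OUTFILE
    elif LIMIT_RE.search(before):
        form = "limit"      # ... LIMIT n INTO OUTFILE
    else:
        form = "other"
    path = m.group("path")
    return {
        "form": form,
        "or_based": bool(OR_RE.search(before)),  # OR n=n ahead of the write
        "path": path,
        "script_target": path.lower().endswith(SCRIPT_EXT),
        "line_terminator": bool(TERM_RE.search(after)),
    }


# Constructed sample parameter values (not captured traffic)
SAMPLES = [
    "42",
    "-1%27+OR+1%3D1+LIMIT+1+INTO+OUTFILE+%27/var/www/example/tmpstager.php%27"
    "+LINES+TERMINATED+BY+0x00",
    "x%27+UNION+ALL+SELECT+%27a%27,NULL+INTO+OUTFILE+"
    "%22/var/www/example/uploads/t.php%22%23",
    "report+into+outfile+format",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```
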
