Ahmed, I have created an issue for this, https://github.com/sqlmapproject/sqlmap/issues/96.
Bernardo

On 3 May 2012 16:06, Bernardo Damele A. G. <bernardo.dam...@gmail.com> wrote:
> Hi Ahmed,
>
> On 2 May 2012 21:09, Ahmed Shawky <ah...@isecur1ty.org> wrote:
>>
>> While using sqlmap with --os-shell I found that it only works if the
>> writable directory is on the DOCUMENT_ROOT directly
>> and if it exists on another dir sqlmap successfully uploads the php file but
>> it couldn't connect through it
>
> This should not be the case.
>
>> ...
>> Here's data I sent manually to the application
>>
>> ' UNION ALL SELECT "<?php system($_GET['cmd']); ?>",NULL,NULL,NULL INTO OUTFILE "/opt/lampp/htdocs/uploads/test.php"#
>>
>> and here's sqlmap payload:
>> -7440' OR 6498=6498 LIMIT 1 INTO OUTFILE 's/scope/sqli/tmpuywdg.php' LINES TERMINATED BY
>> ...
>
> The reason why we opted to upload the web file stager with "LIMIT 1
> INTO OUTFILE" rather than using "UNION ALL SELECT" is because with the
> former we do not have to rely on UNION SQL injection technique which
> is statistically less common than boolean/time-based techniques.
>
> In cases where the boolean-based injection is OR-based though, the
> "LIMIT 1" clause limits the output to one entry only which will output
> to the file only the first entry of the whole SELECT statement. Hence
> no sqlmap payload is written to the target PHP file. This is exactly
> the behaviour that you have experienced.
>
> A solution to this issue is to use the "LIMIT [...]" clause payload
> for file upload as is by default unless it is an OR-based
> boolean-based SQL injection, in which case a fall-back to UNION
> statement is required, when UNION SQL injection technique has been
> identified too.
>
> We will be addressing this issue shortly.
>
> Bernardo
>
> --
> Bernardo Damele A. G.
>
> Homepage: http://about.me/inquis
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)