Hi.

Original stager(.php) size is indeed 703 bytes, so sqlmap is not wrong in
your case. You can check it by going into ./shell and running:

    find backdoor.*_ stager.*_ -type f -exec python ../extra/cloak/cloak.py -d -i '{}' \;

If you want to debug you could try watching traffic with -v 5 or by
capturing it with -t traffic.txt. Maybe something interesting could be
found there.

Kind regards,
Miroslav Stampar

On Fri, Sep 14, 2012 at 2:12 PM, Robin Wood <ro...@digininja.org> wrote:

> Looks like you've updated the shell sent over with os-shell but not
> updated the size that the script checks to see if it exists.
>
> Robin
>
> [13:08:22] [WARNING] unable to retrieve the web server document root
> please provide the web server document root [/var/www/]:
> /var/www/html/upload/
> [13:08:29] [WARNING] unable to retrieve any web server path
> please provide any additional web server full path to try to upload
> the agent [Enter for None]:
> [13:08:30] [WARNING] unable to upload the file stager on
> '/var/www/html/upload'
> [13:08:30] [INFO] trying to upload the file stager via UNION technique
> do you want confirmation that the file
> '/var/www/html/upload/tmpuivks.php' has been successfully written on
> the back-end DBMS file system? [Y/n]
> [13:08:33] [INFO] the file has been successfully written and its size
> is 6969 bytes, but the size differs from the local file
> '/tmp/tmpo2EvI1' (703 bytes)
> [13:08:33] [WARNING] expect junk characters inside the file as a
> leftover from UNION query
> [13:08:33] [WARNING] HTTP error codes detected during testing:
> 404 (Not Found) - 2 times
> [13:08:33] [INFO] fetched data logged to text files under
> '/home/robin/tools/web/sqlmap/output/192.168.50.22'
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar
http://about.me/stamparm