Using sqlmap I was able to gain access to one database, and using --current-user and --privileges I can confirm that the user is root@localhost with full privileges.

The part I have a problem with is that I don't understand how --os-shell works. I have googled a lot, but all the tutorials use easy targets, which doesn't help in my case.

So here is the command I use for using the --os-shell function:

```
python sqlmap.py -u 'http://www.example.com/th/dim-news-detail.php?id=9&page_num=0' --identify-waf --tamper=between,randomcase,space2comment -v 3 --random-agent --level 3 --risk 3 --dbs --os-shell
```

After this, sqlmap wants me to choose a programming language and I choose PHP. After that, it asks me for a location to upload the shell. This is the part I have a problem with. I don't know what location I should choose. Whatever I enter, sqlmap tries to upload it in directories after public_html and it fails to do so. I mean when I enter /var/www for example, sqlmap tries example.com/var/www, which obviously doesn't exist! Can anyone please let me know how the process works and how I need to figure out the path?

I'm using the Webmin panel on this target server, if that helps. I just need to know what criteria the directory should have in order for sqlmap to upload files to it, and I also need to know how to upload --os-shell before public_html. I mean the actual /var/www, not example.com/var/www.

schroeder
Mr Pro
  • Have you tried using these flags, as shown in this example: `sqlmap -u 192.168.1.124/sqli/Less-1.?id=1 --file-write=/root/Desktop/shell.php --file-dest=/xampp/htdocs/shell.php`? – Marco Nappi Oct 08 '20 at 14:20
  • Just tested this and I got: [10:33:57] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path) [10:33:57] [WARNING] HTTP error codes detected during run: 414 (Request-URI Too Long) - 1 times [10:33:57] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF). It seems that the location is not writable. So now the question is, how can I find a writable location? I know the web server is Apache and the panel is Webmin. – Mr Pro Oct 08 '20 at 14:35
  • Seems the mysql user does not have the right to write in that folder. Btw, I hope you are doing it all legally. – Marco Nappi Oct 08 '20 at 14:42
  • Of course it's legal, and we have strict rules when it comes to hacking where I live. The problem is that most of the tutorials on the internet are targeting easy targets and hence they don't give me much to learn. That's why I asked a friend of mine to install Webmin on his VPS so that I can practice on it. I can easily ask him to give me the location of a writable directory, but I want to learn how I can find it myself. So please, can you help me on how I can find writable directories that sqlmap can operate on? Is there a tool to achieve this or should we just guess and hope? – Mr Pro Oct 08 '20 at 14:53
  • Why do you want to upload the shell to someplace beyond the web root? – schroeder Oct 08 '20 at 14:56
  • This is looking less and less like a sqlmap or even a security question. This is looking more like you need to understand how Linux handles directory roots. – schroeder Oct 08 '20 at 15:00
  • I have basic knowledge of how Linux handles the directory roots. The problem I have right now is that, based on my knowledge, I have made some guesses about where I can upload the shell, but my guesses have been wrong. I want to know if there is any solid way to find writable directories to use with the --os-shell option. Sorry if I seem dumb. I'm trying to learn, but I haven't been able to find anything on the internet on how to find locations where --os-shell would work. – Mr Pro Oct 08 '20 at 15:40
  • Ok, this is known as an XY Problem. You are having trouble uploading a shell (problem X) so you want to solve the problem of accessing locations outside of the web root (problem Y). This is not a good way of approaching problems. First, work to understand why you are having trouble uploading a shell within the webroot. There might be something simple. Breaking out of a root is very difficult. – schroeder Oct 12 '20 at 08:54

1 Answer

Unless there is a configuration issue or a specific vulnerability, the root directory will be /var/www. That means that anything you upload will be within that directory.

schroeder
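
For the server owner, the sqlmap warning quoted in the comments ("the DBMS process user has no write privileges in the destination path") names the control that stopped the write. The following is an added example, not part of the original thread: it audits a web root for directories the DBMS service account could create files in. The account name `mysql`, the function names and the command-line defaults are assumptions, and it checks mode bits only (no ACLs, SELinux/AppArmor, or parent-directory traversal).

```python
import os
import pwd
import stat
import sys


def dir_writable_by(st, uid, gids):
    """True if the mode bits let uid/gids create files in a directory (write + search)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def audit_web_root(web_root, uid, gids):
    """Return sorted directories under web_root that the account can write into."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(web_root):  # symlinks are not followed
        if dir_writable_by(os.stat(dirpath), uid, gids):
            findings.append(dirpath)
    return sorted(findings)


def account_ids(name):
    """Resolve an account name to (uid, set of gids) from local passwd/group data."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, set(os.getgrouplist(name, entry.pw_gid))


if __name__ == "__main__":
    # Assumed defaults: web root /var/www (as in the answer), DBMS account "mysql".
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    account = sys.argv[2] if len(sys.argv) > 2 else "mysql"
    try:
        uid, gids = account_ids(account)
    except KeyError:
        sys.exit(f"no such local account: {account}")
    hits = audit_web_root(root, uid, gids)
    for path in hits:
        print(f"writable by {account}: {path}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when it finds any directory the account can write to, so it can run as a deployment or cron check on the server.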