OS Exploitation
SQLMap can attempt to give us direct command execution on the remote host if we have the proper privileges.
We must have the following privileges: LOAD DATA and INSERT, to be able to load the content of a file into a table and then read that table.
DBA Privileges
To check whether we have DBA privileges with SQLMap, we can use the --is-dba option.
If the output shows current user is DBA: True, we may have the privilege to read local files.
Reading Local Files
To read a local file, we can use the --file-read option.
It will generate an output file that we can cat later on.
Writing Local Files
This is very restricted in modern DBMSes, since it can be used to write a Web Shell on the remote server.
To write files to the remote server, we can use the --file-write and --file-dest options.
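A defender's view of the privilege requirement and the restriction described above, as an added example that is not part of the original notes. It assumes a MySQL backend, where server-side file reads and writes depend on the global FILE privilege and the secure_file_priv setting; the account names and grant lines are constructed sample data.

```python
import re

# Constructed sample input: SHOW GRANTS lines per account (hypothetical accounts).
SAMPLE_GRANTS = {
    "webapp@localhost": [
        "GRANT USAGE ON *.* TO `webapp`@`localhost`",
        "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO `webapp`@`localhost`",
    ],
    "report@%": [
        "GRANT FILE ON *.* TO `report`@`%`",
        "GRANT SELECT ON `shop`.* TO `report`@`%`",
    ],
    "root@localhost": [
        "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    ],
}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)

def has_file_privilege(grant_lines):
    """True if any global (*.*) grant includes FILE or ALL PRIVILEGES."""
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m or m.group("scope") != "*.*":
            continue  # FILE is a global privilege; schema-level grants cannot carry it
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            return True
    return False

def file_io_exposure(secure_file_priv):
    """Classify secure_file_priv: '' = unrestricted, None (SQL NULL) = disabled, path = confined."""
    if secure_file_priv is None:
        return "disabled"
    return "unrestricted" if secure_file_priv == "" else "confined"

def audit(grants, secure_file_priv):
    """Return {account: exposure} for accounts able to do server-side file I/O."""
    exposure = file_io_exposure(secure_file_priv)
    if exposure == "disabled":
        return {}
    return {acct: exposure for acct, lines in grants.items() if has_file_privilege(lines)}

if __name__ == "__main__":
    # Compare the same grants under three server settings.
    for setting in ("", "/var/lib/mysql-files/", None):
        print(repr(setting), audit(SAMPLE_GRANTS, setting))
```

An application account that appears in the result with "unrestricted" is the case where the file options on this page would succeed; removing FILE from that account or setting secure_file_priv to NULL or a dedicated directory closes it.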
OS Command Execution
To get OS command execution, we can use the --os-shell option.
If this fails, we can try another injection technique, such as Error-based SQL Injection, which we can specify with --technique=E.
Try to use SQLMap to read the file "/var/www/html/flag.txt".
Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.