How to use sqlmapGetshell
sqlmap reads and writes files
–file-read: reads files from the back-end database management system file system
–file-write: edits Local file on the file system of the back-end database management system (write from local)
–file-dest: The absolute path to the file written by the back-end database management system (write target path)
You can use the above commands to read and write the system files after SQL injection, but the prerequisite is that you need to have read and write permissions and have dba permissions, otherwise the read and write operations will not be successful.
Take DVWA as an example, build DVWA under kali to read and write files.
Read the file:
Check the relevant information in PHPinfo and use the -file-read command to read the file.
sqlmap -u"http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"--cookie "security=low; PHPSESSID=0o84koanki32dh7jjkckqelqme"-file-read " /etc/php/7.3/apache2/php.ini"
After the file is successfully read, there will be a prompt at the end of the displayed information to enter the sqlmap output Relevant information content can be read only under the relevant path.
Write file:
Here, after checking the path using DVWA command execution, write the file to / In the path var/www/html/vulnerabilities/exec, use the -file-write and -file-dest commands and find that the writing is successful.
sqlmap -u"http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#"--cookie "security=low; PHPSESSID=0o84koanki32dh7jjkckqelqme"-file-write " /usr/test/1.txt" -file-dest "var/www/html/vulnerabilities/execl/1.txt"
(The content of 1.txt created under the use path)
(The content of 1.txt will be displayed after successful writing)
Sqlmap upload shell (--os-shell)
--os-shell has three execution conditions:
(1) The website must be root Permissions
(2) The attacker needs to know the absolute path of the website
(3) GPC is off, and PHP’s active escape function is turned off
First use --is- Use the dba command to check whether you are an administrator. If not, you cannot use the --os-shell command. As shown in the figure below, if it is displayed as true, it is an administrator, and if it is not an administrator, it is displayed as false.
Next, use the –os-shell command. After there is an injection point, you will be prompted to select a language. The selection here is based on the language used by the system. The DVWA built is php, so I selected it here. 4.
After the language selection of the website is completed, the path will be selected. If you know the absolute path of the website, you can choose 2, or you can choose 1 common path.
After the path selection is completed, a 404 prompt is displayed when writing, as shown in the figure below.
Go back and check if there are any problems with other settings. I used -is-dba earlier and the display was true. Then I used the command current-user to view the user and found that the user is dvwauser. During the initial setup, the system also prompted that MariaDB cannot use root permissions to connect to the database by default, but it also used the grant all statement to grant all permissions to dvwauser, and the writing path was also set with read and write permissions, but the writing was never successful. Finally, Or try using xampp. (I have wondered whether it is a problem with the root user or a problem with the database version. After all, xampp writes successfully)
Check that the user is dvwauser:
Grant dvwauser user permissions:
In desperation, when I tried to use Xampp to build DVWA, I found that it was successfully written this time.
Before using xampp to write, use current-user to view the user, as shown in the figure below, it is displayed as root, and -is-dba is displayed as true.
After the writing is successful, access the path to the written file. There is an upload point here for uploading. I uploaded a php file using Ant. The sword was connected successfully.
The above is the detailed content of How to use sqlmapGetshell. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

Use sqlmap to automate injection into dvwa, set the dvwa level to low, open dvwa's SQLInjection (SQLInjection(Blind)), open browser debugging, enter the userid and submit, and view the intercepted requests. You can see that it is a GET request, the url "http://192.168.1.222:8089/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" We put it directly into salmap to test it, use the -u command -u"http ://192.168.1.22

Because it is necessary to conduct penetration testing on external websites, most websites have access frequency control. Once this frequency is exceeded, the IP will be banned directly. Especially when SQLMAP is running, it is even more "aunty red", and an error is reported and exited before SQLMAP is finished running. So I started to study the proxy mode of SQLMAP. SQLMAP has two proxy modes, one is a normal proxy (HTTP proxy) and the other is an onion proxy. I originally wanted to write about the application of ordinary agents, but Baidu saw that this article was detailed enough and stopped talking nonsense. Sqlmap extension - External IP proxy pool implementation Let’s focus on the onion proxy. At the beginning, when onion was used directly for injection, there was no “aunt red” report. Later, as the number of penetrated websites increased,

Part One: Using Sqlmap 1.1 Introduction to sqlmap 1. I mentioned some basic statements of sql injection, but manual injection is very troublesome. We can use sqlmap, a powerful sql injection tool, to obtain data. 2. Introduction to sqlmap (1)# sqlmap is an open source penetration testing tool that can automatically detect and exploit SQL injection vulnerabilities and servers connected to the database. It has a very powerful detection engine, a penetration tester with multiple features, access the underlying file system through database fingerprinting and execute commands over an out-of-band connection. Official website: sqlmap.org(2)#Supported databases: MySQL, Oracle, PostgreS

0x00 Overview Recently, I encountered a strange phenomenon when using sqlmap injection testing. The higher version of sqlmap cannot detect the injection, but the lower version can detect the injection, and the data can be run out, which is not a false positive. After comparative testing and viewing the sqlmap source code, Found two small holes. 0x01 scenario reproduction injection point format: json..."whereparams":[{"name":"keyWord","value":"test"}]} Injectable parameters: valuesqlmap command: pythonsqlmap.py-rsqlpk.txt– flush-session-vvsqlmapv1.2.11 cannot inject s

1. Preface How to detect SQL injection? My answer is: When Party A is doing security, SQL injection detection is relatively easy to do. 1) Error injection detection. 2) Don’t inject bool error reports as false positives are relatively high. 3) Do time-based time injection, contact operation and maintenance to do slow log db recording, monitor sleep, and benchmark keyword monitoring. You can add the ID number of the scanning task to the decimal point of the sleep time to facilitate positioning. (p.s. This method can find 99% of SQL injections) Therefore, when doing time-based time injection, I limit the time error very harshly. However, @chengable is doing security-related work in Party B, based on t

When I tested the company's APP, I found that we added a 32-bit character to all parameter contents and finally performed MD5 encryption. Since the APP processing process first verifies whether the sign is correct, if the signature verification fails, it will not be able to enter the database at all. In order to use SQLMAP to test it, I wrote a script for proxy data. After intercepting the data packet , perform encrypted replacement of its parameter content and 32 characters. Note: This script is suitable for the company's internal system, because you can know the encryption process; or you can get the encryption method of the front-end JS. First, I wrote a program using Django to simulate the company's system. The process was to obtain the POST ID and token, and add a custom encrypted word.

sqlmap reads and writes files –file-read: reads files from the back-end database management system file system –file-write: edits local files on the back-end database management system file system (writes from local) –file-dest : The absolute path to the file written by the back-end database management system (write target path). You can use the above commands to read and write the system file after SQL injection, but the prerequisite is that you need to have read and write permissions and be a dba. permissions, otherwise read and write operations cannot be performed successfully. Taking DVWA as an example, build DVWA under kali to read and write files. Read the file: Check the relevant information in PHPinfo, use -file-r

There are too few related articles on dns injection for sqlmap on the Internet. They only briefly introduce the --dns-domain parameter. The relevant practical articles are either vague or mentioned in one stroke, which is confusing (mainly dishonest, the key is not yet Big boss). Then I did it again by referring to the methods on the Internet. Things that need to be prepared include one sqlmap, windows blind injection, two domain names, and an external network server. One time when I was doing something, I came across a time blind injection. It happened to be a Windows machine, and I remembered the method of dns injection. Before starting, I plan to use the --sql-shell command of sqlmap to test the dns injection payload. First, go to burpsuite.
