
How to use sqlmap to get a shell

2025-02-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article shows how to use sqlmap to get a shell: reading and writing files through an SQL injection, then uploading a shell with --os-shell.

Reading and writing files with sqlmap

--file-read: reads a file from the back-end database management system's file system

--file-write: writes a local file to the back-end database management system's file system (the local source file)

--file-dest: the absolute path on the back-end database management system to write the file to (the target path)

After an SQL injection has been found, these options can read and write files on the system, provided the database user has read and write permission and DBA privileges; otherwise the read and write operations fail.
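The same prerequisites can be checked from the database side. The following is an added example, not part of the original article: it parses SHOW GRANTS output and the secure_file_priv server variable of MySQL/MariaDB to list accounts that could read or write server files through SQL. The grant lines are constructed, and the accounts other than dvwauser and all function names are assumptions.

```python
import re

# Privilege list, scope and account of one SHOW GRANTS line.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'\"]?(?P<user>[^`'\"@]+)[`'\"]?@[`'\"]?(?P<host>[^`'\"\s]+)",
    re.IGNORECASE,
)

# Constructed sample: SHOW GRANTS output for three accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `dvwauser`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE ON `dvwa`.* TO `webapp`@`localhost`",
    "GRANT FILE ON *.* TO 'report'@'%'",
]

def file_capable_accounts(grant_lines):
    """Accounts whose global grants include FILE, directly or through ALL."""
    found = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        # FILE is a global privilege, so only grants ON *.* can carry it.
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            found.append(f"{m.group('user')}@{m.group('host')}")
    return found

def secure_file_priv_state(value):
    """Interpret the secure_file_priv variable (None stands for SQL NULL)."""
    if value is None:
        return "disabled"        # LOAD_FILE / INTO OUTFILE are refused
    if value == "":
        return "unrestricted"    # any path the database OS user can reach
    return f"restricted to {value}"

def audit(grant_lines, secure_file_priv):
    """One finding per account that could read or write files via SQL."""
    state = secure_file_priv_state(secure_file_priv)
    if state == "disabled":
        return []
    return [f"{acct}: FILE privilege, secure_file_priv {state}"
            for acct in file_capable_accounts(grant_lines)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, ""):
        print(finding)
```

An account the web application connects as should not appear in this list; a grant all on *.* like the one given to dvwauser later in the article puts it there.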

DVWA, set up under Kali, is used here as the example for reading and writing files.

Read the file:

Check the relevant information in phpinfo and use the --file-read option to read the file.

sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=0o84koanki32dh7jjkckqelqme" --file-read "/etc/php/7.3/apache2/php.ini"

After the file is read successfully, sqlmap prints a path at the end of its output; open that path in the sqlmap output directory to see the contents of the file.

Write to a file:

Here, after using the DVWA command function to view the path, the file is written to the path /var/www/html/vulnerabilities/exec. With the --file-write and --file-dest options, the write succeeds.

sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=low; PHPSESSID=0o84koanki32dh7jjkckqelqme" --file-write "/usr/test/1.txt" --file-dest "/var/www/html/vulnerabilities/execl/1.txt"

(Figure: contents of 1.txt created under the usr path)

(Figure: contents of 1.txt displayed after the successful write)

Uploading a shell with sqlmap (--os-shell)

--os-shell has three prerequisites:

(1) The website must connect to the database with root privileges.

(2) The attacker needs to know the absolute path of the website.

(3) GPC is off, that is, PHP's automatic escaping (magic_quotes_gpc) is disabled.

First use the --is-dba option to check whether the current user is an administrator; if not, --os-shell cannot be used. As shown in the following figure, true means administrator and false means not an administrator.

Next, use the --os-shell option. Once the injection point is confirmed, sqlmap prompts for a language; choose the language the site uses. The DVWA built here is PHP, so 4 is selected.

After the language is chosen, sqlmap asks for the path. If you know the absolute path of the website, choose 2; otherwise choose 1 to use common paths.

After the path is selected, the write fails with a 404, as shown in the following figure.

Going back to check whether the other settings were at fault: --is-dba had returned true, and --current-user showed that the user was dvwauser. During the initial setup the system had also warned that MariaDB does not allow connecting to the database as root by default, so the grant all statement was used to give dvwauser all privileges, and the write path was given read and write permission as well, but the write still did not succeed. In the end I tried XAMPP. (I wondered whether the cause was the root user or the database version, since the write did succeed under XAMPP.)

Check that the user is dvwauser:

Give the dvwauser user permissions:

In desperation, I tried building DVWA with XAMPP and found that the write succeeded.

Before writing with XAMPP, I checked the user with --current-user, which showed root as in the following figure, and --is-dba returned true.

After the write succeeds, access the path where the file was written. There is an upload point there, which can be used to upload. I uploaded a PHP file and connected successfully using Ant Sword.
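Because the DVWA injection point used above is a GET parameter, the file read and write requests end up in the web server's access log. The following is an added example, not part of the original article: it scans Apache combined-format log lines for the MySQL/MariaDB file primitives (LOAD_FILE, INTO OUTFILE, INTO DUMPFILE), for the default sqlmap user agent, and for later requests to a file name that was just written. The log lines are constructed and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format: request URL, status and user agent.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
READ_RE = re.compile(r"load_file\s*\(", re.I)
WRITE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']+)'", re.I)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Feb/2025:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1&Submit=Submit HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [23/Feb/2025:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27%20UNION%20SELECT%20LOAD_FILE%28%27%2Fetc%2Fphp%2F7.3%2Fapache2%2F'
    'php.ini%27%29%2CNULL--%20-&Submit=Submit HTTP/1.1" 200 2210 "-" '
    '"sqlmap/1.x (constructed)"',
    '127.0.0.1 - - [23/Feb/2025:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27+INTO+OUTFILE+%27%2Fvar%2Fwww%2Fhtml%2Fvulnerabilities%2Fexecl%2F'
    '1.txt%27--+-&Submit=Submit HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [23/Feb/2025:10:00:12 +0000] "GET /vulnerabilities/execl/1.txt '
    'HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (line number, reason) alerts for file access through injection."""
    alerts, written = [], set()
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = unquote_plus(unquote_plus(m["url"]))  # also catches double encoding
        name = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if "sqlmap" in m["ua"].lower():
            alerts.append((n, "sqlmap-user-agent"))
        if READ_RE.search(url):
            alerts.append((n, "file-read-primitive"))
        w = WRITE_RE.search(url)
        if w:
            alerts.append((n, "file-write-primitive"))
            written.add(w.group(1).rsplit("/", 1)[-1])
        elif name and name in written:
            # A later request for a file name that an SQL statement just wrote.
            alerts.append((n, f"request-for-written-file:{m['status']}"))
    return alerts
```

Injection through POST bodies or cookies does not appear in the access log, so the same patterns then have to be matched in a WAF or in the database's query log.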
