Command shell
As we discussed earlier in the writing files section, we can upload a backdoor written in the server-side language (PHP in our case) through the injection and use it to run commands on the host. SQLMap takes this a step further by automating the whole process: we can ask for an interactive command shell with the --os-shell option. On a MySQL back-end with a PHP front-end, SQLMap first writes a small file stager into the document root of the web server through the injection, uses that stager to upload its web backdoor, and, if everything goes correctly, drops us into an interactive command line on the target. Note that this is a web backdoor that receives commands over HTTP and returns their output in the response, not a reverse shell. For it to work the database account needs permission to write files (on MySQL, the FILE privilege, with secure_file_priv not blocking the document root), and the document root must be writable by the database process. Where the injection supports stacked queries SQLMap can take a different approach; for example, on MS-SQL systems it first attempts to use the xp_cmdshell stored procedure to achieve code execution.
Let's try this out as follows:
./sqlmap.py -u http://107.170.95.147/Less-1/?id=1 --os-shell
The output is shown in the following screenshot:
When run, it asks for the web application language, which in our case is PHP, and then for the path to the web server's document root. There can be different locations for the...