We have recently implemented data retrieval over DNS in sqlmap. This
data exfiltration technique adds to the six existing techniques
already implemented: boolean-based blind, time-based blind, full
UNION, partial UNION, error-based and stacked (nested) queries. It is
supported on Oracle (running either on UNIX/Linux or Windows) and
Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).

The technique can be tested for and used by providing sqlmap with the
--dns-domain switch followed by a hostname that resolves over the
Internet to the machine you are running sqlmap from. You do not need
to run your own name server daemon, so you can use a freely available
DynDNS or similar solution: sqlmap starts a fake DNS server on 53/udp
(so you need to run it with uid=0 privileges) and handles the DNS
requests from the target DBMS (actually from the DMZ's DNS server,
misconfigured to resolve Internet hostnames) automatically.
In cases where the target parameter is vulnerable and exploitable by
either of the blind techniques or both of them, sqlmap will test for
DNS exfiltration too and prefer it over the blind techniques, as it is
much faster. Needless to say, both error-based and UNION-based
techniques are still preferred if identified as exploitable.

The paper and slide deck presented recently at the PHDays conference in
Moscow, Russia are available on Miroslav's Slideshare page[1]:

* Data Retrieval over DNS in SQL Injection Attacks[2] paper.
* DNS exfiltration using sqlmap[3] (particularly slide 12 onwards if
you plan on using sqlmap for this purpose).

I recommend you all always run the latest sqlmap development version
from its Subversion repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
cd sqlmap-dev
python sqlmap.py -h

You can follow the sqlmap development on Twitter too, @sqlmap[4].

[1] http://www.slideshare.net/stamparm/
[2] http://www.slideshare.net/stamparm/ph-days-2012miroslavstampardataretrievaloverdnsinsqlinjectionattackspaper
[3] http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281
[4] http://twitter.com/sqlmap

-- 
Bernardo Damele A. G.

Homepage: http://about.me/inquis
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
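An added example, not from the post and not sqlmap's own code, showing the defender's side of the technique described above: a small Python script that scans resolver query logs for the pattern this kind of exfiltration leaves (a burst of hex-looking leftmost labels from one client under one zone) and reassembles the labels for triage. The log line format, the hex chunk encoding and the attacker.example zone are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client_ip> <name>".
# Hex chunks in the leftmost label are an assumed encoding; the zone is a placeholder.
SAMPLE_LOG = """\
10:00:01 10.0.5.20 www.example.com
10:00:02 10.0.5.20 4d7953514c.attacker.example
10:00:02 10.0.5.20 20352e352e.attacker.example
10:00:03 10.0.5.20 35322d6c6f.attacker.example
10:00:03 10.0.5.20 672e2e2e.attacker.example
10:00:04 10.0.5.20 mail.example.com
10:00:05 10.0.5.21 deadbeef.example.com
"""

# Even-length run of 8+ hex digits; real hostnames rarely look like this.
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,}$")

def parse_line(line):
    """Split a log line into (time, client, lowercased query name)."""
    ts, client, name = line.split()
    return ts, client, name.rstrip(".").lower()

def encoded_queries(log_text):
    """Yield (client, zone, label) for each hex-looking leftmost label."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, name = parse_line(line)
        labels = name.split(".")
        if len(labels) >= 3 and HEX_LABEL.match(labels[0]):
            yield client, ".".join(labels[-2:]), labels[0]

def find_exfil_candidates(log_text, min_queries=3):
    """Count encoded queries per (client, zone); report bursts to one zone."""
    counts = defaultdict(int)
    for client, zone, _ in encoded_queries(log_text):
        counts[(client, zone)] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}

def decode_chunks(log_text, client, zone):
    """Reassemble a flagged client/zone pair's labels in log order for triage."""
    chunks = [lbl for c, z, lbl in encoded_queries(log_text)
              if c == client and z == zone]
    return b"".join(bytes.fromhex(lbl) for lbl in chunks).decode("latin-1")
if __name__ == "__main__":
    for (client, zone), n in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {n} encoded queries")
        print("  decoded:", decode_chunks(SAMPLE_LOG, client, zone))
```

The single deadbeef.example.com query stays below the burst threshold, which is the point of counting per client and zone rather than alerting on every hex-like label.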