Data retrieval over DNS in SQL injection attacks

Summary: We have recently implemented data retrieval over DNS in sqlmap.
We have recently implemented data retrieval over DNS in sqlmap. This data exfiltration technique adds to the six existing techniques already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is supported on Oracle (running either on UNIX/Linux or Windows) and on Microsoft SQL Server, MySQL and PostgreSQL (running on Windows).

The technique can be tested for and used by providing sqlmap with the --dns-domain switch followed by a hostname that resolves over the Internet to the machine you are running sqlmap from. You do not need to run your own name server daemon, so a freely available DynDNS or similar service will do: sqlmap starts a fake DNS server on 53/udp (so it has to run with uid=0 privileges) and automatically handles the DNS requests coming from the target DBMS (actually from the DMZ's DNS server, misconfigured to resolve Internet hostnames).
Where the target parameter is vulnerable and exploitable by one or both of the blind techniques, sqlmap will also test for DNS exfiltration and prefer it over the blind techniques, as it is much faster. Needless to say, both the error-based and the UNION-based techniques are preferred whenever they are identified as exploitable.
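From the defender's side, the traffic described above leaves a characteristic trace in the resolver's query log: one database host resolving many distinct names whose leading labels look like encoded data, all under a single carrier domain. The following detection is an added example (not code from the original post or from sqlmap); the log format, the host names and the "long hexadecimal label" heuristic are constructed assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample query log (not from the original post). Columns: timestamp, client, qname, qtype.
# 10.0.1.20 plays a database server that suddenly resolves many hex-labelled names under one domain.
SAMPLE_LOG = """\
2012-06-01T10:00:01 10.0.1.20 41646d696e697374.cb7a.exfil-example.dyndns.org A
2012-06-01T10:00:01 10.0.1.20 7261746f7200a1b2.1f02.exfil-example.dyndns.org A
2012-06-01T10:00:02 10.0.1.20 3a2a4b5c6d7e8f90.9d11.exfil-example.dyndns.org A
2012-06-01T10:00:02 10.0.1.20 5f5f5f5f5f5f5f5f.a001.exfil-example.dyndns.org A
2012-06-01T10:00:03 10.0.1.20 626c61636b626f78.0c4e.exfil-example.dyndns.org A
2012-06-01T10:00:03 10.0.1.21 www.example.com A
2012-06-01T10:00:04 10.0.1.21 mail.example.com MX
2012-06-01T10:00:05 10.0.1.22 deadbeefcafe0123.cdn.static-assets.net A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
# A label made only of hex digits and at least 8 characters long is "encoded-looking".
# Assumption for this example: leaked bytes travel hex-encoded; tune the check to what you observe.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def carrier_domain(qname, depth=3):
    """Last `depth` labels of the name; a simplification of a public-suffix-list lookup."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def looks_encoded(qname, depth=3):
    """True if any label in front of the carrier domain looks like hex-encoded data."""
    prefix = qname.rstrip(".").split(".")[:-depth]
    return any(HEX_LABEL_RE.match(label) for label in prefix)

def detect_dns_exfil(log_text, min_distinct=3):
    """Return {(client, carrier_domain): distinct_names} for clients that asked for at least
    `min_distinct` different encoded-looking names under one carrier domain (one odd name is noise)."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not looks_encoded(rec["qname"]):
            continue
        seen[(rec["client"], carrier_domain(rec["qname"]))].add(rec["qname"].lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= min_distinct}

if __name__ == "__main__":
    for (client, domain), count in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {count} distinct encoded-looking names")
```

On the sample, only the database host is reported; the single hex-labelled CDN name from 10.0.1.22 stays below the threshold, which is the trade-off to tune against your own baseline of legitimate hex-looking names.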

The paper and slide deck presented recently at the PHDays conference in Moscow, Russia, are available on my fellow sqlmap developer's Slideshare page:

I recommend that you always run the latest sqlmap development version from its Subversion repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
cd sqlmap-dev
python sqlmap.py -h
You can follow the sqlmap development on Twitter too: @sqlmap.