We have recently implemented data retrieval over DNS in sqlmap. This
data exfiltration technique adds up to the six existing techniques
already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is
supported on Oracle (running either on UNIX/Linux or Windows) and
Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).
The technique can be tested for and used by providing sqlmap with the
--dns-domain switch following a hostname that resolves over the
Internet to the machine where you are running sqlmap from – you do
not need to run your name server daemon so you can use a freely available
DynDNS or similar solutions: sqlmap starts a fake DNS server on 53/udp
so you need to run it with uid=0 privileges and handles the DNS
requests from the target DBMS (actually from the DMZ’s DNS server misconfigured to resolve Internet hostnames) automatically.
In cases where the target parameter is vulnerable and exploitable by
either of the blind techniques or both of them, then sqlmap will test
for DNS exfiltration too and prefer it over the blind techniques as
it is much faster. Needless to say that both error-based and UNION based techniques are preferred if identified exploitable.
The paper and slide-deck presented recently at PHDays conference in
Moscow, Russia are available on my fellow sqlmap developer's Slideshare
purpose).
I recommend you all run always sqlmap latest development version from
its Subversion repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-devcd sqlmap-devpython sqlmap.py -h
![Windows下配置Apache的SSL服務[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)