enablind DNS server for DNS data exfiltration

2025-02-03 05:04:11 +03:00 · 2012-03-31 12:08:27 +00:00 · 2012-03-31 12:08:27 +00:00 · f7a664b120
commit f7a664b120
parent 8be9cd4ac4
3 changed files with 25 additions and 3 deletions
--- a/_sqlmap.py
+++ b/_sqlmap.py
@ -126,5 +126,5 @@ def main():
        dumper.flush()

        # Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program
-        if hasattr(conf, "threads") and conf.threads > 1:
+        if conf.get("threads", 0) > 1 or conf.get("dnsServer", None):
            os._exit(0)
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -77,6 +77,7 @@ from lib.core.exception import sqlmapSyntaxException
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.exception import sqlmapUserQuitException
 from lib.core.optiondict import optDict
+from lib.request.dns import DNSServer
 from lib.core.settings import CODECS_LIST_PAGE
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_PAGE_ENCODING
@ -581,7 +582,7 @@ def __setMetasploit():
    if conf.osSmb:
        isAdmin = runningAsAdmin()

-        if isAdmin is not True:
+        if not isAdmin:
            errMsg = "you need to run sqlmap as an administrator "
            errMsg += "if you want to perform a SMB relay attack because "
            errMsg += "it will need to listen on a user-specified SMB "
@ -1380,6 +1381,7 @@ def __setConfAttributes():
    conf.cj = None
    conf.dbmsConnector = None
    conf.dbmsHandler = None
+    conf.dnsServer = None
    conf.dumpPath = None
    conf.hashDB = None
    conf.hashDBFile = None
@ -1711,6 +1713,25 @@ def __setTrafficOutputFP():

        conf.trafficFP = openFile(conf.trafficFile, "w+")

+def __setDNSServer():
+    if not conf.dnsDomain:
+        return
+
+    infoMsg = "making DNS server instance"
+    logger.info(infoMsg)
+
+    isAdmin = runningAsAdmin()
+
+    if isAdmin:
+        conf.dnsServer = DNSServer()
+        conf.dnsServer.run()
+    else:
+        errMsg = "you need to run sqlmap as an administrator "
+        errMsg += "if you want to perform a DNS data exfiltration attack "
+        errMsg += "as it will need to listen on privileged TCP port 53 "
+        errMsg += "for incoming address resolution attempts"
+        raise sqlmapMissingPrivileges, errMsg
+
 def __setTorProxySettings():
    if not conf.tor:
        return
@ -1919,6 +1940,7 @@ def init(inputOptions=AttribDict(), overrideOptions=False):
    __checkDependencies()
    __basicOptionValidation()
    __setTorProxySettings()
+    __setDNSServer()
    __adjustLoggingFormatter()
    __setMultipleTargets()
    __setTamperingFunctions()
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -119,7 +119,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
        if tunnel == 2:
            isAdmin = runningAsAdmin()

-            if isAdmin is not True:
+            if not isAdmin:
                errMsg = "you need to run sqlmap as an administrator "
                errMsg += "if you want to establish an out-of-band ICMP "
                errMsg += "tunnel because icmpsh uses raw sockets to "