From f7a664b1205bae06b45079ee62a3d355d1d735a0 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 31 Mar 2012 12:08:27 +0000
Subject: [PATCH] enablind DNS server for DNS data exfiltration
---
 _sqlmap.py | 2 +-
 lib/core/option.py | 24 +++++++++++++++++++++++-
 plugins/generic/takeover.py | 2 +-
 3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/_sqlmap.py b/_sqlmap.py
index 0cbef711f..ae05a126a 100755
--- a/_sqlmap.py
+++ b/_sqlmap.py
@@ -126,5 +126,5 @@ def main():
 dumper.flush()
 # Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program
- if hasattr(conf, "threads") and conf.threads > 1:
+ if conf.get("threads", 0) > 1 or conf.get("dnsServer", None):
 os._exit(0)
diff --git a/lib/core/option.py b/lib/core/option.py
index 5b982757f..71f8df239 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -77,6 +77,7 @@ from lib.core.exception import sqlmapSyntaxException
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.exception import sqlmapUserQuitException
 from lib.core.optiondict import optDict
+from lib.request.dns import DNSServer
 from lib.core.settings import CODECS_LIST_PAGE
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_PAGE_ENCODING
@@ -581,7 +582,7 @@ def __setMetasploit():
 if conf.osSmb:
 isAdmin = runningAsAdmin()
- if isAdmin is not True:
+ if not isAdmin:
 errMsg = "you need to run sqlmap as an administrator "
 errMsg += "if you want to perform a SMB relay attack because "
 errMsg += "it will need to listen on a user-specified SMB "
@@ -1380,6 +1381,7 @@ def __setConfAttributes():
 conf.cj = None
 conf.dbmsConnector = None
 conf.dbmsHandler = None
+ conf.dnsServer = None
 conf.dumpPath = None
 conf.hashDB = None
 conf.hashDBFile = None
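Review bot: The new condition forces `os._exit(0)` whenever `conf.dnsServer` is set, which skips normal interpreter shutdown (atexit handlers, flushing of anything not already covered by `dumper.flush()` above), yet the comment over it only explains the multi-thread case. Record the second reason next to it, e.g. `# os._exit() also covers the DNS server instance, whose listener would otherwise keep the interpreter alive` — presumably that is why the clause was added; confirm against lib/request/dns. A cleaner alternative is to stop the server explicitly (or run its listener as a daemon thread) so that a plain return from main() is enough and the hard exit stays limited to the threads case. The `hasattr` test also became a dict-style `conf.get(...)`, which relies on conf being dict-like; fine if that holds everywhere, but worth a glance. main() begins outside the hunk.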
@@ -1711,6 +1713,25 @@ def __setTrafficOutputFP():
 conf.trafficFP = openFile(conf.trafficFile, "w+")
+def __setDNSServer():
+ if not conf.dnsDomain:
+ return
+
+ infoMsg = "making DNS server instance"
+ logger.info(infoMsg)
+
+ isAdmin = runningAsAdmin()
+
+ if isAdmin:
+ conf.dnsServer = DNSServer()
+ conf.dnsServer.run()
+ else:
+ errMsg = "you need to run sqlmap as an administrator "
+ errMsg += "if you want to perform a DNS data exfiltration attack "
+ errMsg += "as it will need to listen on privileged TCP port 53 "
+ errMsg += "for incoming address resolution attempts"
+ raise sqlmapMissingPrivileges, errMsg
+
 def __setTorProxySettings():
 if not conf.tor:
 return
@@ -1919,6 +1940,7 @@ def init(inputOptions=AttribDict(), overrideOptions=False):
 __checkDependencies()
 __basicOptionValidation()
 __setTorProxySettings()
+ __setDNSServer()
 __adjustLoggingFormatter()
 __setMultipleTargets()
 __setTamperingFunctions()
diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py
index b40bb0b12..4b03e2405 100644
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -119,7 +119,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
 if tunnel == 2:
 isAdmin = runningAsAdmin()
- if isAdmin is not True:
+ if not isAdmin:
 errMsg = "you need to run sqlmap as an administrator "
 errMsg += "if you want to establish an out-of-band ICMP "
 errMsg += "tunnel because icmpsh uses raw sockets to "
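Review bot: `__setDNSServer()` constructs and starts the server with no handling of a bind failure: if a local resolver already holds port 53, whatever `DNSServer.run()` raises (presumably a socket.error) escapes as an unhandled exception, and `conf.dnsServer` is left pointing at a non-running instance, which in turn makes the new `os._exit(0)` path in `_sqlmap.py` fire. Wrap the two lines in a try/except for `socket.error`, reset `conf.dnsServer = None`, and re-raise as a sqlmap exception whose message names the port that could not be bound. The error text says "privileged TCP port 53", but address-resolution queries are normally carried over UDP; check which socket `DNSServer` actually binds and either say UDP or leave the transport out. The function also has no docstring; add `"""Start the DNS server for DNS data exfiltration when conf.dnsDomain is set; requires administrator privileges to bind port 53."""`.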
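Review bot: `__setDNSServer()` is called right after `__setTorProxySettings()` and before the remaining option processing (`__adjustLoggingFormatter()`, `__setMultipleTargets()`, `__setTamperingFunctions()`, ...), so a network listener is opened while later steps may still reject the run; if one of them raises, the listener presumably stays up until the process leaves through `os._exit(0)`. Consider moving the call past the last step of init() that can fail, or stopping the server when init() raises. The rest of init() is outside the hunk.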