laying foundation for DNS based data retrieval

stamparm · stamparm · commit 1b072f6415f4 · 2012-03-27T18:59:12.000Z
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -628,6 +628,9 @@ def cmdLineParser():
         parser.add_option("--test-filter", dest="testFilter",
                            help=SUPPRESS_HELP)
 
+        parser.add_option("--dns-domain", dest="dnsDomain",
+                          help=SUPPRESS_HELP)
+
         parser.add_option_group(target)
         parser.add_option_group(request)
         parser.add_option_group(optimization)
diff --git a/lib/request/dnsquery.py b/lib/request/dnsquery.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+class DNSQuery:
+    """
+    Used for making fake DNS resolution responses based on received
+    raw request
+
+    Reference(s):
+        http://code.activestate.com/recipes/491264-mini-fake-dns-server/
+        https://code.google.com/p/marlon-tools/source/browse/tools/dnsproxy/dnsproxy.py
+    """
+
+    def __init__(self, raw):
+        self._raw = raw
+        self._query = ""
+
+        type_ = (ord(raw[2]) >> 3) & 15                 # Opcode bits
+        if type_ == 0:                                  # Standard query
+            i = 12
+            j = ord(raw[i])
+            while j != 0:
+                self._query += raw[i+1:i+j+1] + '.'
+                i = i + j + 1
+                j = ord(raw[i])
+
+    def response(self, resolution):
+        retval = ""
+
+        if self._query:
+            retval += self._raw[:2] + "\x81\x80"
+            retval += self._raw[4:6] + self._raw[4:6] + "\x00\x00\x00\x00"      # Questions and Answers Counts
+            retval += self._raw[12:]                                            # Original Domain Name Question
+            retval += "\xc0\x0c"                                                # Pointer to domain name
+            retval += "\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"                # Response type, ttl and resource data length -> 4 bytes
+            retval += "".join(chr(int(_)) for _ in resolution.split('.'))       # 4 bytes of IP
+
+        return retval
diff --git a/lib/techniques/dns/__init__.py b/lib/techniques/dns/__init__.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+pass
diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+def dnsUse(expression, expected=None, dump=False):
+    """
+    Retrieve the output of a SQL query taking advantage of the DNS
+    resolution mechanism by making request back to attacker's machine.
+    """
+
+    raise NotImplementedError
diff --git a/procs/README.txt b/procs/README.txt
@@ -1,3 +1,3 @@
-Files in this folder represent SQL Procedural Language snippets used
+Files in this folder represent SQL (Procedural Language) snippets used
 by sqlmap on the target system. They are licensed under the terms of
 the GNU Lesser General Public License.
