
Infrastructure Hacking: WHOIS Protocol

Have you ever used the whois command? In this post I’ll talk about how to use this command to get information, as well as give you details about the whois protocol and explain some of the vulnerabilities I’ve found in this protocol. 

This command provides information about a specific domain. Before explaining anything, let’s see a simple example with my own website:

As you can see, information appears about my domain, as well as the hosting server I use, dinahosting. If you try it yourself, you’ll see that there isn’t much information. This protocol used to reveal very interesting details when gathering information about a target, but nowadays the information is much scarcer because most domains are protected by the data protection law.

However, it is still possible to use this protocol to obtain information. It also depends on how it is configured on the server:

But let’s look at this protocol a little more.

This protocol stores and provides content from a database in a readable format. It may contain information on registered users, or allocated Internet resources such as the domain name or IP address.

The whois protocol runs on port 43.

Nmap

Let’s see how this protocol looks when we find it with nmap:

It gives us the domain name, supersechosting.htb, and tells us that it is running MariaDB, a SQL database, version 10.1.37.

In this example, where a server has an open port with the whois protocol running, the first step is to connect via netcat or telnet.

Connecting with Netcat

We can first ask about the domain name we have discovered:

As we can see, it gives us the server information that we would get with the whois command.

SQL Injection in whois protocol

If we enter anything, the query returns 0 objects, so it is actually performing queries to a database.

Knowing that a MariaDB database (a fork of MySQL) is running, let’s try to perform an SQL Injection by sending a single quotation mark:

Indeed, it is vulnerable to SQL Injection, so we can proceed with an SQLi attack. Next I show you the final results of the attack. If you want to know more about how to execute a successful SQL Injection attack, I recommend you look at this post.

As you can see in the picture, thanks to this attack we have discovered the different domain names that we can find in that host: supersechosting.htb, justanotherblog.htb, pwnhats.htb and rentahacker.htb.
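
Seen from the server side, the behaviour above means the whois daemon pastes the query line straight into its SQL statement. The following added example (not from the original post or the target's code) contrasts that pattern with a validated, parameterized lookup; sqlite3 stands in for MariaDB, and the table, function names, sample rows and reply format are assumptions.

```python
import re
import sqlite3

# Hostname labels only; anything else is rejected before it reaches SQL.
HOSTNAME = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def make_db():
    """Constructed sample data; sqlite3 stands in for the MariaDB backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (domain TEXT PRIMARY KEY, registrant TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("example-one.test", "Alice"), ("example-two.test", "Bob")])
    return db

def lookup_vulnerable(db, line):
    """Pastes the raw query line into the statement, so a quote alters the SQL."""
    sql = "SELECT domain, registrant FROM customers WHERE domain = '%s'" % line.strip()
    return db.execute(sql).fetchall()

def lookup_hardened(db, line):
    """Validates the query as a hostname, then binds it as a parameter."""
    query = line.strip().lower()
    if len(query) > 253 or not HOSTNAME.fullmatch(query):
        return None  # rejected: never sent to the database
    sql = "SELECT domain, registrant FROM customers WHERE domain = ?"
    return db.execute(sql, (query,)).fetchall()

def respond(rows):
    """Formats the reply; the wording is a hypothetical server format."""
    if rows is None:
        return "% invalid query\r\n"
    body = "".join("domain: %s\r\nregistrant: %s\r\n" % row for row in rows)
    return "%% %d object(s) found\r\n%s" % (len(rows), body)

def quote_breaks_vulnerable(db, line="'\r\n"):
    """True when the lone quote from the post makes the unsafe lookup fail."""
    try:
        lookup_vulnerable(db, line)
    except sqlite3.Error:
        return True  # a real server should log this, not echo it to the client
    return False

if __name__ == "__main__":
    db = make_db()
    print(quote_breaks_vulnerable(db))
    print(respond(lookup_hardened(db, "'\r\n")), end="")
    print(respond(lookup_hardened(db, "example-one.test\r\n")), end="")
```

Binding the parameter is what removes the injection; the hostname check additionally keeps malformed input away from the database and lets the server answer with a fixed message instead of a database error.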

I have already described in another blog how to run manual queries, so this time I will focus on showing you how to automate this injection.

If we wanted to use SQLMap to automate this injection directly, we couldn’t. However, we can create a small script in PHP that serves as an intermediary between SQLMap and port 43:

The script simply receives an IP and a port as parameters and forwards to the whois service of the victim machine everything we write in the “PleaseSubscribe” parameter of the request we send.

We execute the script by passing port 80 of localhost:

Right now everything we send through port 80 of our localhost will be redirected to port 43 of the vulnerable machine. So finally we only have to execute SQLMap with 127.0.0.1 as the URL and the parameter PleaseSuscribe as the vulnerable parameter. In the next image you can see the SQLMap execution at the bottom and, at the top, the requests that SQLMap makes to find the SQL Injection:

And in this way we can automate an SQL Injection to the whois protocol. It is worth mentioning that with this same script we can automate the injection not only to this protocol but to any other infrastructure protocol.

I hope you liked this post. I hope to be back next week with another really interesting protocol: DNS.

Lethani.
