We have recently implemented data retrieval over DNS in sqlmap. This
data exfiltration technique adds up to the six existing techniques already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is
supported on Oracle (running either on UNIX/Linux or Windows) and Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).
The technique can be tested for and used by providing sqlmap with the --dns-domain switch following a hostname that resolves over the
Internet to the machine where you are running sqlmap from – you do
notneed to run your name server daemon so you can use a freely available
DynDNS or similar solutions: sqlmap starts a fake DNS server on 53/udp
so you need to run it with uid=0 privileges and handles the DNS requests from the target DBMS (actually from the DMZ’s DNS server misconfigured to resolve Internet hostnames) automatically. In cases where the target parameter is vulnerable and exploitable by either of the blind techniques or both of them, then sqlmap will test for DNS exfiltration too and prefer it over the blind techniques as it is much faster. Needless to say that both error-based and UNION based techniques are preferred if identified exploitable.
The paper and slide-deck presented recently at PHDays conference in Moscow, Russia are available on my fellow sqlmap developer's Slideshare page: