
How to build a DNSLOG platform

2025-03-29 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

Many people who are new to the topic do not know how to build a DNSLOG platform. This article summarizes the problem and one way to solve it.

1 Preface

DNSLOG is an echo mechanism. It is often used to carry data out when a vulnerability returns no output but can initiate DNS requests, which solves the problem that some vulnerabilities are difficult to exploit for lack of an echo. The main scenarios are blind SQL injection, command execution without echo, and SSRF without echo. This article introduces one method of building a DNSLOG platform, with the aim of providing some help for penetration testing.
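Seen from the defender's side, the mechanism described above appears in resolver logs as repeated lookups whose subdomain labels are long and high-entropy. The following is an added example, not part of the original article, that flags such queries; the log format, the sample lines, the thresholds and the function names are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed resolver log lines, assumed format: "<client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.7 A 4a1f9c03e7b2d85066ac3e19f0b7d2c4.k3v9.example.icu
10.0.0.5 A mail.example.com
10.0.0.7 A b7d2c4a58e90f1346ac3e19f07b2d85c.k3v9.example.icu
10.0.0.9 A cdn-assets-eu-west-1.example.net
10.0.0.7 A k3v9.example.icu
"""


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_label(label, min_len=24, min_entropy=3.0):
    """Long, high-entropy labels look like encoded data rather than hostnames."""
    return len(label) >= min_len and entropy(label) >= min_entropy


def find_oob_candidates(log_text, min_hits=2):
    """Return {zone: [(client, qname), ...]} for zones that received repeated
    data-bearing lookups. The zone is taken as the last two labels, which is a
    simplification (no public-suffix handling)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        zone = ".".join(labels[-2:])
        if any(suspicious_label(lab) for lab in labels[:-2]):
            hits.setdefault(zone, []).append((client, qname))
    return {z: q for z, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for zone, queries in find_oob_candidates(SAMPLE_LOG).items():
        print(zone, len(queries), sorted({c for c, _ in queries}))
```

Tune `min_len`, `min_entropy` and `min_hits` against your own baseline traffic, since some CDNs and telemetry services also use long generated labels.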

2 Preparation

One domain name and one VPS.

This article uses a domain name and an ECS cloud server purchased from Aliyun.

Domain name: example.icu

VPS IP: 100.100.100.100

3 Experimental process

3.1 Add DNS records

Add an A record and an NS record in the cloud DNS resolution console, as shown in the figure:

3.2 Open port 53

Add a rule that opens port 53 to the security group rules of the ECS instance. The protocol is UDP.

3.3 Write the DNSLOG code

dnslog.py

It runs under Python 2, and there is no need to install dependency packages.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import SocketServer
import struct
import socket as socketlib


# DNS Query (question section)
class SinDNSQuery:
    def __init__(self, data):
        # QNAME is a sequence of length-prefixed labels ending in a zero byte.
        # Read each label by its length byte so labels of up to 63 bytes
        # are parsed correctly.
        i = 0
        labels = []
        while True:
            d = ord(data[i])
            if d == 0:
                break
            labels.append(data[i + 1:i + 1 + d])
            i = i + d + 1
        self.name = '.'.join(labels)
        self.querybytes = data[0:i + 1]
        (self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])
        self.len = i + 5

    def getbytes(self):
        return self.querybytes + struct.pack('>HH', self.type, self.classify)


# DNS Answer RRS
class SinDNSAnswer:
    def __init__(self, ip):
        self.name = 49164       # 0xC00C: compression pointer to the question name
        self.type = 1           # A
        self.classify = 1       # IN
        self.timetolive = 190
        self.datalength = 4
        self.ip = ip

    def getbytes(self):
        res = struct.pack('>HHHLH', self.name, self.type, self.classify,
                          self.timetolive, self.datalength)
        s = self.ip.split('.')
        res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))
        return res


# DNS frame
class SinDNSFrame:
    def __init__(self, data):
        (self.id, self.flags, self.quests, self.answers, self.author,
         self.addition) = struct.unpack('>HHHHHH', data[0:12])
        self.query = SinDNSQuery(data[12:])

    def getname(self):
        return self.query.name

    def setip(self, ip):
        self.answer = SinDNSAnswer(ip)
        self.answers = 1
        self.flags = 33152      # 0x8180: standard response, no error

    def getbytes(self):
        res = struct.pack('>HHHHHH', self.id, self.flags, self.quests,
                          self.answers, self.author, self.addition)
        res = res + self.query.getbytes()
        if self.answers != 0:
            res = res + self.answer.getbytes()
        return res


# A UDPHandler to handle DNS queries
class SinDNSUDPHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        # Use the raw packet: DNS is binary, so it must not be strip()ped
        # (whitespace byte values are valid data, e.g. in the transaction ID).
        data = self.request[0]
        dns = SinDNSFrame(data)
        socket = self.request[1]
        namemap = SinDNSServer.namemap
        if (dns.query.type == 1):
            # If this is a query for an A record, then respond to it
            name = dns.getname()
            toip = namemap['*']
            dns.setip(toip)
            print '%s: %s toip->%s' % (self.client_address[0], name, toip)
            socket.sendto(dns.getbytes(), self.client_address)
        else:
            # If this is not a query for an A record, send the packet back unchanged
            socket.sendto(data, self.client_address)


# DNS Server
class SinDNSServer:
    def __init__(self, port=53):
        SinDNSServer.namemap = {}
        self.port = port

    def addname(self, name, ip):
        SinDNSServer.namemap[name] = ip

    def start(self):
        HOST, PORT = "0.0.0.0", self.port
        server = SocketServer.UDPServer((HOST, PORT), SinDNSUDPHandler)
        server.serve_forever()


if __name__ == "__main__":
    sev = SinDNSServer()
    sev.addname('*', '127.0.0.1')  # default address
    sev.start()  # start DNS server
```

Run dnslog.py directly on the VPS, and a simple DNSLOG platform is built.

The result of running it is shown below. The IP address returned in responses can be customized through sev.addname('*', '127.0.0.1').
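To check what the server actually puts on the wire, the following added example (written for Python 3, not part of the original article or the linked project) builds an A query and validates a reply byte by byte, which also decodes the two constants used in dnslog.py: 33152 is the flags word 0x8180 and 49164 is the name pointer 0xC00C. The function names are hypothetical and the reply is a constructed sample laid out the way dnslog.py lays it out.

```python
import struct


def build_a_query(name, txid=0x1234):
    """Encode a standard recursive A query for `name`."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(p)]) + p.encode('ascii')
                     for p in name.split('.')) + b'\x00'
    return header + qname + struct.pack('>HH', 1, 1)  # QTYPE=A, QCLASS=IN


def parse_a_response(packet, query):
    """Validate a reply against its query and return (flags, ttl, ip)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack('>HHHHHH', packet[:12])
    if txid != struct.unpack('>H', query[:2])[0]:
        raise ValueError('transaction ID mismatch')
    if not flags & 0x8000 or an < 1:
        raise ValueError('not a response carrying an answer')
    off = len(query)  # dnslog.py copies the question bytes back unchanged
    if packet[12:off] != query[12:]:
        raise ValueError('question section differs from the query')
    ptr, rtype, rclass, ttl, rdlen = struct.unpack('>HHHLH', packet[off:off + 12])
    if ptr != 0xC00C:  # 49164: compression pointer to offset 12, the question name
        raise ValueError('unexpected name pointer')
    if (rtype, rclass, rdlen) != (1, 1, 4):
        raise ValueError('answer is not an IPv4 A record')
    ip = '.'.join(str(b) for b in packet[off + 12:off + 16])
    return flags, ttl, ip


def constructed_reply(query, ip='127.0.0.1'):
    """Constructed sample: the bytes dnslog.py would send back for `query`."""
    txid, _f, qd, _an, ns, ar = struct.unpack('>HHHHHH', query[:12])
    header = struct.pack('>HHHHHH', txid, 33152, qd, 1, ns, ar)
    answer = struct.pack('>HHHLH', 49164, 1, 1, 190, 4)
    return header + query[12:] + answer + bytes(int(o) for o in ip.split('.'))


if __name__ == "__main__":
    q = build_a_query('test.example.icu')
    flags, ttl, ip = parse_a_response(constructed_reply(q), q)
    print(hex(flags), ttl, ip)
```

Against a running server, send the bytes from `build_a_query` over UDP to port 53 and pass the datagram you receive to `parse_a_response`.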

4 Web interface

Write a web interface using the Tornado framework.

The project has been uploaded to github: https://github.com/sa1tor/dnslog

After installing tornado with pip, you can run server.py directly. You can also deploy it with Nginx + Tornado + Supervisor.

```
pip install tornado
python server.py
```

The default is port 8000, and the browser can access http://ip:8000/ to see the web interface.

I specified port 6002: python server.py --port=6002.

The interface is relatively simple, with only three buttons. The getsubdomain button gets a random subdomain name, the refresh button refreshes the page, and the delete all button deletes all records.

5 Postscript

Most of the related experiments on the Internet are carried out using two domain names: the DNS server is modified for one domain name, and the NS record is modified for the other. In fact, it is possible to use only one domain name.

Modify the DNS server as shown below:
