Tuesday, 6 May 2014

How Reverse DNS can help us with XSS, SQLi, RCE...

One day I got the idea of putting an XSS vector into a reverse DNS record. You know - sometimes a web application displays the IP address AND its reverse lookup. People tend to think there is no need to sanitize displayed reverse DNS records, because as RFC 1034 says:

Note that while upper and lower case letters are allowed in domain
names, no significance is attached to the case.  That is, two names with
the same spelling but different case are to be treated as if identical.

The labels must follow the rules for ARPANET host names.  They must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.  Labels must be 63 characters or less.

...so (theoretically) a hostname cannot contain dangerous characters such as > < ' " and it's XSS safe, right?

Right.

c40957:~ jakub.zoczek$ host 87.204.122.210
210.122.204.87.in-addr.arpa is an alias for 210.192/26.122.204.87.in-addr.arpa.
210.192/26.122.204.87.in-addr.arpa domain name pointer f\"><img/src=http://monitor.ropchain.org/xss.gif>f.x.32s.pl.



That's my blind XSS testing IP address. All I need to do is visit websites from this address, and every time it is displayed (and interpreted as HTML) the page should load a 1x1 GIF image from my server. In the Apache log I'll have information such as the IP address, User-Agent and Referer - so I know where the XSS occurred.

To configure this kind of environment you will need:

- at least one IPv4 address
- the ability to configure the reverse zone on your own DNS server.

So - if you have a VPS with a few IP addresses and the option to set up reverse DNS - it won't work. In most cases reverse DNS configuration is done in the customer's web panel and restricted to PTR records. If you can set up a CNAME or NS record for your reverse DNS - that's great and it will work. I tried to find a VPS provider who offers this kind of feature to customers and I didn't find a single one.

Also - as far as I know - ISPs rarely want to give such delegations for only a few addresses, but there is no problem for a full class C or more - then they delegate, for example, the whole /24 prefix. In Poland - Orange can be a solution - it is possible to set up CNAME records for a few addresses.

After months of searching for someone who has a full class C and could lend me a few IP addresses with a delegation - I finally found a friend of mine who provided everything I needed.

So - let's say you have the IP address 1.2.3.4 - the reverse zone configuration for BIND will look like this:


The 1.2.3.4 file:

As you can see - there are no big differences from a normal reverse DNS configuration. The most important option is check-names ignore; - it tells BIND that we want to use illegal characters in our DNS records. :)

The problem is that in some languages this IP resolves normally (with the payload), and in others it doesn't. So far I have checked that it works fine with Linux host, dig and nslookup, Windows nslookup, PHP dns_get_record and Python reversename.from_addr(). In the future I want to check the reverse lookup implementations of all other modern languages.
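The defender's side of the point above, as an added example that is not part of the original post: a small Python check that validates a PTR answer against the RFC 1034 label rules before displaying it, and HTML-escapes it regardless. The sample PTR strings are constructed here to mirror the record shown earlier, with hypothetical example.net names in place of real hosts.

```python
import html
import re

# RFC 1034 label rule (with RFC 1123 allowing a leading digit): letters,
# digits and hyphen only, no hyphen at either end, 1..63 characters.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True only if every label of the PTR target follows the LDH rule.

    A trailing dot (as returned by dig, host or dnspython) is tolerated.
    """
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LDH_LABEL.match(label) for label in name.split("."))


def render_revdns(ip: str, ptr_name: str) -> str:
    """HTML fragment an application might show for an IP and its PTR answer.

    Validation rejects a non-LDH record outright; html.escape() is applied
    anyway, so even the fallback text is safe to interpolate into a page.
    """
    if is_valid_hostname(ptr_name):
        shown = ptr_name.rstrip(".")
    else:
        shown = "invalid PTR record"
    return f"<li>{html.escape(ip)} ({html.escape(shown)})</li>"


# Constructed sample PTR answers: a normal one, and one shaped like the
# hostile record in the post (hypothetical example.net names, not real hosts).
NORMAL_PTR = "host-1.example.net."
HOSTILE_PTR = 'f"><img/src=http://img.example.net/x.gif>f.example.net.'

if __name__ == "__main__":
    for ptr in (NORMAL_PTR, HOSTILE_PTR):
        print(is_valid_hostname(ptr), render_revdns("1.2.3.4", ptr))
```

Note that the strict LDH check will also reject underscores, which BIND's default check-names would refuse in a PTR target anyway; relax the regex only if your zones legitimately carry such names.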

Happy hunting, and btw - check my Yandex.Metrica XSS ;-)
