DNS rebinding bypasses SSRF and proxy IP restrictions

Source: Internet
Author: User
Tags: curl
0x00 Traditional SSRF filter

A traditional SSRF filter roughly works in the following steps:

(1) Take the input URL and extract the host from it.

(2) Resolve the host with DNS to obtain its IP.

(3) Check whether the IP is allowed, for example whether it is a private IP.

(4) If the IP passes the check, hand the request to curl to send.

At first glance there seems to be nothing wrong with this filter.

Looked at from the DNS side, the flow resolves the name twice: once in step 2, when the filter resolves the host, and once again when curl sends the request and resolves the host itself. There is a time gap between the two resolutions, and that gap is what we use to bypass the filter.


0x01 DNS rebinding bypass

DNS rebinding is not a new technique; it has previously been used for SOP (same-origin policy) bypasses. Let's look at the concrete process first.

An attacker needs to own a domain name, delegate it to a DNS server under their control, and run a resolver service on that server that returns a different answer each time it is queried.

For example:

As shown, this resolver returns a different result on each query: the first DNS query returns 101.191.60.117, a legitimate public IP, but the second query returns the private IP 10.36.5.215. Note that the TTL of both records is 0, which prevents DNS servers from caching the answer.

That is essentially the whole principle of the bypass. In the traditional SSRF filter flow, name resolution happens twice: the first resolution is what the check actually relies on, and the second is the one used to make the real request. With DNS rebinding we return a legitimate IP when the IP is checked the first time, and return the intranet IP we really want to reach when the request is actually sent.

The code snippet of that resolver script is as follows:

0x02 IP dual-bind bypass

Going a step further: PHP code usually obtains the IP with gethostbyname() or dns_get_record().

I bound two IPs to a single domain name at the same time to see how these two functions handle it.

Then look at dns_get_record():

With gethostbyname() only one IP is returned, and which of the two comes back is random.

But when curl accesses this domain name, because two IPs are bound, curl tries each IP in turn and ends up returning the result from the one that works. For example, with a domain bound to two IPs, 1.1.1.1 (port 80 closed) and 2.2.2.2 (port 80 open), curl on that domain returns the response from 2.2.2.2.

If the SSRF filter uses gethostbyname(), or only checks the first element of the array dns_get_record() returns, it is at risk of being bypassed.
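The two weaknesses described in 0x00/0x01 (the filter resolves the name, then curl resolves it again) and in 0x02 (only one of several bound IPs is checked) are closed by the same two rules: resolve once, check every address, and then pin curl to the addresses that were checked. The following PHP helper is an added example written for this page; it is not the article's own code. It assumes PHP with the curl extension and a curl library that accepts CURLOPT_RESOLVE entries; it handles IPv4 A records only, and the notion of "private" is delegated to PHP's FILTER_FLAG_NO_PRIV_RANGE / FILTER_FLAG_NO_RES_RANGE flags, which a deployment may want to extend.

```php
<?php
// Added example (not from the original article): an SSRF-safe fetch that
// resolves the host exactly once, rejects the URL if ANY resolved address is
// private, and forces curl to connect to the already-checked addresses via
// CURLOPT_RESOLVE so curl never performs its own second lookup. Redirects are
// not followed, because a redirect target is a fresh URL that needs the same
// treatment. Assumption: the curl extension is loaded and libcurl supports
// CURLOPT_RESOLVE.

function ip_is_private(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 (and fc00::/7); NO_RES_RANGE rejects
    // loopback, link-local (169.254.0.0/16, where cloud metadata lives),
    // 0.0.0.0/8, 240.0.0.0/4 and the IPv6 reserved blocks. An unparsable
    // string also yields false here, so garbage fails closed as "private".
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

function resolve_all_ipv4(string $host): array
{
    // An IP literal needs no lookup; still subject to ip_is_private() later.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return [$host];
    }
    $ips = [];
    // dns_get_record() returns EVERY A record, unlike gethostbyname(), which
    // returns one of them at random. It returns false on failure.
    foreach ((array) @dns_get_record($host, DNS_A) as $rec) {
        if (isset($rec['ip'])) {
            $ips[] = $rec['ip'];
        }
    }
    return array_values(array_unique($ips));
}

function safe_fetch(string $url): string
{
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($parts === false || !isset($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only absolute http(s) URLs are allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Steps 1-2 of the article: resolve once, and only once.
    $ips = resolve_all_ipv4($host);
    if ($ips === []) {
        throw new RuntimeException("could not resolve $host");
    }
    // Step 3: every address must pass, since curl would try any of them.
    foreach ($ips as $ip) {
        if (ip_is_private($ip)) {
            throw new RuntimeException("$host resolves to disallowed address $ip");
        }
    }

    // Step 4: hand curl the checked addresses. With a CURLOPT_RESOLVE entry
    // for host:port, curl uses those addresses instead of resolving again,
    // so a rebinding resolver has no second query to answer differently.
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["$host:$port:" . implode(',', $ips)],
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("request failed: $err");
    }
    if ($code >= 300 && $code < 400) {
        // The Location target is a new URL; feed it back through safe_fetch()
        // if redirects are needed, never let curl follow it unchecked.
        throw new RuntimeException("redirect ($code) not followed");
    }
    return $body;
}

// Usage (placeholder hostnames):
//   $html = safe_fetch('http://example.com/');        // ok if all A records are public
//   safe_fetch('http://intranet-only.example/');       // throws if any A record is private
```

Two design points worth noting. The CURLOPT_RESOLVE entry is keyed on host:port, so it pins only that name; any other name curl might be asked to contact (for example a redirect target) would be resolved normally, which is why redirects are refused and must be re-validated through the same function. And because every A record is checked rather than just the first array element, the dual-bind trick from 0x02 is caught as well: a name with one public and one private address is rejected outright.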

0x03 Problems in practice

In practice, a DNS rebinding based bypass can run into a few problems.

Problem one is DNS caching. Even though we set the TTL to 0 in the implementation above, some public DNS servers, such as 114.114.114.114, still cache the record, completely ignoring the standard protocol, and there is no fix when you hit that. 8.8.8.8, on the other hand, manages its cache strictly according to the DNS protocol: with a TTL of 0 it does not cache, and in practice every dig goes back to our NS server for a fresh query.

Problem two is DNS iterative versus recursive queries. On the attacker side, the DNS server receives query requests from many different IPs, and it is impossible to tell which source IP belongs to the victim server. I wrote three versions of the resolver script for this. The first version is the obvious one: collect the source IPs first and save them to a file, then answer the real request according to that IP list, but it turned out that many unexplained source IPs still came in. Looking at those IPs, they fell within fixed B or C class segments, so the second version filtered by IP segment, but then the flag that alternates the answer got out of step and became unreliable.

Finally I implemented a time window and returned answers based on it, for example returning result 1 during the first 5 s and result 2 after 5 s. The specific value of the time window has to be measured and tried out during the probing phase.

The related code is not public; anyone interested can implement it themselves, it is not difficult.
