https://netsec.expert/posts/write-a-crypter-in-any-language/
About the Author
Nelley (乃力).
Just a villager.
Related Cases
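This is probably the clearest explanation of DNS Rebinding I have seen: the article The Good Old DNS Rebinding. The figure excerpted below makes it immediately clear why DNS Rebinding can give rise to so many other attacks; it is practically a kaleidoscope of attacks. As for why this publicly disclosed attack technique is still alive in 2021, it is because DNS Rebinding still has legitimate uses. For example, load balancing for high-traffic websites still relies on DNS short TTL (Time To Live) settings.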
First, examine the pcap and trace the TCP/HTTP streams. "tcp.stream eq 1" looks like an obfuscated PowerShell script, "tcp.stream eq 2" looks like an executable, and "tcp.stream eq 3" shows traffic that we cannot understand. So far we have an idea that:
1. A request to 147.182.172.189 received a response with 4A7xH.ps1
2. A request to the same IP received an executable, user32.dll
3. A request to the same IP received a response that we cannot understand so far
De-obfuscated the PS script leverage pwsh...