python Redis未授权访问
漏洞简介:
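简单来说,Redis 是一个数据库。在默认的配置下,Redis 绑定在 0.0.0.0:6379,也就是说,如果服务器有公网 IP,可以通过访问其公网 IP 的 6379 端口来操作 Redis。最为致命的是,Redis 默认是没有密码验证的,可以免密码登录操作,攻击者可以通过操作 Redis 进一步控制服务器。需要注意的是,Redis 3.2 及之后的版本默认启用保护模式(protected-mode),在未设置密码且未显式配置 bind 时只接受本机连接;防护上应将 bind 限制为本机或内网地址,通过 requirepass 或 ACL 开启认证,并用防火墙限制 6379 端口的访问来源。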
import socket
import sys
import getopt #输入不同指令不同功能
def banner():
    """Print the tool's one-line welcome banner to standard output."""
    greeting = '欢迎来到嘿嘿'
    print(greeting)
def usage():
    """Print the command-line option summary, then terminate the process.

    Never returns: ``sys.exit()`` raises ``SystemExit`` once the help text
    has been written to standard output.
    """
    help_lines = (
        '-h: --help 帮助;',
        '-p: --port 端口',
        '-u: --url 域名;',
        '-s: --type Redis',
    )
    for line in help_lines:
        print(line)
    sys.exit()  # leave the program after showing the help
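def redis_unathored(url, port):
    """Check each host for a Redis server that answers INFO without auth.

    Exactly one line is recorded per host, formatted ``ip:port:status``.
    The status is an ANSI-coloured ``success`` when the reply contains
    ``redis_version`` (the server answered an unauthenticated INFO), and
    ``failed`` for everything else: connection error, timeout, unusable
    port value, or a reply that does not carry the version field.

    Args:
        url: Iterable of host addresses to check.
        port: TCP port, as an int or a numeric string.

    Returns:
        list[str]: One ``ip:port:status`` entry per host, in input order.
    """
    # RESP encoding of the read-only INFO command: "*1 CRLF $4 CRLF info CRLF".
    payload = b"\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a"
    timeout = 10  # seconds; applies to connect, send and receive
    result = []
    for ip in url:
        exposed = False
        try:
            # A fresh socket per host: a socket cannot be connected again
            # once it has been connected or closed, and the timeout must be
            # set on the socket itself (a process-wide default set after the
            # socket was created does not apply to it).
            with socket.create_connection((ip, int(port)), timeout=timeout) as s:
                s.sendall(payload)
                # errors="replace" keeps a reply cut inside a multi-byte
                # sequence from being misreported as a connection failure.
                resves = s.recv(1024).decode(errors="replace")
            exposed = 'redis_version' in resves
        except (OSError, ValueError, TypeError, OverflowError):
            # Unreachable host, timeout, DNS failure or unusable port value.
            exposed = False
        if exposed:
            status = '\033[1;32;40msuccess\033[0m'
        else:
            status = '\033[1;31;40mfailed \033[0m'
        result.append(str(ip) + ':' + str(port) + ':' + status)
    return result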
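def url_list(li):
    """Expand the first ``a-b`` range found among the dotted address parts.

    Args:
        li: Address split on ``.``, e.g. ``['192', '168', '1', '1-3']``.
            The list is left unmodified.

    Returns:
        list[str]: One dotted address per value of the first range (both
        bounds inclusive); any later range is kept as written. When no part
        contains ``-`` the address is returned unchanged as a single entry.

    Raises:
        ValueError: If the bounds of the range are not integers.
    """
    parts = list(li)  # work on a copy so the caller's list stays intact
    for index, part in enumerate(parts):
        if '-' in part:
            bounds = part.split('-')
            low, high = int(bounds[0]), int(bounds[1])
            break
    else:
        # Nothing to expand; without this guard the lookup of the range
        # bounds below would fail with IndexError.
        return ['.'.join(parts)]

    expanded = []
    for value in range(low, high + 1):
        parts[index] = str(value)
        expanded.append('.'.join(parts))
    return expanded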
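def url_exec(url):
    """Expand a dotted target with optional ``a-b`` ranges into addresses.

    Every dot-separated label of the form ``a-b`` with integer bounds is
    replaced by each value from ``a`` to ``b`` inclusive, and all
    combinations are produced with the leftmost range varying slowest.
    Labels that contain ``-`` but are not numeric ranges (for example a
    hyphenated host name) are kept as written.

    Args:
        url: Target such as ``'192.168.1.1'`` or ``'192.168.1-2.1-254'``.

    Returns:
        list[str]: The expanded addresses; ``[url]`` when there is nothing
        to expand. The whole list is built in memory, so its size is the
        product of all range lengths.
    """
    import itertools  # local import: only this function needs it

    choices = []
    for label in url.split('.'):
        values = [label]
        bounds = label.split('-')
        if len(bounds) > 1:
            try:
                low, high = int(bounds[0]), int(bounds[1])
            except ValueError:
                # Not a numeric range: keep the label instead of crashing.
                pass
            else:
                values = [str(number) for number in range(low, high + 1)]
        choices.append(values)
    return ['.'.join(combo) for combo in itertools.product(*choices)]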
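def start(argv):
    """Parse the command-line options and run the requested check.

    Recognised options: ``-u/--url`` target (required), ``-p/--port`` port
    (defaults to 6379), ``-s/--type`` check type and ``-h/--help``. The
    process exits when no arguments are given, when option parsing fails,
    when help is requested, or when no target was supplied.

    Args:
        argv: Option list without the program name (``sys.argv[1:]``).
    """
    if not argv:
        print('-h 帮助信息;\n')
        sys.exit()
    banner()
    try:
        # The long forms are the ones the usage text advertises.
        opts, _ = getopt.getopt(
            argv, 'u:p:s:h', ['url=', 'port=', 'type=', 'help']
        )
    except getopt.GetoptError:
        print('Error an argument!')
        sys.exit()

    url = ''
    port = '6379'  # default Redis port, used when -p is not given
    check_type = ''
    for opt, arg in opts:
        if opt in ('-u', '--url'):
            url = arg
        elif opt in ('-s', '--type'):
            check_type = arg
        elif opt in ('-p', '--port'):
            port = arg
        elif opt in ('-h', '--help'):
            usage()  # prints the help and exits
    if not url:
        # Without a target there is nothing to check; show the help instead
        # of failing on an unassigned variable.
        usage()
    launcher(url, check_type, port)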
def output_exec(output, type):
    """Print the check results as a plain-text table.

    Args:
        output: Iterable of ``ip:port:status`` strings; each ``:`` becomes
            a column separator in the printed row.
        type: Name of the check, shown in the coloured heading.
    """
    row_rule = "+-----------------+-----------+--------------+"
    heading = "".join(("\033[1;32;40m", type, "......\033[0m"))
    print(heading)
    print("++++++++++++++++++++++++++++++++++++++++++++++++")
    print("| ip | port | status |")
    for entry in output:
        cells = " | ".join(entry.split(":"))  # turn ':' into column bars
        print(row_rule)
        print("| " + cells + " | ")
    print("+----------------+------------+---------------+\n")
    print("[*] shutting down....")
def launcher(url, type, port):
    """Run the check selected by *type* and print its result table.

    Only ``'Redis'`` is handled; any other value returns without doing
    anything.

    Args:
        url: Target specification passed on to ``url_exec``.
        type: Name of the check to run.
        port: Port passed on to the check.
    """
    if type != 'Redis':
        return
    targets = url_exec(url)
    findings = redis_unathored(targets, port)
    output_exec(findings, type)
if __name__ == '__main__':
    # Everything after the program name goes to the option parser.
    cli_args = sys.argv[1:]
    try:
        start(cli_args)
    except KeyboardInterrupt:
        # Ctrl-C: print a short notice instead of a traceback.
        print("interrupted by user, killing all threads...")