From fcacf6d54112746d32154228f9f5662f0b2fe9cc Mon Sep 17 00:00:00 2001
From: sairson
Date: Mon, 10 Jan 2022 11:23:23 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0redis=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E5=BA=93sql=E6=9F=A5=E8=AF=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cmd/all.go | 1 -
 cmd/mongo.go | 26 ++++++++++++++++++++------
 cmd/redis.go | 24 ++++++++++++++++++++++--
 3 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/cmd/all.go b/cmd/all.go
index 3e0d1ad..114a212 100644
--- a/cmd/all.go
+++ b/cmd/all.go
@@ -16,7 +16,6 @@ var allCmd = &cobra.Command{
 _ = cmd.Help()
 return
 }
-
 allRun(Hosts, Ports, LogBool, Runtime, PingBool)
 return
 },
diff --git a/cmd/mongo.go b/cmd/mongo.go
index 042b3b2..baead81 100644
--- a/cmd/mongo.go
+++ b/cmd/mongo.go
@@ -29,7 +29,7 @@ func BruteMongoByUser() {
 }
 var ips []string
 var err error
- if Hosts != "" {
+ if Hosts != "" && ConnHost == "" {
 ips, err = ResolveIPS(Hosts)
 if err != nil {
 Println(fmt.Sprintf("resolve hosts address failed %v", err))
@@ -47,7 +47,7 @@ func BruteMongoByUser() {
 }
 }
-func MongoAuth(info config.HostIn, user, pass string) (bool, error) {
+func MongoAuth(info config.HostIn, user, pass string) (*mgo.Session, bool, error) {
 conf := &mgo.DialInfo{
 Dial: func(addr net.Addr) (net.Conn, error) {
@@ -66,13 +66,13 @@ func MongoAuth(info config.HostIn, user, pass string) (bool, error) {
 if err == nil {
 err = db.Ping()
 if err != nil {
- return false, err
+ return nil, false, err
 }
- defer db.Close()
- return true, nil
+ //defer db.Close()
+ return db, true, nil
 }
- return false, err
+ return nil, false, err
 }
 func MongoUnAuth(info config.HostIn, user, pass string) (bool, error) {
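Review bot: Commenting out `defer db.Close()` in the `@@ -66,13 +66,13 @@` hunk and returning `db` hands ownership of the open session to the caller, but no call site is touched in the visible hunks, so each successful authentication may leave a connection open. Delete the commented-out line instead of keeping it, and state the contract on the function, e.g. `// MongoAuth returns an open session on success; the caller must Close it.` With the defer gone, the failed-Ping branch should release the session itself: `db.Close()` before `return nil, false, err`. The new `(*mgo.Session, bool, error)` signature from the previous hunk also requires every caller to be updated, which cannot be confirmed here because MongoAuth's body and its callers lie outside the hunks.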
@@ -120,3 +120,17 @@ func MongoUnAuth(info config.HostIn, user, pass string) (bool, error) {
 }
 return flag, nil
 }
+
+func MongodbExec(session *mgo.Session) (string, error) {
+ var s string
+ dbs, err := session.DatabaseNames()
+ for _, db := range dbs {
+ if collections, err := session.DB(db).CollectionNames(); err == nil {
+ s += fmt.Sprintf("%s %v\n", db, collections)
+ }
+ }
+ if err != nil {
+ return "", err
+ }
+ return s, nil
+}
diff --git a/cmd/redis.go b/cmd/redis.go
index 5635f1e..0f11128 100644
--- a/cmd/redis.go
+++ b/cmd/redis.go
@@ -34,7 +34,7 @@ func init() {
 RedisCmd.Flags().StringVar(&RemoteHost, "rebound", "", "Rebound shell address (eg.) 192.168.1.1:4444")
 RedisCmd.Flags().StringVar(&ConnHost, "hostname", "", "Redis will connect this address")
 RedisCmd.Flags().StringVar(&LoginPass, "pass", "", "set login pass")
-
+ RedisCmd.Flags().StringVar(&SQLCommand, "sql", "", "Execute redis sql command")
 }
 func BruteRedisByUser() {
@@ -59,7 +59,7 @@ func BruteRedisByUser() {
 Println(Clearln + "[*] May be you want to brute? try to add --crack")
 }
 }
- if Hosts == "" && ConnHost != "" && (RemoteHost != "" || RemotePublicKey != "") {
+ if Hosts == "" && ConnHost != "" && (RemoteHost != "" || RemotePublicKey != "" || SQLCommand != "") {
 var (
 conn net.Conn
 status bool
@@ -76,6 +76,10 @@ func BruteRedisByUser() {
 Println(fmt.Sprintf("Redis UnAuth failed %v", err))
 }
 }
+ if SQLCommand != "" {
+ RedisExec(conn, SQLCommand)
+ return
+ }
 if status == true {
 RedisExploit(conn, RemoteHost, RemotePublicKey)
 }
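Review bot: The error from `session.DatabaseNames()` in MongodbExec is only checked after the loop, and the `err` declared in the inner `if` shadows it, so a failing `CollectionNames()` call silently drops that database from the output. Check the first error immediately and record per-database failures in the result instead of skipping them; building the text with `strings.Builder` (needs the `strings` import) also avoids repeated string concatenation. Nothing in this patch calls MongodbExec or closes the session passed to it, so whichever caller is added later should own `session.Close()`. A doc comment such as `// MongodbExec lists every database with its collection names, one database per line.` is missing.

```go
func MongodbExec(session *mgo.Session) (string, error) {
	dbs, err := session.DatabaseNames()
	if err != nil {
		return "", err
	}
	var b strings.Builder
	for _, db := range dbs {
		collections, err := session.DB(db).CollectionNames()
		if err != nil {
			// Keep going, but make the gap visible instead of dropping the database.
			fmt.Fprintf(&b, "%s <collections unavailable: %v>\n", db, err)
			continue
		}
		fmt.Fprintf(&b, "%s %v\n", db, collections)
	}
	return b.String(), nil
}
```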
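Review bot: The help text `"Execute redis sql command"` on the new `--sql` flag is misleading, because Redis has no SQL and the flag's precondition is not stated. The condition changed in the next hunk shows the value is only used when `Hosts` is empty and `--hostname` is set, so the help string should say so, e.g. `"Redis command to send after connecting (requires --hostname)"`. `SQLCommand` itself is declared outside this patch.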
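Review bot: The added `if SQLCommand != ""` branch in the `@@ -76,6 +76,10 @@` hunk calls RedisExec without consulting `status`, unlike the RedisExploit call directly below it, which is guarded by `if status == true`. After a failed auth attempt the command is still written to the connection, and if the connection was never established `conn` may be nil, which would panic inside RedisExec; the dial code is outside the hunk, so this is inferred. Guard it the same way, `if SQLCommand != "" && status {`, and print a message when the command is skipped.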
@@ -269,6 +273,22 @@ func RedisExploit(conn net.Conn, RemoteHost string, Filename string) {
 }
 }
+func RedisExec(conn net.Conn, cmd string) {
+ if cmd != "" {
+ _, err := conn.Write([]byte(fmt.Sprintf("%s\r\n", cmd)))
+ if err != nil {
+ Println(fmt.Sprintf("[!] %v", err))
+ return
+ }
+ reply, err := RedisReply(conn)
+ if err != nil {
+ Println(fmt.Sprintf("[!] %v", err))
+ return
+ }
+ Println(fmt.Sprintf("%v", string(reply)))
+ }
+}
+
 func RedisCron(conn net.Conn, RemoteHost string) (bool, error) {
 c, s, e := RedisWrite(conn)
 Println(fmt.Sprintf("%v %v %v", c, s, e))
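Review bot: RedisExec writes `cmd` followed by `\r\n` and then reads exactly one reply, so a value that itself contains a CR or LF puts more than one line on the wire and leaves the extra replies unread on `conn`. Reject such input up front, e.g. `if strings.ContainsAny(cmd, "\r\n") { Println("[!] command must be a single line"); return }` (needs the `strings` import). Neither the write nor the read sets a deadline in the lines shown, and RedisReply is outside the hunk, so an unresponsive server may block the call; `conn.SetDeadline` before the write would bound it. The outer `if cmd != ""` reads better as an early return, and `fmt.Sprintf("%v", string(reply))` can be just `string(reply)`.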