Redis primer for penetration testers: installation, configuration, basic operations and common management tools

Source: Internet
Author: User

Big Data breeds NoSQL databases. Besides MongoDB, Redis is a frequent guest in all kinds of systems. As penetration testers, we obviously need to become familiar with it. At the very least, we should know how to view the information in a Redis database once we learn that the other party uses one.

First, we will install a Redis instance and get it running.

I. Installation

wget http://download.redis.io/releases/redis-2.8.7.tar.gz
tar zxvf redis-2.8.7.tar.gz
cd redis-2.8.7
make test
make


After the installation succeeds, pay attention to the following important files:

(1) Server
src/redis-server

(2) Client (there are now many other clients available as well)
src/redis-cli

(3) Configuration file
redis.conf

Then, copy the executables into a directory on $PATH, so that you do not need to type the full path when running them in the future:
cp src/redis-server /usr/local/bin/
cp src/redis-cli /usr/local/bin/

Next, let's take a look at the Redis configuration file redis.conf. I like to read all kinds of configuration files; they can always hold a surprise. The common configuration items are listed below.

Whether to run Redis as a daemon. The default value is no.
daemonize yes

If it runs as a daemon, you need to specify the pid file
pidfile /var/run/redis/redis-server.pid

Redis listening port (penetration testers must be super sensitive to ports)
port 65432

Bind address (the address to listen on)
bind 127.0.0.1

Working directory (note for penetration testers: this is where the database is stored)
dir /home/lidanqing01/redis

Database file name
dbfilename redis.rdb

RDB persistence (this is the one generally used)
# if more than 1 key is modified within 900 seconds, a snapshot is saved
save 900 1
# if more than 10 keys are modified within 300 seconds, a snapshot is saved
save 300 10
save 60 10000

AOF persistence
# enable AOF persistence
appendonly yes
# always: write data to disk immediately after each write command; the slowest, but guarantees full persistence; not recommended
# appendfsync always
# everysec: force a write to disk once per second; a good compromise between performance and persistence; recommended
appendfsync everysec
# no: depend entirely on the OS; the best performance, but persistence is not guaranteed
# appendfsync no

Number of databases. The concept of a database in Redis differs from that in MySQL/MongoDB. All databases in a Redis instance share the same access control, that is, the same authentication password. Typically, the different environments of one application, such as production and test, are placed in different databases. Different applications should not be placed in different databases of the same instance; because the databases are not isolated from each other, each application needs its own Redis instance.
In MySQL each database is like a drawer with its own lock, while a Redis instance is a single locked drawer whose databases are only the dividers inside it.
databases 16

Authentication (note for penetration testers: the password is in plaintext!)
requirepass xxxxx

Master-slave replication (note for penetration testers: if you find a slave, the master's address and password are given here)
slaveof xxxx xxx    (xxxx = master Redis host, xxx = master Redis port)
masterauth xxxxxxxx

The items flagged with notes above are the important security-related settings. Redis itself does not give much consideration to security; as the Redis Getting Started Guide states:

"Redis's security design is based on "Redis running in a trusted environment". In production, external connections to the Redis server are not allowed; applications should be used to relay access instead."

So penetration testers may find a wealth of information in Redis and can make good use of it.
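
A defender can check a redis.conf for the items flagged above before someone else reads it. The following Python sketch is an added example, not part of the original article or of Redis; the sample configuration is constructed, and the function names and the 32-character password threshold are assumptions made for this example.

```python
import shlex

# Constructed sample, modelled on the directives listed in the article.
SAMPLE_CONF = """\
daemonize yes
port 65432
bind 127.0.0.1
dir /home/lidanqing01/redis
dbfilename redis.rdb
# placeholder secrets, as in the article
requirepass xxxxx
masterauth xxxxxxxx
"""

MIN_PASSWORD_LEN = 32  # assumption: threshold chosen for this example


def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [argument list, ...]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment line
        parts = shlex.split(line)  # arguments may be quoted
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(conf):
    """Return (severity, message) findings for the security-relevant items."""
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds:
        findings.append(("high", "no bind directive: not limited to one interface"))
    elif any(addr in ("0.0.0.0", "::", "*") for addr in binds):
        findings.append(("high", "bind uses a wildcard address"))
    passwords = [args[0] for args in conf.get("requirepass", []) if args]
    if not passwords:
        findings.append(("high", "requirepass not set: no authentication"))
    elif len(passwords[-1]) < MIN_PASSWORD_LEN:
        findings.append(("medium", "requirepass is short and easy to guess"))
    if "masterauth" in conf:
        findings.append(("info", "masterauth set: file holds the master password"))
    if passwords or "masterauth" in conf:
        findings.append(("info", "plaintext secrets in file: restrict read access"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_redis_conf(SAMPLE_CONF)):
        print(severity, message)
```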

II. Start/stop operations
Now you can run it.

Start the server
redis-server redis.conf (configuration file path)

Connect the client to Redis
./redis-cli -h host (127.0.0.1 by default) -p 65432 (6379 by default) -a xxxx (password)
or
./redis-cli -h host (127.0.0.1 by default) -p 65432 (6379 by default)
127.0.0.1:65432> auth xxxx (password)
OK

Shut down Redis
redis-cli -p 65432 -a xxxx (password) shutdown

III. Redis startup script
You can also write a startup script and put it in /etc/init.d/ for ease of operation.

The script is adapted from the one in the Redis Getting Started Guide (this book is recommended), with the required authentication added.
vim /etc/init.d/redis_init_script

#!/bin/sh
# Replace these with your actual configuration
REDISPORT=65432
EXEC=/usr/local/bin/redis-server
CLIEXEC=/usr/local/bin/redis-cli
PIDFILE=/var/run/redis.pid
CONF="/home/work/lidanqing01/redis.conf"
PASSWD="xxxxx"

case "$1" in
    start)
        if [ -f "$PIDFILE" ]
        then
            echo "$PIDFILE exists, process is already running or crashed"
        else
            echo "Starting Redis Server..."
            $EXEC "$CONF"
        fi
        ;;
    stop)
        if [ ! -f "$PIDFILE" ]
        then
            echo "$PIDFILE does not exist, process is not running"
        else
            PID=$(cat "$PIDFILE")
            echo "Stopping..."
            # authenticate, then ask the server to shut down
            $CLIEXEC -p $REDISPORT -a "$PASSWD" shutdown
            # wait until the process directory disappears
            while [ -x "/proc/${PID}" ]
            do
                echo "Waiting for Redis to shutdown..."
                sleep 1
            done
            echo "Redis stopped"
        fi
        ;;
    *)
        echo "Please use start or stop as first argument"
        ;;
esac


An episode occurred while running the script. I edited the script on Windows and uploaded it to the Debian machine. Then, an error was returned.
# /etc/init.d/redis_init_script start
-bash: /etc/init.d/redis_init_script: /bin/sh^M: bad interpreter: No such file or directory

Later I found the cause: sh had a problem parsing the DOS format (the default format of editors on Windows).

Solution: convert the DOS format to the UNIX format
vim redis_init_script
:set ff          (view the current file format)
fileformat=dos
:set ff=unix     (set the current file format to unix)
:wq

 

Redis is now installed and running. Next, we need to cover the basics of the Redis database. For data-sensitive penetration testers, the most important things to know are the data format and the data types of Redis.

IV. Basic data types and data naming conventions
Redis stores data as key-value pairs. The key is the name of the data, and the value is the data itself.

A value can be one of the following 5 types:

(1) string: a string can be regarded as a byte array. The maximum size is 1 GB. For more operations, see help @string.
(2) list: a doubly linked list in which each element is a string. The maximum length of the list is 2^32 - 1. For more operations, see help @list.
(3) set: an unordered set of strings, implemented with a hash table. A set can contain at most 2^32 - 1 elements. For more operations, see help @set.
(4) sorted set: an ordered set of string elements, each associated with a score of type double. It is implemented as a combination of a skip list and a hash table. For more operations, see help @sorted_set.
(5) hash: a mapping table of string fields to values. For more operations, see help @hash.


By convention, Redis keys are named in the format object type:object ID:object property.


V. Common commands for penetration testers
Next, we place some sample data in the Redis database to demonstrate how a penetration tester can view the contents after connecting to a Redis database.

First, we build an instance that contains all five Redis data types. There is no need to worry about what each command means for now, although it is best to use the help command to look it up.

In general, Redis commands are case-insensitive. If you forget a command, press TAB to complete it. If you forget what a command means, look it up with help, a space, and TAB.

Connect to the redis server using redis-cli

(1) Add string data
127.0.0.1:65432> set string_name xiaoge
OK
127.0.0.1:65432> append string_name ,tianzheng
(integer) 16

(2) Add list data
127.0.0.1:65432> lpush list_programmer perl
(integer) 1
127.0.0.1:65432> lpush list_programmer python
(integer) 2
127.0.0.1:65432> lpush list_programmer lua
(integer) 3
127.0.0.1:65432> lpush list_programmer ruby
(integer) 4
127.0.0.1:65432> lpush list_programmer shell
(integer) 5
127.0.0.1:65432> lpush list_programmer javascript
(integer) 6
127.0.0.1:65432> lpush list_programmer R
(integer) 7

(3) Add set data
127.0.0.1:65432> sadd set_fruits apple
(integer) 1
127.0.0.1:65432> sadd set_fruits pear
(integer) 1
127.0.0.1:65432> sadd set_fruits orange
(integer) 1
127.0.0.1:65432> sadd set_fruits banana
(integer) 1
127.0.0.1:65432> sadd set_fruits pipeapple
(integer) 1
127.0.0.1:65432> sadd set_fruits strawbrew
(integer) 1

(4) Add sorted set data
127.0.0.1:65432> zadd sorted_set_attacktype 10 webshell
(integer) 1
127.0.0.1:65432> zadd sorted_set_attacktype 9 command_exexute
(integer) 1
127.0.0.1:65432> zadd sorted_set_attacktype 8 sqli
(integer) 1
127.0.0.1:65432> zadd sorted_set_attacktype 7 file_upload
(integer) 1
127.0.0.1:65432> zadd sorted_set_attacktype 6 file_include
(integer) 1
127.0.0.1:65432> zadd sorted_set_attacktype 5 xss
(integer) 1

(5) Add hash data
127.0.0.1:65432> hset hash_resume name tanjiti
(integer) 1
127.0.0.1:65432> hset hash_resume city shanghai
(integer) 1
127.0.0.1:65432> hset hash_resume gender female
(integer) 1

Now that the test data is in place, suppose we find a machine running Redis. How do we go about collecting information from it?

Step 1: Check whether the Redis service is running, which port it listens on, and which configuration file it uses
-bash-4.2# ps aux | grep redis
root 21051 0.0 0.9 33128 1280 ? Ssl Mar18 0:05 /usr/local/bin/redis-server 127.0.0.1:65432 /etc/redis.conf

We know that the port is 65432 and the configuration file is /home/work/lidanqing01/redis.conf.

Step 2: Check the redis.conf file to see whether an authentication password is set for Redis and where the persistent database is stored.
requirepass xxxxxx
masterauth xxxxxx

The authentication password is xxxxxx.

dir /home/lidanqing01/redis
dbfilename redis.rdb
The persistent database is stored in /home/lidanqing01/redis.rdb.

Step 3: Connect to the Redis server and run the following commands to view the database content:

First, connect to Redis
redis-cli -p 65432 -a xxxxxx

If you do not have redis-cli, you can use telnet and issue the same commands, but the returned results will be ugly.
-bash-4.2# telnet 127.0.0.1 65432
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
auth xxxxxxx
+OK
keys *
*5
$10
set_fruits
$11
string_name
$15
list_programmer
$11
hash_resume
$21
sorted_set_attacktype
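
The "ugly" telnet output above is the Redis wire protocol (RESP): each reply starts with a type byte (+, -, :, $ or *), followed by a value or length, and every line ends in CRLF. The parser below is an added example, not code from the original article; it goes slightly beyond the replies shown above by also handling integer, error and null replies, and CAPTURE is the session above rebuilt as bytes.

```python
class RespError(Exception):
    """An error reply ('-...') sent by the server."""


# Constructed from the telnet session above: reply to auth, then to keys *.
CAPTURE = (b"+OK\r\n*5\r\n$10\r\nset_fruits\r\n$11\r\nstring_name\r\n"
           b"$15\r\nlist_programmer\r\n$11\r\nhash_resume\r\n"
           b"$21\r\nsorted_set_attacktype\r\n")


def parse_resp(buf, pos=0):
    """Parse one RESP reply starting at pos; return (value, next_pos)."""
    end = buf.index(b"\r\n", pos)          # ValueError if the line is cut off
    kind, head = buf[pos:pos + 1], buf[pos + 1:end]
    nxt = end + 2
    if kind == b"+":                       # simple string, e.g. +OK
        return head.decode(), nxt
    if kind == b"-":                       # error reply
        return RespError(head.decode()), nxt
    if kind == b":":                       # integer, e.g. the reply to llen
        return int(head), nxt
    if kind == b"$":                       # bulk string: $<len> CRLF <bytes> CRLF
        size = int(head)
        if size == -1:
            return None, nxt               # null bulk: the key does not exist
        data = buf[nxt:nxt + size]
        if len(data) != size or buf[nxt + size:nxt + size + 2] != b"\r\n":
            raise ValueError("truncated bulk string")
        return data, nxt + size + 2
    if kind == b"*":                       # array: *<count> CRLF, then <count> replies
        count = int(head)
        if count == -1:
            return None, nxt
        items = []
        for _ in range(count):
            item, nxt = parse_resp(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError("unknown RESP type byte %r" % kind)


def parse_all(buf):
    """Parse every reply in a captured byte stream."""
    pos, replies = 0, []
    while pos < len(buf):
        value, pos = parse_resp(buf, pos)
        replies.append(value)
    return replies


if __name__ == "__main__":
    for reply in parse_all(CAPTURE):
        print(reply)
```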

 

Then, check which keys exist
127.0.0.1:65432> keys *
1) "set_fruits"
2) "string_name"
3) "list_programmer"
4) "hash_resume"
5) "sorted_set_attacktype"


Next, obtain the data type of each key.
Return values: string, hash, list, set, zset, and none (the key does not exist)
127.0.0.1:65432> type string_name
string
127.0.0.1:65432> type list_programmer
list
127.0.0.1:65432> type set_fruits
set
127.0.0.1:65432> type sorted_set_attacktype
zset
127.0.0.1:65432> type hash_resume
hash

Finally, view the value that corresponds to each key. Choose the viewing command according to the data type determined earlier. If you are not familiar with the commands, you can use
help @string
help @list
help @set
help @sorted_set
help @hash
to look up the specific commands.

A. For the string type
You can use get to obtain the string value.
127.0.0.1:65432> get string_name
"xiaoge,tianzheng"

B. For the list type
You can use llen to obtain the length of the list first.
127.0.0.1:65432> llen list_programmer
(integer) 7

Then, use lrange to view the content of the list.
127.0.0.1:65432> lrange list_programmer 0 6
1) "R"
2) "javascript"
3) "shell"
4) "ruby"
5) "lua"
6) "python"
7) "perl"

C. For the set type
You can use scard to obtain the number of elements in the set.
127.0.0.1:65432> scard set_fruits
(integer) 6

Then, use srandmember to obtain any number of members of the set.
127.0.0.1:65432> srandmember set_fruits 6
1) "pear"
2) "apple"
3) "orange"
4) "strawbrew"
5) "pipeapple"
6) "banana"

D. For the sorted_set type
You can use zcard to obtain the number of elements in the set.
127.0.0.1:65432> zcard sorted_set_attacktype
(integer) 6

Then, use zrange to obtain any number of members of the set and their scores.
127.0.0.1:65432> zrange sorted_set_attacktype 0 5 withscores
 1) "xss"
 2) "5"
 3) "file_include"
 4) "6"
 5) "file_upload"
 6) "7"
 7) "sqli"
 8) "8"
 9) "command_exexute"
10) "9"
11) "webshell"
12) "10"

E. For the hash type
You can use hkeys to obtain all fields in the hash.
127.0.0.1:65432> hkeys hash_resume
1) "name"
2) "city"
3) "gender"

Then, use hget to obtain the value of a specified field in the hash.
127.0.0.1:65432> hget hash_resume name
"tanjiti"


Step 4: Download the /home/lidanqing01/redis.rdb database to your local machine and read it with rdbtools (rdbtools is introduced in the section on Redis programming interfaces and management tools).

VI. Redis programming interfaces and management tools
1. Client programming interfaces
In addition to the redis-cli client that comes with Redis, there are the following clients:
(1) PHP clients

Predis https://github.com/nrk/predis (a native client implemented in PHP code)
phpredis https://github.com/nicolasff/phpredis (a PHP extension written in C)

(2) Ruby client
redis-rb https://github.com/redis/redis-rb


(3) Python client
redis-py https://github.com/andymccurdy/redis-py

(4) Node.js client
node_redis https://github.com/mranney/node_redis


2. Management tools
(1) phpRedisAdmin https://github.com/ErikDubbelboer/phpRedisAdmin
The name tells you what it is: a tool like phpMyAdmin.

1) Installation
cd /var/www/ (web root directory)
git clone https://github.com/ErikDubbelboer/phpRedisAdmin.git
cd phpRedisAdmin/

2) Configuration

cd includes/
cp config.sample.inc.php config.inc.php
vim config.inc.php

Replace the corresponding configuration options:

$config = array(
  'servers' => array(
    array(
      'name' => 'local server', // Optional name.
      'host' => '127.0.0.1',
      'port' => 65432,
      'filter' => '*',
      // Optional Redis authentication.
      'auth' => 'xxxxx' // Warning: The password is sent in plain-text to the Redis server. (penetration note)
    ),

3) Access
http://www.tanjiti.com/phpRedisAdmin/

Doesn't it look like a simplified version of phpMyAdmin?

(2) rdbtools https://github.com/sripathikrishnan/redis-rdb-tools

If Redis uses RDB persistence (saving the in-memory data to the file system on disk), the data is stored as a *.rdb file. For the file location, see the Redis configuration:
Working directory
dir /home/lidanqing01/redis

Database storage path
dbfilename redis.sites.rdb

Then we can use rdbtools to read the redis.rdb database stored in /home/lidanqing01/redis.rdb.

1) Install rdbtools
git clone https://github.com/sripathikrishnan/redis-rdb-tools.git
cd redis-rdb-tools/
sudo python setup.py install

2) Use rdbtools to export the database content
You can specify multiple formats as follows:

rdb --command json /root/redis/redis.rdb > output.json
more output.json
[{"set_fruits":["apple","orange","strawbrew","pear","pipeapple","banana"],"string_name":"xiaoge,tianzheng","list_programmer":["R","javascript","shell","ruby","lua","python","perl"],"hash_resume":{"name":"tanjiti","city":"shanghai","gender":"female"},"sorted_set_attacktype":{"xss":5,"file_include":6,"file_upload":7,"sqli":8,"command_exexute":9,"webshell":10}}]

rdb --command diff /root/redis/dump.rdb > output.diff
more output.diff
db=0 "set_fruits" { "apple" }
db=0 "set_fruits" { "orange" }
db=0 "set_fruits" { "strawbrew" }
db=0 "set_fruits" { "pear" }
db=0 "set_fruits" { "pipeapple" }
db=0 "set_fruits" { "banana" }
db=0 "string_name" -> "xiaoge,tianzheng"
db=0 "list_programmer"[0] -> "R"
db=0 "list_programmer"[1] -> "javascript"
db=0 "list_programmer"[2] -> "shell"
db=0 "list_programmer"[3] -> "ruby"
db=0 "list_programmer"[4] -> "lua"
db=0 "list_programmer"[5] -> "python"
db=0 "list_programmer"[6] -> "perl"
db=0 "hash_resume" . "name" -> "tanjiti"
db=0 "hash_resume" . "city" -> "shanghai"
db=0 "hash_resume" . "gender" -> "female"
db=0 "sorted_set_attacktype"[0] -> {"xss", score=5}
db=0 "sorted_set_attacktype"[1] -> {"file_include", score=6}
db=0 "sorted_set_attacktype"[2] -> {"file_upload", score=7}
db=0 "sorted_set_attacktype"[3] -> {"sqli", score=8}
db=0 "sorted_set_attacktype"[4] -> {"command_exexute", score=9}
db=0 "sorted_set_attacktype"[5] -> {"webshell", score=10}

Well, this is a very basic introduction. In fact, Redis currently has many application scenarios, such as the queue server rq (http://python-rq.org/), which is based on the Redis list feature.
