Using redis to write webshell

Source: Internet
Author: User
Tags phpinfo

Using redis to write webshell

What I see in redis and mongodb

Recently, I am working on some personal small creations and small projects, including using mongodb and redis. I may not have a deep understanding of them at first.
What is the difference between non-relational databases?

In fact, in my opinion, the role of redis is closer to memcache, while mongodb is a real database.

Redis is a key-value database. information is stored in the memory based on the relationship between key-value pairs. The advantage of redis over memcache lies in the diversity of its data structures.

It is not a real database, because redis mainly stores data in the memory (of course, it can be stored on the hard disk, which is also one of the necessary conditions for shell writing ), its "cache" is much more powerful than its "Data Storage". The data correction and modification operations are just as simple as variable operations. Mongodb is a "Data Storage" system. When adding, deleting, modifying, and querying data, there are "and" or "conditions. The data query method is as flexible as that of SQL database, this is what redis does not possess.

So in my project, redis is used as the memory of session and task queue, while mongodb is used as the storage of data (including user information.

Go to the topic. I saw the security problem that redis may cause on freebuf yesterday. I mentioned writing files, so I will explain the method here.

After the redis installation is complete, you have your own command line, that is, redis-cli, which contains the command can be viewed in: Each client adds, deletes, modifies, and queries based on this command.

Previously we mentioned that redis data is mainly stored in the memory. When it is different from memcache, we can execute the "save" command at any time to save the current redis data to the hard disk, in addition, redis will automatically store data to the hard disk according to the configuration.

This has to talk about redis's persistent operation solution, which refers to an RDB, an AOF. RDB is more like a database backup file, while AOF is a log file. We can set redis to back up data at a specified time and number of changes to generate an RDB file. While setting AOF, logs can be written to the end of a file after an operation or time. When more operations are performed, the AOF file will become larger and larger.


The two complement each other. With the cooperation of the two, we can stably and persistently store data on servers.


Using redis to write webshell

We use these data storage operations to write arbitrary files.

There are several key items in redis Configuration:

Dir, which specifies the "working path" of redis. The generated RDB and AOF files will be stored here.

Dbfilename, RDB file name. The default value is "dump. rdb"

Appendonly, whether to enable AOF

Appendfilename, AOF file name. The default value is "appendonly. aof"

Appendfsync and AOF backup methods: always, everysec, and no

After my research, we can set dir to a directory a, while dbfilename to file name B, and then execute save or bgsave, then we can write an arbitrary file with the path a/B:


When we get a redis console, we can call the config set/get command to modify some redis configurations.

However, we can use config set to change the dir and dbfilename. In other words, we can write any file without modifying redis. conf or restarting the redis service:

config set dir /home/wwwroot/default/
config set dbfilename redis.php
set webshell "<?php phpinfo(); ?>"

When we set a variable webshell to "<? Php phpinfo () ;?>" Then, you can perform getshell on the server. It can be seen that the data has been written:

The exported RDB is actually a binary file, but it contains <? Php phpinfo () ;?>, So it is parsed:

In the previous figure, we can see that an appendonly. aof is generated. Can this file name be customized? Unfortunately, the value of appendfilename cannot be defined using the config set command:

However, only one dbfilename is enough.

Therefore, if you scan for unauthorized access to redis in the future, do not rush to submit the dark clouds. Check whether the server has any web services. If yes, try to win the webshell.

Related posture

Redis has high permissions, generally root.


1. redis is not authorized to connect to redis-cli

2. Open the web and know the path (such as using phpinfo)

If you fail to perform a successful check, check: 1. shell readable permission; 2. Is there any content in front of the shell? <? This character breaks the shell (the main cause may be a problem with shell writing)

Alibaba Cloud Hot Products

Elastic Compute Service (ECS) Dedicated Host (DDH) ApsaraDB RDS for MySQL (RDS) ApsaraDB for PolarDB(PolarDB) AnalyticDB for PostgreSQL (ADB for PG)
AnalyticDB for MySQL(ADB for MySQL) Data Transmission Service (DTS) Server Load Balancer (SLB) Global Accelerator (GA) Cloud Enterprise Network (CEN)
Object Storage Service (OSS) Content Delivery Network (CDN) Short Message Service (SMS) Container Service for Kubernetes (ACK) Data Lake Analytics (DLA)

ApsaraDB for Redis (Redis)

ApsaraDB for MongoDB (MongoDB) NAT Gateway VPN Gateway Cloud Firewall
Anti-DDoS Web Application Firewall (WAF) Log Service DataWorks MaxCompute
Elastic MapReduce (EMR) Elasticsearch

Alibaba Cloud Free Trail

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.